A Gene-Inspired Malware Detection Approach

Chen, Yihang; Shan, Zheng; Liang, Guanghui; Zhao, Binglin; Li, Xingwei; Qiao, Meng

doi:10.1088/1742-6596/1168/6/062004

Cited by 7 publications

(5 citation statements)

References 9 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Machine learning models trained on static data have shown good detection accuracy. Chen et al [5] achieved 96% detection accuracy using statically extracted sequences of API calls to train a Random Forest model. However, static data have been demonstrated to be quite vulnerable to concept drift [12,13].…”

Section: Malware Detection With Static or Post-collectionmentioning

confidence: 99%

“…Due to the huge numbers of new malware appearing each day, the detection of malware samples needs to be automated [2]. Signature-matching methods are not resilient enough to handle obfuscation techniques or to catch unseen malware types and as such, automated methods of generating detection rules, such as machine learning, have been widely proposed [3][4][5][6]. ese approaches typically analyse samples when the file is first ingested, either using static code-based methods or by observing dynamic behaviours in a virtual environment.…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Real-Time Malware Process Detection and Automated Process Killing

Rhode

Burnap

Wedgbury

2021

Security and Communication Networks

View full text Add to dashboard Cite

Perimeter-based detection is no longer sufficient for mitigating the threat posed by malicious software. This is evident as antivirus (AV) products are replaced by endpoint detection and response (EDR) products, the latter allowing visibility into live machine activity rather than relying on the AV to filter out malicious artefacts. This paper argues that detecting malware in real-time on an endpoint necessitates an automated response due to the rapid and destructive nature of some malware. The proposed model uses statistical filtering on top of a machine learning dynamic behavioural malware detection model in order to detect individual malicious processes on the fly and kill those which are deemed malicious. In an experiment to measure the tangible impact of this system, we find that fast-acting ransomware is prevented from corrupting 92% of files with a false positive rate of 14%. Whilst the false-positive rate currently remains too high to adopt this approach as-is, these initial results demonstrate the need for a detection model that is able to act within seconds of the malware execution beginning; a timescale that has not been addressed by previous work.

show abstract

Section: Malware Detection With Static or Post-collectionmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

Real-Time Malware Process Detection and Automated Process Killing

Rhode

Burnap

Wedgbury

2021

Security and Communication Networks

View full text Add to dashboard Cite

show abstract

“…In the construction of sample classification characteristics, Qian et al [6]. analyzed the sample's attributes and characteristics information by observing the dynamic behavior of the sample in the sandbox and recording its detailed log information.…”

Section: Related Workmentioning

confidence: 99%

“…Meanwhile, through the sandbox-based program dynamic characteristic detection technology, some researchers have collected the sample's behavioral characteristics and static analysis-based sample characteristics code, in order to get the test sample from them [5]. However, the rapidly evolution of malware variants and the constantly introduction of new technologies highlights the limitations of these traditional analysis methods, and meanwhile, methods that rely too much on manual experience lag far behind rapidly updated malicious programs [6].…”

Section: Introductionmentioning

confidence: 99%

The Software Gene-Based Test Set Automatic Generation Framework for Antivirus Software

Bai¹,

Cncert²,

Rong³

et al. 2019

JSW

View full text Add to dashboard Cite

After studying the existing test set generation methods of antivirus software and sample analysis methods based on manual experience, the paper proposes a software gene-based test set automatic generation framework for antivirus software. Most of current test set automatic generation frameworks have problems of unstable performance, time-consuming, and the fact that its test set cannot well reflect the density distribution character of the original dataset. In this paper, some improvements are made to resolve above problems. Experiment results show that the framework can efficiently generate the test sample set with the volume no more than one tenth of the original data set, meanwhile the distribution characteristics of the original dataset can be retained.

show abstract

“…al. [11] achieved 96% detection accuracy using staticallyextracted sequences of API calls to train a Random Forest model. However, in direct comparison with dynamic data, static data performed less well and did not even improve accuracy when used to augment dynamic datasets [2].…”

Section: Malware Detection Using Dynamic Behavioursmentioning

confidence: 99%

Real-time malware process detection and automated process killing

Rhode¹,

Burnap²,

Wedgbury³

2019

Preprint

View full text Add to dashboard Cite

Adversaries are increasingly motivated to spend energy trying to evade automatic malware detection tools. Dynamic analysis examines the behavioural trace of malware, which is difficult to obfuscate, but the time required for dynamic analysis means it is not typically used in practice for endpoint protection but rather as an analysis tool. This paper presents a run-time model to detect malicious processes and automatically kill them as they run on a real endpoint in use. This approach enables dynamic analysis to be used to prevent harm to the endpoint, rather than to analyse the cause of damage after the event. Run-time detection introduces the risk of malicious damage to the endpoint and necessitates that malicious processes are detected and killed as early as possible to minimise the opportunities for damage to take place. A distilled machine learning model is used to improve inference speed whilst benefiting from the parameters learned by larger, more computationally intensive model. This paper is the first to focus on tangible benefits of process killing to the user, showing that the distilled model is able to prevent 86.34% of files being corrupted by ransomware whilst maintaining a low false positive rate for unseen benignware of 4.72%.

show abstract

A Gene-Inspired Malware Detection Approach

Cited by 7 publications

References 9 publications

Real-Time Malware Process Detection and Automated Process Killing

Real-Time Malware Process Detection and Automated Process Killing

The Software Gene-Based Test Set Automatic Generation Framework for Antivirus Software

Real-time malware process detection and automated process killing

Contact Info

Product

Resources

About