Analysis of Malware Communities Using Multi-Modal Features

Cruickshank, Iain J.; Carley, Kathleen M.

doi:10.1109/access.2020.2989689

Cited by 8 publications

(4 citation statements)

References 40 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Many models that use images and text simultaneously typically adopt multi-modal learning [29]. There are malware classification models based on multimodal learning [4], [10], [30]. Gibert et al [10] combined API calls, raw bytes, and opcodes using the late fusion method to exploit low-level and high-level information to enhance classification performance.…”

Section: Malware Classification Based On Multi-modal Learningmentioning

confidence: 99%

“…They used static API sequences extracted from disassembled files and dynamic API sequences logged during the runtime. In [30], the malware was identified by a multi-modal clustering algorithm using a PE header, string hashes, IAT, and byte entropy. Recently, cross-modal learning [31], [32], [29], a new multi-modal learning method that focuses on the adaptive combination of multiple modalities, has emerged.…”

Section: Malware Classification Based On Multi-modal Learningmentioning

confidence: 99%

See 1 more Smart Citation

Attention-Based Cross-Modal CNN Using Non-Disassembled Files for Malware Classification

2023

View full text Add to dashboard Cite

The role of malware classification is crucial in addressing the explosive increase in malware variants. By classifying malware instances into malware families, malware analysts can apply appropriate techniques and tools to handle malware variants in each family. Using high-level representations of malware, such as disassembled codes, yields meaningful classification performance. However, malware classification based on disassembled codes depends on the practically implausible assumption that every malware is correctly reversed by disassemblers. Unfortunately, sophisticated malware, which has anti-disassembly capabilities, seeks to confuse disassemblers, yielding incorrectly disassembled codes. In this study, we focus on malware family classification, which requires no disassembly, and propose a new CNN-based malware classification model using non-disassembled malware files (i.e., binary files). Our model associates two modalities: "malware images" and "structural entropies," which are converted and extracted from binary files. Both modalities have different granularities of bytes and chunks that complement each other. The model adopts a cross-modal attention mechanism to combine the features of the two modalities by moderating their expressive limitations. We validate our model using three popular datasets from the Kaggle Microsoft Malware Classification, Malimg, and BODMAS datasets. The experimental results show that our model identifies malware families with a higher degree of accuracy than previous methods and does not require the burden of disassembling.

show abstract

Section: Malware Classification Based On Multi-modal Learningmentioning

confidence: 99%

Section: Malware Classification Based On Multi-modal Learningmentioning

confidence: 99%

Attention-Based Cross-Modal CNN Using Non-Disassembled Files for Malware Classification

2023

View full text Add to dashboard Cite

show abstract

“…Malware is a software that harmfully attacks other software in ways that causes the actual behavior to differ from the intended behavior [24]. Threat actors tend to use this type of method to execute many attacks that could be in form of viruses, ransomware, trojans, remote access trojans (RAT), advanced persistent threats (APT) and the list goes on [25], [26], [27].…”

Section: ) Malware Attacksmentioning

confidence: 99%

Threat Actors’ Tenacity to Disrupt: Examination of Major Cybersecurity Incidents

et al. 2022

View full text Add to dashboard Cite

show abstract

“…With the continuous update and popularization of network information, people have more and more opportunities to use the network in life and work, which also makes network security a major issue that is urgently needed at the moment [1,2]. Particularly in recent years, large-scale computer virus infections with great destructiveness have emerged one after another [3].…”

Section: Introductionmentioning

confidence: 99%

Design and Analysis of Network Virus Defense System Based on Multimodal Data Mining Technology

Hou

Ding

2022

Scientific Programming

View full text Add to dashboard Cite

This study analyzes and designs a network security management system based on the K-means algorithm. Through the investigation of network security managers, this article uses structured modeling technology to derive the system’s logical business functions, which are data acquisition function, data analysis function, and post-processing function. This study uses a three-tier architecture to design the system, describes the system data business processing flow, and gives the key flow of the K-means algorithm application. In addition, the system database is designed to provide support for system data processing. This study proposes a dual-network text matching model based on local interactive components. This model composes two modalities of single-modal short text data: a positional structural modal for describing local interactions and a global semantic understanding modal for extracting global semantic information. Two heterogeneous networks are used to extract two modalities. The principle of complementarity of modalities is realized by constructing the differences of each modal. At the same time, through the attention mechanism, the position information of the position structure modal is transferred to the global semantic understanding modal to obtain consistent comprehensive information so as to realize the principle of modal consistency. On this basis, by designing low-order interaction functions and high-order interaction functions, and using long- and short-term memory networks, we have, respectively, improved the position structure modal and global semantic understanding modal. The theoretical analysis and simulation results of the model show that the propagation characteristics of the network worm are completely determined by the threshold R0 required for its existence. When R0 >1, the network worm will become popular even with a small initial infection number; conversely, even if the initial infection machine is large, the network worm will eventually become extinct. The research results of this article also show that the introduction of mobile devices has an important impact on the defense technology of network worms. To curb network worms that use both the network and mobile devices to spread, and to increase the proportion of machines that have never been infected with the virus, the most effective method is to control the number of mobile devices and reduce the possibility of cross-infection between mobile devices and machines. The simulation results show that, regardless of whether dynamic isolation and antivirus software are considered, the local area network-based choke method given in this study can effectively curb intelligent network worms that have slow scanning rates and clear scanning targets. In addition, the choke method presented in this article can determine the choke threshold without affecting the normal network scanning behavior of users in the local area network.

show abstract

Analysis of Malware Communities Using Multi-Modal Features

Cited by 8 publications

References 40 publications

Attention-Based Cross-Modal CNN Using Non-Disassembled Files for Malware Classification

Attention-Based Cross-Modal CNN Using Non-Disassembled Files for Malware Classification

Threat Actors’ Tenacity to Disrupt: Examination of Major Cybersecurity Incidents

Design and Analysis of Network Virus Defense System Based on Multimodal Data Mining Technology

Contact Info

Product

Resources

About