Metamorphic malware identification using engine-specific patterns based on co-opcode graphs

Kakisim, Arzu Gorgulu; Nar, Mert; Soğukpınar, İbrahim

doi:10.1016/j.csi.2020.103443

Cited by 31 publications

(32 citation statements)

References 29 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…The malware binary files were downloaded from the public repository Vxheaven (https://www.vxheaven.org). Vxheaven dataset is a public repository that is commonly-used by previous malware analysis studies such as in [14,36,37,[40][41][42]. The malware dataset contains different types of malware families such as trojans, adware, backdoors, ransomware, viruses, and worms among many others.…”

Section: B Dataset Descriptionmentioning

confidence: 99%

An Adaptive Behavioral-Based Incremental Batch Learning Malware Variants Detection Model Using Concept Drift Detection and Sequential Deep Learning

et al. 2021

View full text Add to dashboard Cite

Malware variants are the major emerging threats that face cybersecurity due to the potential damage to computer systems. Many solutions have been proposed for detecting malware variants. However, accurate detection is challenging due to the constantly evolving nature of the malware variants that cause concept drift. Existing malware detection solutions assume that the mapping learned from historical malware features will be valid for new and future malware. The relationship between input features and the class label has been considered stationary, which doesn't hold for the ever-evolving nature of malware variants. Malware features change dynamically due to code obfuscations, mutations, and the modification made by malware authors to change the features' distribution and thus evade the detection rendering the detection model obsolete and ineffective. This study presents an Adaptive behavioral-based Incremental Batch Learning Malware Variants Detection model using concept drift detection and sequential deep learning (AIBL-MVD) to accommodate the new malware variants. Malware behavior were extracted using dynamic analysis by running the malware files in a sandbox environment and collecting their Application Programming Interface (API) traces. According to the malware first-time appearance, the malware samples were sorted to capture the malware variants' change characteristics. The base classifier was then trained based on a subset of historical malware samples using a sequential deep learning model. The new malware samples were mixed with a subset of old data and gradually introduced to the learning model in an adaptive batch size incremental learning manner to address the catastrophic forgetting dilemma of the incremental learning. The statistical process control technique has been used to detect the concept drift as indication for incrementally updating the model as well as reducing the frequency of model updates. Results from extensive experiments show that the proposed model is superior in terms of detection rate and the efficiency compared with the static model, periodic retraining approaches, and the fixed batch size incremental learning approach. The model maintains an average of 99.41% detection accuracy of new and variants malware with a low updating frequency of 1.35 times per month.

show abstract

Section: B Dataset Descriptionmentioning

confidence: 99%

An Adaptive Behavioral-Based Incremental Batch Learning Malware Variants Detection Model Using Concept Drift Detection and Sequential Deep Learning

et al. 2021

View full text Add to dashboard Cite

show abstract

“…A drastic change in the entropy of machine code created by standard compilers indicates that the file has been packed. Many types of packers such as UPX 2 , FSG, Yoda's 3 , ExeStealth 4 , PETite 5 , ASPack 6 , UPack, and VMProtect 7 can be detected by looking for a unique sequence of byte codes [8], though the unpacking patterns and decryption keys are not detectable using this method. The complexity and ambiguity of malware activities prompts analysts towards dynamically monitoring and analyzing malware's behavior in order to discover the true nature of obfuscated files.…”

Section: Mmentioning

confidence: 99%

“…All these malware programs are pursuing a single malicious goal -but from different channels. This is why obfuscation and metamorphic engines play a critical role in the development of a large number of perilous malware programs in today's IT environment [4]. Consequently, there is a never-ending battle between malware developers and security analyzers, which is evolving as rapidly as the complexity of malware advances [5].…”

Section: Introductionmentioning

confidence: 99%

A Novel Method for Detecting Future Generations of Targeted and Metamorphic Malware Based on Genetic Algorithm

Javaheri

Lalbakhsh²,

Hosseinzadeh

2021

IEEE Access

View full text Add to dashboard Cite

This paper presents a novel solution for detecting rare and mutating malware programs and provides a strategy to address the scarcity of datasets for modeling these types of malware. To provide sufficient training data for malware behavioral modeling, genetic algorithms are used together with an optimization strategy that selectively creates generations of mutated elite malware samples. In our unique method, a sequence of system API calls is extracted using tracker filter drivers in a sandbox environment. The most obfuscated and metamorphic malware are chosen by an elite selection method. The behavioral chromosomes are formed by mapping extracted APIs to genes using linear regression. Our analysis system includes an Internet simulator and a human emulator to deceive intelligent classes of malware to successfully execute themselves and prevent system halting. The evolution process is performed through crossover and permutation of genes, which are encoded based on the addresses of the kernel-level system functions. An objective function has been defined to optimize the vital indicators of malignancy and tracking rate with a linear time complexity. This guarantees that new generations of malware are more destructive and stealthy than their parents. J48 and deep neural networks were employed in our experiments as they are two popular modeling and classification strategies in the area of behavioral malware detection. Real-world malware samples from valid references were used for the performance evaluation of our approach. Comprehensive scenarios were involved in the experiments to evaluate the performance of our proposed strategy. The results demonstrate significant improvement in detection accuracy -up to 5% considering rare and metamorphic malware. The results also demonstrated a considerable enhancement in true positive rate for the proposed deep-learning algorithm.

show abstract

“…Afterwards, it uses a set of rules or thresholds to detect the malicious codes. Recently, a study shows that the metamorphic malware can be identified using engine specific patterns developed from co‐opcode graph 29 . Each node of the graph represents a unique opcode that works as a discriminating feature.…”

Section: Malware Detection Techniquesmentioning

confidence: 99%

Toward accurate and intelligent detection of malware

Arfeen

Khan

Uddin

et al. 2021

Concurrency and Computation

View full text Add to dashboard Cite

Summary Malware is a constant threat to the safety of the public Internet and private networks. It also affects the security of endpoint devices. An infected endpoint device can take part in aggressive or slow distributed denial of service attacks globally. Polymorphic malware has rendered traditional signature‐based detection ineffective. Hence the efforts to identify malware have been focused on behavioral modeling to identify and classify malware. This behavioral identification paved the way for artificial intelligence (AI) in cybersecurity. AI can detect a zero‐day attack and malware, but it suffers from several false positives. This article presents an extensive analysis of traditional and AI‐based methods for malware detection and related challenges. AI is vulnerable to attacks, such as dataset poisoning and adversarial data input, which can reduce model accuracy and increase false negatives. AI has helped to improve malware detection and reduce manual work through automation of feature extraction and feature selection. It is also beneficial to create models that are less prone to malware variations and capture the malicious behavior holistically. This article explores the transition of malware detection from traditional to AI‐based techniques. Furthermore, it also explains how some conventional approaches are still relevant today in terms of detection speed.

show abstract

Metamorphic malware identification using engine-specific patterns based on co-opcode graphs

Cited by 31 publications

References 29 publications

An Adaptive Behavioral-Based Incremental Batch Learning Malware Variants Detection Model Using Concept Drift Detection and Sequential Deep Learning

An Adaptive Behavioral-Based Incremental Batch Learning Malware Variants Detection Model Using Concept Drift Detection and Sequential Deep Learning

A Novel Method for Detecting Future Generations of Targeted and Metamorphic Malware Based on Genetic Algorithm

Toward accurate and intelligent detection of malware

Contact Info

Product

Resources

About