Proposing an HMM-based approach to detect metamorphic malware

Gharacheh, Mina; Derhami, Vali; Hashemi, Sattar; Fard, Seyed Mehdi Hazrati

doi:10.1109/cfis.2015.7391648

Cited by 8 publications

(11 citation statements)

References 5 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Also this objective has been deeply studied in literature, and several reviewed papers target the detection of variants. Given a malicious sample m, variants detection consists in selecting from the available knowledge base the samples that are variants of m [37,30,38,39,40,41].…”

Section: Malware Similarity Analysismentioning

confidence: 99%

“…Among reviewed works, the majority relies on dynamic analyses [42,55,56,15,44,16,60,57,66,46,50,58,24,26,28,30,51,52,53,35,40], while the others use, in equal proportions, either static analyses alone [11,12,63,64,72,17,65,19,47,49,61,22,23,25,31,73,27,29,37,38,54,67,74,39] or a combination of static and dynamic techniques [75,18,21,48,20,…”

Section: Feature Extractionmentioning

confidence: 99%

See 1 more Smart Citation

Survey of machine learning techniques for malware analysis

Ucci

Aniello

Baldoni

2019

Computers & Security

397

189

View full text Add to dashboard Cite

Coping with malware is getting more and more challenging, given their relentless growth in complexity and volume. One of the most common approaches in literature is using machine learning techniques, to automatically learn models and patterns behind such complexity, and to develop technologies to keep pace with malware evolution. This survey aims at providing an overview on the way machine learning has been used so far in the context of malware analysis in Windows environments, i.e. for the analysis of Portable Executables. We systematize surveyed papers according to their objectives (i.e., the expected output), what information about malware they specifically use (i.e., the features), and what machine learning techniques they employ (i.e., what algorithm is used to process the input and produce the output). We also outline a number of issues and challenges, including those concerning the used datasets, and identify the main current topical trends and how to possibly advance them. In particular, we introduce the novel concept of malware analysis economics, regarding the study of existing trade-offs among key metrics, such as analysis accuracy and economical costs.

show abstract

Section: Malware Similarity Analysismentioning

confidence: 99%

Section: Feature Extractionmentioning

confidence: 99%

Survey of machine learning techniques for malware analysis

Ucci

Aniello

Baldoni

2019

Computers & Security

397

189

View full text Add to dashboard Cite

show abstract

“…One example of the sequence of transactions can be shown as llmhmlhm. The types of purchases such [13], [27], [43], [86], [93], [101], [107] [2], [34], [39], [50], [59], [113], [118] [30], [41], [77], [83] [4], [8], [17], [36], [38], [42] [6], [7], [18], [48], [74], [92] [28], [33], [40], [47], [53], [67], [71], [97], [105], [114], [116], [119] [54], [55], [112] [15], [70], [77], [95], [99], [102] [10], [44], [66] [41], [53], [56], [74],…”

Section: Credit Card Fraud Detectionmentioning

confidence: 99%

“…Using the HMM, we can compute the similarities between the 2 behaviors; this is of great importance when detecting such viruses. The most prominent research concerning internet malware detection includes [4,8,17,36,38,57]. These works aim to create an HMM to detect malware such as botnets and viruses to prevent their destructive behavior in the network.…”

Section: Malware Detectionmentioning

confidence: 99%

A systematic review on intrusion detection based on the Hidden Markov Model

Ramaki

Rasoolzadegan

Jafari

2018

Statistical Analysis

View full text Add to dashboard Cite

Apart from using traditional security solutions in software systems such as firewalls and access control mechanisms, utilizing intrusion detection systems are also necessary. Intrusion detection is a process in which a set of methods are used to detect malicious activities against the victims. Many techniques for detecting potential intrusions in software systems have already been introduced. One of the most important techniques for intrusion detection based on machine learning is using Hidden Markov Models (HMM). In recent decades, many research communities have been working toward HMM-based intrusion detection. Therefore, a large volume of research works has been published and hence, various research areas have emerged in this field. However, until now, there has been no systematic and up-to-date review of research works within the field. This paper aims to survey the research in this field and provide open problems and challenges based on the analysis of advantages, limitations, types of architectural models, and applications of current techniques. Six various architecture models for intrusion detection purposes are proposed in the literature. We compare these models based on performance criteria in order to select an appropriate type for a specific application. The results show that HMM-based intrusion detection techniques have 6 main advantages-precise intrusion detection, ability to detect new and unknown intrusions, prediction of the intruder's potential next steps, usage in real-time applications by processing data streams on-the-fly, usage of heterogeneous data sources as input, and visual representation of acquired knowledge relative to the other techniques of machine learning. KEYWORDSHidden Markov Model, intrusion detection, intrusion detection system, statistical learning, system and network security

show abstract

“…Moreover, Hidden Markov Model (HMM) in its crude form has been applied to identify malware instances; however, the metamorphic malware instances which completely transformed themselves could not be easily determined using HMM. Therefore, a strategy to extract only the important sequences of malware software op-code to train the HMM have been explored in [130].…”

Section: Recent Research Status In Mutating Malware Characterizationmentioning

confidence: 99%

A Cognitive and Concurrent Cyber Kill Chain Model

Khan

Siddiqui

Ferens

2017

Computer and Network Security Essentials

View full text Add to dashboard Cite

The challenges of cyber security have outpaced the advantages of cyber tools and technologies. In 2018, World Economic Forum has already placed cyber security in the top five risks faced by the world. Cyber threats are evolving and can cripple economies and nations. The major tools of cyber threats are anonymity, deception and uncertainty. Current state of the art research is also evolving into addressing these challenges by applying new and proactive threat hunting approaches instead of doing reactive cyber defense, which is proving futile. Malware is an indispensable tool of cyber threat actors to accomplish malicious activities i.e. exfiltration, espionage and disruption. Using advanced obfuscation and mutation methods, malware adversaries are able to remain ahead of cyber defenders. Most malware detection technologies are based on finding a-priori known signatures of malware payload or known patterns of malware behavior. This dissertation addresses the challenge of hunting unknown behaviorally mutated malware inside a host computer by proposing a proof of concept framework named Malvidence for characterizing malware behavior within a host operating system process tree using cognitive machine intelligence. Using Malvidence framework, tools and techniques can be derived for variety of cyber security methods for threat detection. Cognitive Computing is a promising domain of machine intelligence which explores and develops new tools to incorporate human cognitive characteristics so that the performance of existing domain of artificial intelligence and machine learning can be improved. Therefore, cognitive complexity based fractal analysis is demonstrated and a methodology of extracting inherent but hidden patterns of malware dynamics using a temporal graph theoretical approach is proposed. Further, a set of graph theoretical features is analyzed and proposed for an effective characterization of malware behavior which can be subsequently used for malware hunting and detection. In addition, the proposed features are tested for their mathematical validity. Finally, using proposed cognitive complexity analysis, characterization performance of an unsupervised clustering algorithm is provided to demonstrate the validity of Malvidence framework.

show abstract

Proposing an HMM-based approach to detect metamorphic malware

Cited by 8 publications

References 5 publications

Survey of machine learning techniques for malware analysis

Survey of machine learning techniques for malware analysis

A systematic review on intrusion detection based on the Hidden Markov Model

A Cognitive and Concurrent Cyber Kill Chain Model

Contact Info

Product

Resources

About