Task-Aware Meta Learning-based Siamese Neural Network for Classifying Obfuscated Malware

Zhu, Jinting; Jang-Jaccard, Julian; Singh, Amardeep; Watters, Paul A.; Camtepe, Seyit

doi:10.48550/arxiv.2110.13409

Cited by 5 publications

(7 citation statements)

References 39 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…In our future work, we will extend this model for the multi-class scenarios to detect different classes of intrusion attacks specifically minority attacks. We also plan to apply the proposed method for Android-based malware detection [57,58], or ransomware detection and classification tasks [59,60,61] to evaluate the generalizability and practicability.…”

Section: Discussionmentioning

confidence: 99%

Autoencoder-based Unsupervised Intrusion Detection using Multi-Scale Convolutional Recurrent Networks

Singh¹,

Jang-Jaccard²

2022

Preprint

Self Cite

View full text Add to dashboard Cite

The massive growth of network traffic data leads to a large volume of datasets. Labeling these datasets for identifying intrusion attacks is very laborious and error-prone. Furthermore, network traffic data have complex time-varying non-linear relationships. The existing state-of-the-art intrusion detection solutions use a combination of various supervised approaches along with fused features subsets based on correlations in traffic data. These solutions often require high computational cost, manual support in finetuning intrusion detection models, and labeling of data that limit real-time processing of network traffic. Unsupervised solutions do reduce computational complexities and manual support for labeling data but current unsupervised solutions do not consider spatio-temporal correlations in traffic data. To address this, we propose a unified Autoencoder based on combining multi-scale convolutional neural network and long short-term memory (MSCNN-LSTM-AE) for anomaly detection in network traffic. The model first employs Multiscale Convolutional Neural Network Autoencoder (MSCNN-AE) to analyze the spatial features of the dataset, and then latent space features learned from MSCNN-AE employs Long Short-Term Memory (LSTM) based Autoencoder Network to process the temporal features. Our model further employs two Isolation Forest algorithms as error correction mechanisms to detect false positives and false negatives to improve detection accuracy. We evaluated our model NSL-KDD, UNSW-NB15, and CICDDoS2019 dataset and showed our proposed method significantly outperforms the conventional unsupervised methods and other existing studies on the dataset.

show abstract

Section: Discussionmentioning

confidence: 99%

Autoencoder-based Unsupervised Intrusion Detection using Multi-Scale Convolutional Recurrent Networks

Singh¹,

Jang-Jaccard²

2022

Preprint

Self Cite

View full text Add to dashboard Cite

show abstract

“…By using entropy features, our model is more resilient to producing misclassification when obfuscated malware is included in training samples. Though the resilience against the control flow obfuscation technique has been evidenced in [25], the influence of other types of obfuscation techniques requires further investigation.…”

Section: Discussion and Limitationsmentioning

confidence: 99%

“…More changes to the original information content produce higher entropy values while fewer changes to the original information are associated with lower entropy values. As discussed in [24,25], using entropy values as feature representation has a number of advantages compared to using grayscale 1 ImageNet. http://www.image-net.org image features.…”

Section: Feature Preprocessing Phasementioning

confidence: 99%

“…This can easily lead to misclassification results where a classification algorithm puts them into different malware families when in fact they belong to the same malware family. In addition, the computation cost associated with grayscale image features is usually much higher due to the higher cost involved in processing texture features of grayscale images [24,25]. To avoid these weaknesses associated with grayscale features, we instead use entropy features that are more resilient to changes in the malware binary code and reduce computation costs.…”

Section: Feature Preprocessing Phasementioning

confidence: 99%

See 1 more Smart Citation

A Ransomware Triage Approach using a Task Memory based on Meta-Transfer Learning Framework

Zhu¹,

Jang-Jaccard²,

Welch³

et al. 2022

Preprint

Self Cite

View full text Add to dashboard Cite

Solutions for rapid prioritization of different ransomware have been raised to formulate fast response plans to minimize socioeconomic damage from the massive growth of ransomware attacks in recent years. To address this concern, we propose a ransomware triage approach that can rapidly classify and prioritize different ransomware classes. Our Siamese Neural Network (SNN) based approach utilizes a pre-trained ResNet18 network in a meta-learning fashion to reduce the biases in weight and parameter calculations typically associated with a machine learning model trained with a limited number of training samples. Instead of image features typically used as inputs to many existing machine learning-based triage applications, our approach uses the entropy features directly obtained from the ransomware binary files to improve feature representation, resilient to obfuscation noise, and computationally less expensive. Our triage approach can classify ransomware samples into the correct classes if the ransomware features significantly match known ransomware profiles. Our evaluation shows that this classification part of our proposed approach achieves the accuracy exceeding 88% and outperforms other similar classification only machine learning-based approaches. In addition, we offer a new triage strategy based on the normalized and regularized weight ratios that evaluate the level of similarity matching across ransomware classes to identify any risky and unknown ransomware (e.g., zero-day attacks) so that a rapid further analysis can be conducted.

show abstract

“…2) Malware classification. A meta-learning algorithm [37] and two-dimensional image processing techniques [38] have been proposed for obfuscated malware classification. One of the current issues is timely reconstruction of up-to-date malware datasets [14], ML models [16], and classifiers [17] to keep up with evolving malware such as XLoader.…”

Section: Related Workmentioning

confidence: 99%

Smishing Strategy Dynamics and Evolving Botnet Activities in Japan

Saeki

Kitayama

Koga³

et al. 2022

IEEE Access

View full text Add to dashboard Cite

XLoader and FakeSpy, the two major smishing botnets targeting Japan, change their attack strategies over various timescales. Based on recent observations of the botnets and Twitter data, we present empirical facts about their strategies and activity patterns and applied some of these strategic and activity patterns to malware detection and malicious domain detection. All the proposed methods yielded small false positive and negative rates, and are expected to run on user devices owing to their small computational cost. Recent malware detection methods based on traffic analysis extract TCP/IP traffic features if the upper layers of TCP are encrypted. In this study, Frida's hooking capability was employed to decode the upper layers (WebSocket and JSON-RPC) to create a list of all commands flowing over the botnet channel. The command-level traffic analysis presents decisive attack features because commands are transmitted according to strategies developed by the attackers. The proposed malicious domain detection method, on the other hand, exploited the tendency of the attackers to create domains in batches. Previous researchers focused on how benign and malicious domains were registered and used on the name servers. The proposed method, on the other hand, focuses on the arrival rate of SMS messages with URL links. The error rates become significantly small when users do not receive such messages very often.

show abstract

Task-Aware Meta Learning-based Siamese Neural Network for Classifying Obfuscated Malware

Cited by 5 publications

References 39 publications

Autoencoder-based Unsupervised Intrusion Detection using Multi-Scale Convolutional Recurrent Networks

Autoencoder-based Unsupervised Intrusion Detection using Multi-Scale Convolutional Recurrent Networks

A Ransomware Triage Approach using a Task Memory based on Meta-Transfer Learning Framework

Smishing Strategy Dynamics and Evolving Botnet Activities in Japan

Contact Info

Product

Resources

About