Efficient Dynamic Malware Analysis Based on Network Behavior Using Deep Learning

Shibahara, Toshiki; Yagi, T.; Akiyama, Mitoshi; Chiba, Daiki; Yada, Takeshi

doi:10.1109/glocom.2016.7841778

Cited by 67 publications

(41 citation statements)

References 13 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…The core concept is only to record dynamic data if it will improve accuracy, either by omitting some files from dynamic data collection or by stopping data collection early. Shibahara et al [16] decide when to stop analysis for each sample based on changes in network communication, reducing the total time taken by 67% compared with a "conventional" method that analyses samples for 15 minutes each. Neugschwandtner et al [17] used static data to determine dissimilarity to known malware variants using a clustering algorithm.…”

Section: Related Workmentioning

confidence: 99%

Early-stage malware prediction using recurrent neural networks

Rhode

Burnap

Jones

2018

Computers & Security

232

142

View full text Add to dashboard Cite

Static malware analysis is well-suited to endpoint anti-virus systems as it can be conducted quickly by examining the features of an executable piece of code and matching it to previously observed malicious code. However, static code analysis can be vulnerable to code obfuscation techniques. Behavioural data collected during file execution is more difficult to obfuscate, but takes a relatively long time to capture -typically up to 5 minutes, meaning the malicious payload has likely already been delivered by the time it is detected.In this paper we investigate the possibility of predicting whether or not an executable is malicious based on a short snapshot of behavioural data. We find that an ensemble of recurrent neural networks are able to predict whether an executable is malicious or benign within the first 5 seconds of execution with 94% accuracy. This is the first time general types of malicious file have been predicted to be malicious during execution rather than using a complete activity log file post-execution, and enables cyber security endpoint protection to be advanced to use behavioural data for blocking malicious payloads rather than detecting them post-execution and having to repair the damage.

show abstract

Section: Related Workmentioning

confidence: 99%

Early-stage malware prediction using recurrent neural networks

Rhode

Burnap

Jones

2018

Computers & Security

232

142

View full text Add to dashboard Cite

show abstract

“…Real-time processing: Most existing deep learning based security schemes such as the DNN-based authentication in [4] and the RNN-based malware detection in [11] require long training time and are too complicated to be implemented in the practical MCS systems for real-time processing. The widely used hardware for deep learning computation such as graphics processing units (GPUs), is not applicable for most mobile devices such as smartphones in MCS systems.…”

Section: Discussionmentioning

confidence: 99%

“…A RNN-based malware detection scheme as developed in [11] uses RNN to capture the domain and content-based malware characteristics and determine whether to suspend the dynamic detection based on the network behavior. As shown in Fig.…”

Section: Dl-based Intrusion Detectionmentioning

confidence: 99%

Secure mobile crowdsensing based on deep learning

Xiao

Jiang

et al. 2018

China Commun.

View full text Add to dashboard Cite

In order to stimulate secure sensing for Internet of Things (IoT) applications such as healthcare and traffic monitoring, mobile crowdsensing (MCS) systems have to address security threats, such as jamming, spoofing and faked sensing attacks, during both the sensing and the information exchange processes in large-scale dynamic and heterogenous networks. In this article, we investigate secure mobile crowdsensing and present how to use deep learning (DL) methods such as stacked autoencoder (SAE), deep neural network (DNN), and convolutional neural network (CNN) to improve the MCS security approaches including authentication, privacy protection, faked sensing countermeasures, intrusion detection and anti-jamming transmissions in MCS. We discuss the performance gain of these DL-based approaches compared with traditional security schemes and identify the challenges that need to be addressed to implement them in practical MCS systems.

show abstract

“…Shibahara et al [38] proposed a slightly different algorithm that is using RNN on changes in network communication with a goal of reducing malware analysis time. This approach is not DGAonly specific but rather generic and attempts to cover other types of malware.…”

Section: Related Workmentioning

confidence: 99%

Detecting DGA domains with recurrent neural networks and side information

Curtin

Gardner

Grzonkowski

et al. 2019

Proceedings of the 14th International Conference on Availability, Reliability and Security

View full text Add to dashboard Cite

Modern malware typically makes use of a domain generation algorithm (DGA) to avoid command and control domains or IPs being seized or sinkholed. This means that an infected system may attempt to access many domains in an attempt to contact the command and control server. Therefore, the automatic detection of DGA domains is an important task, both for the sake of blocking malicious domains and identifying compromised hosts. However, many DGAs use English wordlists to generate plausibly clean-looking domain names; this makes automatic detection difficult. In this work, we devise a notion of difficulty for DGA families called the smashword score; this measures how much a DGA family looks like English words. We find that this measure accurately reflects how much a DGA family's domains look like they are made from natural English words. We then describe our new modeling approach, which is a combination of a novel recurrent neural network architecture with domain registration side information. Our experiments show the model is capable of effectively identifying domains generated by difficult DGA families. Our experiments also show that our model outperforms existing approaches, and is able to reliably detect difficult DGA families such as matsnu, suppobox, rovnix, and others. The model's performance compared to the state of the art is best for DGA families that resemble English words. We believe that this model could either be used in a standalone DGA domain detector-such as an endpoint security application-or alternately the model could be used as a part of a larger malware detection system. CCS CONCEPTS• Security and privacy → Malware and its mitigation; Artificial immune systems; Web protocol security; • Computing methodologies → Neural networks.

show abstract

Efficient Dynamic Malware Analysis Based on Network Behavior Using Deep Learning

Cited by 67 publications

References 13 publications

Early-stage malware prediction using recurrent neural networks

Early-stage malware prediction using recurrent neural networks

Secure mobile crowdsensing based on deep learning

Detecting DGA domains with recurrent neural networks and side information

Contact Info

Product

Resources

About