Malware detection by behavioural sequential patterns

Ahmadi, Mansour; Sami, Ashkan; Rahimi, Habibollah; Yadegari, Babak

doi:10.1016/s1361-3723(13)70072-1

Cited by 53 publications

(23 citation statements)

References 4 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…Elisan (2012) states that static analysis would seem like the obvious choice for malware in terms of ease and efficiency; however, he also notes that the results gathered during a static analysis are less useful as the malware is inactive when analyzed [5]. The observations of Ahmadi et al (2013) on static analysis, hold a similar view to Elisan on using static analysis and comment malicious coders can utilize a diverse range of techniques that make static analysis of malware inaccurate, they mention that the techniques used include entry point obfuscation code packing and control flow [1]. Vidyarthi (2015) confirms this view expressing that if a sample of malware is packed, encrypted, complex or a large sample a static analysis can become very difficult [2].…”

Section: Malware Analysismentioning

confidence: 99%

“…Although malware exists that targets Linux systems, this is relatively rare: the majority of malware targets Windows systems (in part due to targeting of market share). Furthermore, Linux software repositories provide a trusted source for software installation, which also reduces the likelihood of malware on B Z. Cliffe Schreuders c.schreuders@leedsbeckett.ac.uk 1 Cybercrime and Security Innovation (CSI) Centre, Leeds Beckett University, Headingley Campus, Leeds LS6 3QS, UK Linux. Common practice is to not run anti-malware software on Linux systems.…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Security implications of running windows software on a Linux system using Wine: a malware analysis study

Duncan

Schreuders

2018

J Comput Virol Hack Tech

View full text Add to dashboard Cite

Linux is considered to be less prone to malware compared to other operating systems, and as a result Linux users rarely run anti-malware. However, many popular software applications released on other platforms cannot run natively on Linux. Wine is a popular compatibility layer for running Windows programs on Linux. The level of security risk that Wine poses to Linux users is largely undocumented. This project was conducted to assess the security implications of using Wine, and to determine if any specific types of malware or malware behavior have a significant effect on the malware being successful in Wine. Dynamic analysis (both automated and manual) was applied to 30 malware samples both in a Windows environment and Linux environment running Wine. Behavior analyzed included file system, registry, and network access, and the spawning of processes, and services. The behavior was compared to determine malware success in Wine. The study results provide evidence that Wine can pose serious security implications when used to run Windows software in a Linux environment. Five samples of Windows malware were run successfully through Wine on a Linux system. No significant relationships were discovered between the success of the malware and its high-level behavior or malware type. However, certain API calls could not be recreated in a Linux environment, and led to failure of malware to execute via Wine. This suggests that particular malware samples that utilize these API calls will never run completely successfully in a Linux environment. As a consequence, the success of some samples can be determined from observing the API calls when run within a Windows environment.

show abstract

Section: Malware Analysismentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

Security implications of running windows software on a Linux system using Wine: a malware analysis study

Duncan

Schreuders

2018

J Comput Virol Hack Tech

View full text Add to dashboard Cite

show abstract

“…Algumas dessas abordagens incluem: a) modelagem estatística dos padrões de código gerados pelos motores metamórficos [5] [6] [7]; b) análise das distribuições das ocorrências de sequências de opcodes de instruções [8]; c) análise estatística composta pela combinação de métodos de ranqueamento de características de grupos de opcodes de instruções [9]; e d) análise de representações intermediárias que expressam as semânticas do código, tais como: grafos de controle de fluxo [10] [11], grafos de chamadas a APIs do sistema [12] e grafos de dependência de dados [13] [4].…”

Section: Introductionunclassified

Improving the detection of metamorphic malware through data dependency graphs indexing

Aguilera¹,

Souto²,

Martins³

2018

J. Inf. Secur. Cryptogr.

View full text Add to dashboard Cite

Abstract-Metamorphism have been successfully used in original malicious code to the creation and proliferation of new malware instances, making them harder to detect. This work presents an approach that identifies metamorphic malware through data dependency graphs comparison. Features are extracted on data dependency graphs to build an index that is used to determine which malware family a suspicious code belongs to. Experimental results on 3045 samples of metamorphic malware showed that our proposed approach obtained accuracy rate higher than most commercial anti-malware tools.Index Terms-malware, metamorfismo, grafos de dependência, engenharia reversa, aprendizagem de máquina. I. INTRODUÇÃOApesar dos crescentes investimentos e esforços realizados pelas companhias de segurança na criação de soluções de detecção de software maliciosos (e.g. antivirus, antispyware e adware), a infecção de malware continua sendo uma das principais ameaças a segurança dos sistemas computacionais no mundo. A sofisticação dos ataques e o aumento cada vez maior das famílias de malware tem tornado a defesa contra cibercriminosos uma tarefa ainda mais difícil. De acordo com a empresa AV-Test [2], considerando somente os anos de 2013 e 2014, a quantidade de novas amostras de malware aumentou de 83 para 142 milhões, representando uma taxa de crescimento superiorà 71%. Um relatório produzido pela Symantec descreve um aumento de 274 milhões de amostras de vírus em 2014 para 357 milhões em 2016 [3]. Esses estudos reconhecem a falta de capacidade das ferramentas de detecção de malware existentes em lidar com as técnicas usadas pelos atacantes para evadir tais ferramentas.Essa dificuldade ocorre principalmente porque os criadores de programas maliciosos empregam várias técnicas de evasão como polimorfismo e metamorfismo de código para criar novas variantes de um malware a partir de uma mesma instância de código original, gerando diversas estruturas e padrões de código aleatórios [4]. Tal nível de variedade pode ser obtido de forma automatizada, a uma taxa exponencial, o que torna a criação de modelos de identificação de malware um processo ainda mais difícil.Este artigo corresponde a uma versão estendida do artigo:"Detecção de malware metamórfico baseada na indexação de grafos Dentre as abordagens citadas, o uso de Grafos de Dependência de Dados (GDDs) se apresenta como uma alternativa promissora para detecção de malware metamórficos, visto que as relações semânticas representadas pelos GDDs se mantêm praticamente inalteradas mesmo quando uma nova versão de malwareé criada. Um GDDé uma representação que usa uma notação baseada em grafos para descrever todas as relações de dependências de dados existentes entre as instruções de um programa de computador. Liu et al. [14] e Kim e Moon [13], por exemplo, demonstraram que possível usar GDDs para identificar efetivamente pelo menos cinco tipos diferentes de técnicas de ofuscação de código: i) alteração de formato; ii) mudança no nome das variáveis; iii) reordenamento de estruturas; iv) troca de estr...

show abstract

“…On the other hand code obfuscation techniques and polymorphic malwares fails at dynamic analysis [6] because it analyses the runtime behavior of a program by monitoring the program while in execution. The main advantage is that it analyses the runtime behavior of a program which is hard to obfuscate [7,8]. But there are some limitations to dynamic analysis.…”

Section: Introductionmentioning

confidence: 99%

Android Malware Detection Using Haml

Choudhary¹

2017

ijarcs

View full text Add to dashboard Cite

Abstrac:The malware is a very common term in today's scenario. It is very harmful for our device. It is continuously gaining the rise in its quantity. It is proving to be a challenging task to detect the malware because whenever we come to evade a technique for its detection, the attackers also evade the new technique to overcome with our detection technique. Presently we have two techniques for the analysis of an application to be a malware or a goodware. these are : static analysis and dynamic analysis Mostly anti-virus software uses signature-based detection technique but it is inefficient in the today's scenario because of the rapid increase in the number and variants of malware. The signature is a unique identifier for a binary file, which is created by analyzing the binary file using static analysis methods. The dynamic analysis uses the actions and behavior during runtime to find out the type of executable (either malware or benign). Both methods have their own benefits as well as drawbacks. This paper proposes a new technique which uses HAML(Hybrid Analysis with Machine Learning).Hybrid analysis is the combined form of static and dynamic analysis to analyses the executable file Machine Learning is used to classify an unknown executable file. In this method, known type of malware and the benign programs are used as training data. By analysis of the binary code and dynamic behavior, the feature vector is selected. The proposed method utilizes the benefits of both static and dynamic analysis thus the efficiency, and the classification result is improved. Our experimental results show an accuracy of 95.87% using static, 97.17% using dynamic and 98.72% using the embedded method. As Compare to the standalone dynamic and static methods, our HAML method gives the more accurate results and is proved to be more efficient.

show abstract

Malware detection by behavioural sequential patterns

Cited by 53 publications

References 4 publications

Security implications of running windows software on a Linux system using Wine: a malware analysis study

Security implications of running windows software on a Linux system using Wine: a malware analysis study

Improving the detection of metamorphic malware through data dependency graphs indexing

Android Malware Detection Using Haml

Contact Info

Product

Resources

About