This summarizes a research paper that proposes developing a new framework to optimize malware detection in digital forensics investigations. The paper discusses challenges with existing detection methods, such as signature-based approaches requiring extensive manual analysis. Through a market research survey of forensics professionals, the paper finds weaknesses in current skills, tools, and accuracy rates. Most respondents agreed a new customized detection tool is needed that employs both dynamic and static analysis methods. The proposed framework aims to address these issues to more effectively detect and analyze malware.
Optimised malware detection in digital forensics (IJNSA Journal)
On the Internet, malware is one of the most serious threats to system security, and many of the most complex problems on any system are caused by malware and spam. Networks and systems can be accessed and compromised by malware known as botnets, which compromise further systems through coordinated attacks. Such malware uses anti-forensic techniques to avoid detection and investigation. To protect systems from this malicious activity, a new framework is required that aims to develop an optimised technique for malware detection. Hence, this paper demonstrates new approaches to performing malware analysis in forensic investigations and discusses how such a framework may be developed.
Integrated Feature Extraction Approach Towards Detection of Polymorphic Malwa... (CSCJournals)
Some malware is sophisticated, using polymorphic techniques such as self-mutation and evasion of emulation-based analysis. Most anti-malware techniques are overwhelmed by polymorphic threats that self-mutate into a different variant at every attack. This research aims to contribute to the detection of malicious code, especially polymorphic malware, by using advanced static and advanced dynamic analysis to extract more informative key features of a sample through code analysis, memory analysis and behavioural analysis. A correlation-based feature selection algorithm will be used to transform the features, i.e. to filter and select the optimal, relevant ones. The K-Nearest Neighbour (K-NN) machine learning technique will be used for classification and detection of polymorphic malware. Results will be evaluated with the following metrics: True Positive Rate (TPR), False Positive Rate (FPR) and the overall detection accuracy of the experiments.
NETWORK INTRUSION DETECTION AND COUNTERMEASURE SELECTION IN VIRTUAL NETWORK (... (ijsptm)
Intrusion into a network or a system is a problem today as the number of successful network attacks continues to rise. Intruders can exploit vulnerabilities of a network system to gain access, deploy viruses or malware, or mount a Denial of Service (DoS) attack. In this work, a frequency-based Intrusion Detection System (IDS) is proposed to detect DoS attacks. The frequency data is extracted from the time series created by the traffic flow using the Discrete Fourier Transform (DFT). An algorithm is developed for anomaly-based intrusion detection with fewer false alarms, which further detects known and unknown attack signatures in a network. The frequency content of the traffic generated by a virus or malware is inconsistent with the frequency content of legitimate traffic. A Centralized Traffic Analyzer Intrusion Detection System, called CTA-IDS, is introduced to further detect insider attackers in a network. The strategy is effective in detecting abnormal content in the traffic data as information passes from one node to another, and also detects known attack signatures and unknown attacks. The approach is tested by running artificial network intrusion data in simulated networks using the Network Simulator 2 (NS2) software.
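The frequency-based detector described in the abstract above, as an added example that is not the paper's code: packet arrival times are binned into a per-second count series, the magnitude spectrum is computed with a plain DFT, and the normalised spectrum of a new window is compared by Euclidean distance against a baseline learned from legitimate windows. The traffic generators, the window and bin sizes, the four-client polling pattern, the flood rate and the three-times-worst-training-deviation threshold are all assumptions made for this illustration; no captured traffic or NS2 data is used.

```python
import cmath
import math
import random
from typing import List, Sequence

WINDOW_S = 32   # length of one analysis window in seconds (assumed)
BIN_S = 1.0     # width of one time-series bin in seconds (assumed)


def bin_packet_times(timestamps: Sequence[float], window_s: int = WINDOW_S,
                     bin_s: float = BIN_S) -> List[int]:
    """Turn packet arrival times (seconds from window start) into a packet-count series."""
    counts = [0] * int(window_s / bin_s)
    for t in timestamps:
        if 0 <= t < window_s:
            counts[int(t // bin_s)] += 1
    return counts


def dft_magnitudes(series: Sequence[float]) -> List[float]:
    """|X_k| for k = 0 .. N/2, the non-redundant half of the DFT of a real-valued series."""
    n = len(series)
    mags = []
    for k in range(n // 2 + 1):
        acc = 0j
        for t, x in enumerate(series):
            acc += x * cmath.exp(-2j * math.pi * k * t / n)
        mags.append(abs(acc))
    return mags


def spectral_signature(series: Sequence[float]) -> List[float]:
    """Magnitude spectrum normalised to unit sum so windows of different volume compare."""
    mags = dft_magnitudes(series)
    total = sum(mags) or 1.0
    return [m / total for m in mags]


def euclidean(a: Sequence[float], b: Sequence[float]) -> float:
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


class FrequencyIDS:
    """Learns the spectral shape of legitimate traffic and flags windows that deviate from it."""

    def __init__(self, margin: float = 3.0):
        self.margin = margin          # threshold = margin * worst deviation seen in training
        self.baseline: List[float] = []
        self.threshold = 0.0

    def train(self, windows: Sequence[Sequence[float]]) -> float:
        sigs = [spectral_signature(bin_packet_times(w)) for w in windows]
        self.baseline = [sum(s[i] for s in sigs) / len(sigs) for i in range(len(sigs[0]))]
        self.threshold = self.margin * max(euclidean(s, self.baseline) for s in sigs)
        return self.threshold

    def score(self, window: Sequence[float]) -> float:
        return euclidean(spectral_signature(bin_packet_times(window)), self.baseline)

    def is_anomalous(self, window: Sequence[float]) -> bool:
        return self.score(window) > self.threshold


# ---- constructed traffic (synthetic, not captured data) ----
def legit_window(seed: int) -> List[float]:
    """Four clients each send a 3-packet burst every 8 s, plus a few stray packets."""
    rng = random.Random(seed)
    pkts: List[float] = []
    for phase in (0.2, 2.4, 5.4, 7.6):
        for j in range(WINDOW_S // 8):
            start = phase + 8 * j
            pkts.extend(start + k * 0.05 + rng.uniform(-0.2, 0.2) for k in range(3))
    pkts.extend(rng.uniform(0, WINDOW_S) for _ in range(4))
    return pkts


def flood_window(seed: int, rate: int = 50) -> List[float]:
    """Legitimate traffic with a steady flood of `rate` packets per second laid on top."""
    pkts = legit_window(seed)
    for sec in range(WINDOW_S):
        pkts.extend(sec + i / rate for i in range(rate))
    return pkts


if __name__ == "__main__":
    ids = FrequencyIDS()
    print("threshold", round(ids.train([legit_window(s) for s in range(6)]), 4))
    for name, w in (("legit", legit_window(42)), ("flood", flood_window(43))):
        print(name, round(ids.score(w), 4), "ALERT" if ids.is_anomalous(w) else "ok")
```

The flood moves almost all spectral energy into the DC bin and flattens the periodic components that the polling clients produce, which is why the normalised signature, rather than raw packet counts, is what the baseline compares. A real deployment would train on many windows across times of day and re-learn the threshold as the legitimate traffic mix changes.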
COMPARISON OF MALWARE CLASSIFICATION METHODS USING CONVOLUTIONAL NEURAL NETWO... (IJNSA Journal)
Malicious software is constantly being developed and improved, so detection and classification of malware is an ever-evolving problem. Since traditional malware detection techniques fail to detect new or unknown malware, machine learning algorithms have been used to overcome this disadvantage. We present a Convolutional Neural Network (CNN) for malware type classification based on API (Application Program Interface) calls. This research uses a database of 7107 instances of API call streams and 8 different malware types: Adware, Backdoor, Downloader, Dropper, Spyware, Trojan, Virus, Worm. We used a 1-dimensional CNN, mapping API calls as categorical and term frequency-inverse document frequency (TF-IDF) vectors, and compared the results to other classification techniques. The proposed 1-D CNN outperformed the other techniques with 91% overall accuracy for both categorical and TF-IDF vectors.
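Two of the entries above describe the same pipeline from different ends: the polymorphic-malware paper (Integrated Feature Extraction Approach...) classifies extracted features with K-NN and reports TPR and FPR, and the CNN paper here turns API call streams into TF-IDF vectors. The example below, added here and not code from either paper, joins the two steps: API call traces are weighted with smoothed TF-IDF, L2-normalised so that a dot product is a cosine similarity, classified by a k-nearest-neighbour majority vote, and scored with TPR, FPR and accuracy. The traces, the API groupings and k = 3 are constructed for illustration; the papers' datasets are not used.

```python
import math
from collections import Counter
from typing import Dict, List, Sequence

Trace = Sequence[str]   # ordered API calls recorded from one execution


class TfidfKnn:
    """TF-IDF vectors over API-call traces, classified by a cosine k-nearest-neighbour vote."""

    def __init__(self, k: int = 3):
        self.k = k
        self.idf: Dict[str, float] = {}
        self.vectors: List[Dict[str, float]] = []
        self.labels: List[int] = []

    def fit(self, traces: Sequence[Trace], labels: Sequence[int]) -> "TfidfKnn":
        df: Counter = Counter()
        for t in traces:
            df.update(set(t))                     # document frequency: one count per trace
        n = len(traces)
        # smoothed idf: a call seen in every trace gets weight 1.0, rarer calls more
        self.idf = {api: math.log((1 + n) / (1 + c)) + 1.0 for api, c in df.items()}
        self.vectors = [self.vectorize(t) for t in traces]
        self.labels = list(labels)
        return self

    def vectorize(self, trace: Trace) -> Dict[str, float]:
        tf = Counter(trace)
        length = len(trace) or 1
        # calls never seen in training have no idf and are dropped (unknown API is not evidence)
        vec = {api: (c / length) * self.idf[api] for api, c in tf.items() if api in self.idf}
        norm = math.sqrt(sum(v * v for v in vec.values())) or 1.0
        return {api: v / norm for api, v in vec.items()}     # unit length: dot product = cosine

    def predict(self, trace: Trace) -> int:
        q = self.vectorize(trace)
        sims = [(sum(q.get(api, 0.0) * w for api, w in v.items()), lab)
                for v, lab in zip(self.vectors, self.labels)]
        sims.sort(key=lambda s: -s[0])
        votes = sum(lab for _, lab in sims[: self.k])
        return 1 if votes * 2 > self.k else 0

    def evaluate(self, traces: Sequence[Trace], labels: Sequence[int]) -> Dict[str, float]:
        tp = fp = tn = fn = 0
        for t, y in zip(traces, labels):
            p = self.predict(t)
            if y == 1:
                tp += p
                fn += 1 - p
            else:
                fp += p
                tn += 1 - p
        return {"TPR": tp / max(tp + fn, 1), "FPR": fp / max(fp + tn, 1),
                "accuracy": (tp + tn) / max(len(labels), 1)}


# ---- constructed traces (illustrative, not the papers' datasets); 1 = malicious, 0 = benign ----
COMMON = ["GetModuleHandleW", "GetProcAddress", "CreateFileW", "ReadFile", "CloseHandle"]
INJECT = ["OpenProcess", "VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread"]
PERSIST = ["RegOpenKeyExW", "RegSetValueExW", "RegCloseKey"]
NET = ["InternetOpenW", "InternetOpenUrlW", "InternetReadFile"]

TRAIN = [
    (COMMON + INJECT, 1),
    (COMMON + PERSIST + NET, 1),
    (["LoadLibraryW"] + INJECT + PERSIST, 1),
    (COMMON + NET + ["WriteFile"] + PERSIST, 1),
    (COMMON + ["WriteFile", "GetSystemTimeAsFileTime"], 0),
    (COMMON + ["FindFirstFileW", "FindNextFileW", "FindClose"], 0),
    (["LoadLibraryW", "GetProcAddress", "MessageBoxW", "CloseHandle"], 0),
    (COMMON + ["RegOpenKeyExW", "RegQueryValueExW", "RegCloseKey"], 0),
]
TEST = [
    (["LoadLibraryW"] + COMMON + INJECT + ["ExitProcess"], 1),
    (COMMON + NET + PERSIST, 1),
    (COMMON + ["WriteFile", "FindFirstFileW", "FindClose"], 0),
    (["LoadLibraryW", "GetProcAddress", "MessageBoxW", "GetSystemTimeAsFileTime",
      "CloseHandle", "GetTickCount"], 0),     # GetTickCount never appears in training
]


def train_and_evaluate(k: int = 3) -> Dict[str, float]:
    model = TfidfKnn(k).fit([t for t, _ in TRAIN], [y for _, y in TRAIN])
    return model.evaluate([t for t, _ in TEST], [y for _, y in TEST])


if __name__ == "__main__":
    print(train_and_evaluate())
```

The idf weighting is what keeps ubiquitous calls such as CloseHandle from dominating the vote: the injection and persistence calls that appear in only a few traces carry the highest weight, so a trace sharing them with a malicious neighbour outranks one that shares only the common prologue.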
Analysis of Malware Infected Systems & Classification with Gradient-boosted T... (Darshan Gorasiya)
Analysis of Malware Infected Systems with MapReduce, Pig, Hive, SparkSQL & Classification with Spark MLlib Gradient-boosted Tree on Big Data Platform (Hadoop)
A framework to detect novel computer viruses via system calls (UltraUploader)
This document describes a framework for detecting email viruses based on system calls. It involves injecting DLLs to monitor and log system calls from an email client. The framework includes a training period where it is exposed to known viruses to derive malicious system calls, which are stored in a database. Normal email usage is also tested to identify unique virus-related system calls. This allows detection of new viruses based on abnormal system calls, without needing pre-existing virus signatures.
Automated classification and analysis of internet malware (UltraUploader)
The document summarizes research on analyzing how existing anti-virus software classifies malware. It finds that anti-virus products provide labels for malware that are inconsistent across products, incomplete in covering all malware, and lack concise semantics. To address these limitations, the research proposes a new technique for classifying malware based on its behavior and system changes, and automatically grouping similar behaviors. It evaluates the approach using large and diverse malware datasets.
A SURVEY ON MALWARE DETECTION AND ANALYSIS TOOLS (IJNSA Journal)
This document summarizes a survey paper on malware detection and analysis tools. It provides an overview of different types of malware like viruses, worms, Trojans, rootkits, spyware and keyloggers. It describes techniques for malware analysis, including static analysis which examines code without execution, and dynamic analysis which analyzes behavior during execution. It also lists some limitations of static analysis and the need for dynamic analysis. Finally, it discusses various tools available for malware detection, analysis, reverse engineering and debugging.
Novel Malware Clustering System Based on Kernel Data Structure (iosrjce)
IRJET- Zombie - Venomous File: Analysis using Legitimate Signature for Securi... (IRJET Journal)
The document discusses a proposed method for detecting viruses and malware that evade existing antivirus software. It uses a combination of analyzing files with VirusTotal's database of known threats and applying natural language processing techniques like suffix trees and TF-IDF to identify malicious patterns in files. An evaluation shows the proposed method can detect viruses that existing antivirus and VirusTotal miss, achieving a 97% accuracy rate in testing.
Malware Risk Analysis on the Campus Network with Bayesian Belief Network (IJNSA Journal)
This document discusses using a Bayesian Belief Network (BBN) to analyze malware risk on a university campus network. It begins by introducing the campus network monitoring tools and SIR epidemiological model used to model malware propagation. It then provides background on BBN principles, including defining nodes, conditional probabilities, and using the network to compute joint probabilities. The document proposes applying a BBN to assess malware prevalence risk by relating threat, vulnerability, and cost impact on network assets. It aims to provide understandable risk assessments to inform decision making.
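A worked example of the BBN computation the summary above describes, added here and not the paper's code or its probability tables: binary nodes for Threat and Vulnerability feed an Infected node, which feeds a cost-bearing Outage node; the joint probability is built by the chain rule from each node's conditional probability table and marginals and posteriors are obtained by enumeration. Every CPT value, the node names and the asset cost are assumptions for illustration only.

```python
from itertools import product
from typing import Dict, Optional, Sequence, Tuple


class BBN:
    """Binary-node Bayesian belief network with exact inference by enumeration."""

    def __init__(self) -> None:
        self.parents: Dict[str, Tuple[str, ...]] = {}   # insertion order doubles as topological order
        self.cpt: Dict[str, Dict[Tuple[bool, ...], float]] = {}

    def add(self, node: str, parents: Sequence[str],
            cpt: Dict[Tuple[bool, ...], float]) -> None:
        """cpt maps every combination of parent values to P(node = True | parents)."""
        for p in parents:
            if p not in self.parents:
                raise ValueError(f"parent {p} must be added before {node}")
        if len(cpt) != 2 ** len(parents):
            raise ValueError(f"{node}: CPT needs {2 ** len(parents)} rows, got {len(cpt)}")
        self.parents[node] = tuple(parents)
        self.cpt[node] = dict(cpt)

    def joint(self, assignment: Dict[str, bool]) -> float:
        """Chain rule: P(x1..xn) = product over i of P(xi | parents(xi))."""
        p = 1.0
        for node, parents in self.parents.items():
            p_true = self.cpt[node][tuple(assignment[q] for q in parents)]
            p *= p_true if assignment[node] else 1.0 - p_true
        return p

    def marginal(self, evidence: Dict[str, bool]) -> float:
        """P(evidence): sum of the joint over every assignment consistent with the evidence."""
        free = [n for n in self.parents if n not in evidence]
        total = 0.0
        for values in product((False, True), repeat=len(free)):
            full = dict(evidence)
            full.update(zip(free, values))
            total += self.joint(full)
        return total

    def query(self, node: str, evidence: Optional[Dict[str, bool]] = None) -> float:
        """P(node = True | evidence) = P(node, evidence) / P(evidence)."""
        ev = dict(evidence or {})
        denom = self.marginal(ev)
        if denom == 0.0:
            raise ValueError("evidence has zero probability under the model")
        ev[node] = True
        return self.marginal(ev) / denom


def campus_risk_model() -> BBN:
    """Illustrative network for one campus subnet; all CPT values are assumed, not measured."""
    net = BBN()
    net.add("Threat", [], {(): 0.30})        # malware observed on neighbouring segments
    net.add("Vulnerable", [], {(): 0.40})    # host unpatched or without endpoint protection
    net.add("Infected", ["Threat", "Vulnerable"], {
        (False, False): 0.01, (False, True): 0.05,
        (True, False): 0.10, (True, True): 0.70,
    })
    net.add("Outage", ["Infected"], {(False,): 0.02, (True,): 0.60})   # cost-bearing impact
    return net


def expected_loss(net: BBN, impact_node: str, cost: float,
                  evidence: Optional[Dict[str, bool]] = None) -> float:
    """Risk as probability of the impact event times its cost (cost is an assumed figure)."""
    return net.query(impact_node, evidence) * cost


if __name__ == "__main__":
    net = campus_risk_model()
    print("P(Infected)            =", round(net.query("Infected"), 4))
    print("P(Outage)              =", round(net.query("Outage"), 4))
    print("P(Threat | Outage)     =", round(net.query("Threat", {"Outage": True}), 4))
    print("P(Vulnerable | Outage) =", round(net.query("Vulnerable", {"Outage": True}), 4))
    print("expected loss (cost 50000):", round(expected_loss(net, "Outage", 50_000), 2))
    print("with patching (Vulnerable=False):",
          round(expected_loss(net, "Outage", 50_000, {"Vulnerable": False}), 2))
```

Enumeration is exponential in the number of unobserved nodes, which is acceptable for the handful of nodes a risk model of this kind carries; the point of the example is the comparison the paper aims at, namely how the expected loss changes when one parent (here Vulnerable) is fixed by a countermeasure.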
INTRUSION DETECTION USING FEATURE SELECTION AND MACHINE LEARNING ALGORITHM WI... (ijcsit)
This document describes a proposed hybrid intrusion detection model that uses feature selection and machine learning algorithms with misuse detection. The model first selects important features from the NSL-KDD dataset and generates rules based on the behaviors of those features using J48 and CART algorithms. These rules are then used to build an intrusion detection framework that is tested on the NSL-KDD dataset, achieving an accuracy of 88.23%, outperforming other models that require prior learning of attacks. The proposed model works on the concept of misuse detection and can detect intrusions based on feature behaviors without any previous training.
This document proposes an email worm vaccine architecture that uses behavior-based anomaly detection to intercept incoming emails and scan attachments in virtual machines to detect malicious software. The system includes a virtual machine cluster to open attachments safely, a host-based intrusion detection system to monitor for dangerous behaviors, and an email-aware mail transfer agent to classify messages and communicate with the detection system. The implementation demonstrates detecting malware using parallel virtual machines while maintaining a low false positive rate.
With the development and rapid growth of IT infrastructure, malicious code attacks are considered the main threat to cybersecurity. Malicious JavaScript intentionally crafted by attackers into web pages is an emerging security issue affecting millions of users. In the past few years, a number of machine-learning studies on the detection of malicious JavaScript code attacks have demonstrated poor detection accuracy and increased performance overheads. In this paper, an effective interceptor approach for the detection of multivariate and novel malicious JavaScript based on deep learning is proposed and evaluated. A hybrid feature set based on static and dynamic analysis was used. The dataset used in this study consists of 32,000 benign web pages and 12,900 malicious pages. The experimental results show that this approach was able to detect 99.01% of new malicious code variants.
International Journal of Computer Science and Information Security (IJCSIS), ISSN 1947-5500, Pittsburgh, PA, USA
Malware Detection Module using Machine Learning Algorithms to Assist in Centr... (IJNSA Journal)
Malicious software is abundant in a world of innumerable computer users, who are constantly faced with these threats from sources such as the internet, local networks and portable drives. Malware ranges from low to high risk and can cause systems to function incorrectly, steal data and even crash. Malware may be executable or system library files in the form of viruses, worms or Trojans, all aimed at breaching the security of the system and compromising user privacy. Typically, anti-virus software is based on a signature definition system that keeps updating from the internet and thus keeps track of known viruses. While this may be sufficient for home users, the security risk from a new virus could threaten an entire enterprise network. This paper proposes a new and more sophisticated antivirus engine that can not only scan files but also build knowledge and detect files as potential viruses. This is done by extracting the system API calls made by various normal and harmful executables, and using machine learning algorithms to classify and hence rank files on a scale of security risk. While such a system is processor-heavy, it is very effective when used centrally to protect an enterprise network, which may be more prone to such threats.
CLASSIFICATION PROCEDURES FOR INTRUSION DETECTION BASED ON KDD CUP 99 DATA SET (IJNSA Journal)
In a network security framework, intrusion detection is a benchmark component and a fundamental way to protect computers from many threats. The major issue in intrusion detection is the large number of false alerts; this motivates many researchers to look for ways of minimising false alerts using data mining, which is regarded as an analysis procedure for large data sets such as KDD CUP 99. This paper reviews various data mining classification procedures for handling false alerts in intrusion detection. According to the results of testing many data mining procedures on KDD CUP 99, no single procedure can reveal all attack classes with high accuracy and without false alerts. The best accuracy, from a Multilayer Perceptron, is 92%; however, the best training time, from a rule-based model, is 4 seconds. It is concluded that various procedures should be combined to handle the several kinds of network attack.
Data Mining Techniques for Providing Network Security through Intrusion Detec... (IJAAS Team)
Intrusion Detection Systems play a major role in network security in today's internet world. Many researchers have introduced intrusion detection systems in the past; even so, no system has detected all kinds of attacks or achieved better detection accuracy across the board. Most intrusion detection systems use data mining techniques such as clustering, outlier detection, classification, and classification through learning techniques. Most researchers have applied soft computing techniques to make effective decisions over the network dataset and enhance the detection accuracy of the Intrusion Detection System. A few have also applied artificial intelligence techniques alongside data mining algorithms to make dynamic decisions. This paper discusses a number of intrusion detection systems that have been proposed for providing network security. Finally, a comparative analysis is made between the existing systems and some new ideas are suggested for enhancing their performance.
AN ISP BASED NOTIFICATION AND DETECTION SYSTEM TO MAXIMIZE EFFICIENCY OF CLIE... (IJNSA Journal)
End users are increasingly vulnerable to attacks directed at web browsers, which exploit the popularity of today's web services. While organisations deploy several layers of security to protect their systems and data against unauthorised access, surveys reveal that a large fraction of end users do not use, or are not familiar with, any security tools. End users' hesitation and unfamiliarity with security products contribute greatly to the number of online DDoS attacks and to malware and spam distribution. This work-in-progress paper proposes a design focused on the notion of increased participation by internet service providers in protecting end users. The proposed design takes advantage of three different detection tools to identify the maliciousness of website content and alerts users through the Internet Content Adaptation Protocol (ICAP) by way of an in-browser cross-platform messaging system. The system also incorporates analysis of users' online behaviour to minimise the scanning intervals of the malicious-website database by client honeypots. Findings from our proof-of-concept design and other research indicate that such a design can provide a reliable hybrid detection mechanism while introducing low delay into the user's browsing experience.
Basic survey on malware analysis, tools and techniques (ijcsa)
The term malware stands for malicious software. It is a program installed on a system without the knowledge of the system's owner, usually by a third party with the intention of stealing private data from the system or simply playing pranks. This threatens the security of computers that people rely on in day-to-day life for necessities such as education, communication, hospitals, banking and entertainment. Traditional techniques such as antivirus scanners (AVS) and firewalls are used to detect and defend against this malware, but today malware writers are one step ahead of malware detectors: day by day they write new malware, which poses a great challenge for detectors. This paper focuses on a basic study of malware and the various detection techniques that can be used to detect it.
Survey on classification techniques for intrusion detection (csandit)
Intrusion detection is the most essential component in network security. Traditional intrusion detection methods are based on extensive knowledge of signatures of known attacks. Signature-based methods require manual encoding of attacks by human experts. Data mining is one of the techniques applied to intrusion detection that provides higher automation capabilities than signature-based methods. Data mining techniques such as classification, clustering and association rules are used in intrusion detection. In this paper, we present an overview of intrusion detection, the KDD Cup 1999 dataset and a detailed analysis of different classification techniques, namely Support Vector Machine, Decision Tree, Naïve Bayes and Neural Networks, used in intrusion detection.
Automatic Insider Threat Detection in E-mail System using N-gram Technique (IRJET Journal)
This document summarizes research on automatic insider threat detection in email systems using n-gram techniques. It discusses how n-grams can be used to classify documents and detect potential data leakage through email. The system would verify emails sent outside the network using SHA, n-grams and thresholds. If a threat is detected, the user would be blocked. The document also provides a literature review on 10 other papers related to insider threat detection using methods like user profiling, activity logs, data mining and visualization techniques. It describes how n-grams work by breaking words into character sequences and creating profiles based on frequency to classify documents.
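The outbound check sketched in the summary above, as an added example that is not the paper's implementation: each sensitive document is registered by a SHA-256 digest of its normalised text (catches exact copies) and by a character n-gram frequency profile (catches excerpts and light rewording); mail to an external domain is compared with cosine similarity against every profile and blocked above a threshold, after which the sender is blocked. The documents, addresses, the trigram size and the 0.6 threshold are constructed assumptions, not values from the paper.

```python
import hashlib
import math
import re
from collections import Counter
from typing import Dict, Set, Tuple

Profile = Dict[str, float]


def normalise(text: str) -> str:
    """Lower-case and collapse whitespace so trivial reformatting does not defeat the checks."""
    return re.sub(r"\s+", " ", text.lower()).strip()


def ngram_profile(text: str, n: int = 3) -> Profile:
    """Relative frequency of each character n-gram: the per-document profile."""
    t = normalise(text)
    grams = Counter(t[i:i + n] for i in range(len(t) - n + 1))
    total = sum(grams.values()) or 1
    return {g: c / total for g, c in grams.items()}


def cosine(a: Profile, b: Profile) -> float:
    dot = sum(w * b.get(g, 0.0) for g, w in a.items())
    na = math.sqrt(sum(w * w for w in a.values()))
    nb = math.sqrt(sum(w * w for w in b.values()))
    return dot / (na * nb) if na and nb else 0.0


def sha256_hex(text: str) -> str:
    return hashlib.sha256(normalise(text).encode("utf-8")).hexdigest()


class OutboundMailGuard:
    """Checks each outbound message against registered sensitive documents."""

    def __init__(self, internal_domain: str, threshold: float = 0.6, n: int = 3):
        self.internal_domain = internal_domain.lower()
        self.threshold = threshold
        self.n = n
        self.hashes: Dict[str, str] = {}        # sha256 of normalised text -> document name
        self.profiles: Dict[str, Profile] = {}  # document name -> n-gram profile
        self.blocked_users: Set[str] = set()

    def register_sensitive(self, name: str, text: str) -> None:
        self.hashes[sha256_hex(text)] = name
        self.profiles[name] = ngram_profile(text, self.n)

    def check(self, sender: str, recipient: str, body: str) -> Tuple[str, str, float]:
        """Returns (action, reason, score) with action 'allow' or 'block'."""
        if sender in self.blocked_users:
            return "block", "sender already blocked", 1.0
        if recipient.lower().rsplit("@", 1)[-1] == self.internal_domain:
            return "allow", "internal recipient", 0.0
        digest = sha256_hex(body)
        if digest in self.hashes:                       # cheap exact-copy check first
            self.blocked_users.add(sender)
            return "block", f"exact copy of {self.hashes[digest]}", 1.0
        q = ngram_profile(body, self.n)
        name, score = max(((doc, cosine(q, p)) for doc, p in self.profiles.items()),
                          key=lambda item: item[1], default=("", 0.0))
        if score >= self.threshold:                     # excerpt or reworded copy
            self.blocked_users.add(sender)
            return "block", f"{self.n}-gram match with {name}", score
        return "allow", "no match", score


# ---- constructed sample documents and messages (not real data) ----
SENSITIVE_DOC = (
    "CONFIDENTIAL - Project Falcon Q3 forecast. Revenue is expected to reach 4.2 million "
    "with gross margin at 61 percent. The board will review the acquisition of Kestrel Labs "
    "on 14 September; the offer price is 18.50 per share. Do not distribute outside the finance team."
)
LUNCH_MAIL = ("Hi Sam, are we still on for lunch tomorrow at noon? The new ramen place near "
              "the station is supposed to be good. Cheers, Dave")


if __name__ == "__main__":
    guard = OutboundMailGuard("corp.example")
    guard.register_sensitive("falcon-forecast", SENSITIVE_DOC)
    leak = "FYI, see below.\n\n" + SENSITIVE_DOC + "\n\nRegards, Carol"
    for who, to, body in (("carol@corp.example", "press@news.example", leak),
                          ("dave@corp.example", "friend@mail.example", LUNCH_MAIL)):
        action, reason, score = guard.check(who, to, body)
        print(who, "->", to, action, f"({reason}, score={score:.2f})")
```

The hash catches only verbatim copies, which is why the n-gram profile is the working check: wrapping the document in a greeting barely moves its trigram distribution, while an unrelated message shares only the common English trigrams and scores far below the threshold. The threshold should be tuned on real internal mail, since short messages and templated text raise the background similarity.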
Malicious codes (malcodes) are self-replicating malware and a major security threat in a network environment. Timely detection and system alert flags are essential to prevent malcodes spreading rapidly through the network. The difficulty in detecting malcodes is that they evolve over time. Although signature-based tools are generally used to secure systems, signature-based malcode detectors fail to recognise obfuscated and previously unseen malcode executables. Automatic signature generation systems have likewise been used to address the problem, yet much work is still required for good detection. Because malcodes are characterised by their behaviour, a behavioural approach is required for their detection. Specifically, we require dynamic investigation and a behavioural rule-base system that distinguishes malcodes without erroneously blocking legitimate traffic or increasing false alarms. This paper proposes and discusses an approach using machine learning and Indicators of Compromise (IOC) to analyse intrusion in a network, identify the cause of the attack and provide future detection. It proposes the use of a behavioural malware analysis framework to analyse intrusion data, apply a clustering algorithm to the analysed data, and generate IOCs from the clustered data as an IOCRule, which is implemented in the Snort Intrusion Detection System (IDS) for malicious code detection.
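The cluster-then-rule step of the pipeline above, as an added example and not the paper's framework or its clustering algorithm: each analysed sample is represented by the set of network IOCs it produced, samples are grouped by single-linkage clustering on Jaccard similarity, the IOCs shared by every member of a cluster of at least two samples are taken as corroborated, and each is emitted as a Snort 2 rule with its own sid. The sample IOC sets use RFC 5737 documentation addresses and example hostnames and are constructed; the similarity threshold, the minimum cluster size and the sid range are assumptions.

```python
from typing import Dict, FrozenSet, List, Sequence, Set, Tuple

IOC = Tuple[str, str]                 # (kind, value) with kind in {"ip", "host", "uri"}
Sample = Tuple[str, FrozenSet[IOC]]   # (sample id, network IOCs observed during analysis)


def jaccard(a: FrozenSet, b: FrozenSet) -> float:
    union = a | b
    return len(a & b) / len(union) if union else 0.0


def cluster_samples(samples: Sequence[Sample], min_sim: float = 0.5) -> List[List[Sample]]:
    """Single-linkage clustering: a sample joins a cluster if Jaccard >= min_sim with any member."""
    parent = list(range(len(samples)))

    def find(i: int) -> int:
        while parent[i] != i:
            parent[i] = parent[parent[i]]     # path halving
            i = parent[i]
        return i

    for i in range(len(samples)):
        for j in range(i + 1, len(samples)):
            if jaccard(samples[i][1], samples[j][1]) >= min_sim:
                parent[find(i)] = find(j)
    groups: Dict[int, List[Sample]] = {}
    for i, s in enumerate(samples):
        groups.setdefault(find(i), []).append(s)
    return list(groups.values())


def shared_iocs(cluster: Sequence[Sample]) -> Set[IOC]:
    """IOCs present in every member of the cluster: the corroborated behaviour."""
    common = set(cluster[0][1])
    for _, iocs in cluster[1:]:
        common &= iocs
    return common


def snort_escape(value: str) -> str:
    """Escape the characters that terminate or confuse a Snort option string."""
    return (value.replace("\\", "\\\\").replace('"', '\\"')
                 .replace(";", "\\;").replace("|", "\\|"))


def ioc_to_rule(ioc: IOC, sid: int, cluster_id: int) -> str:
    kind, value = ioc
    tail = f'sid:{sid}; rev:1; classtype:trojan-activity;)'
    if kind == "ip":
        ip, port = value.rsplit(":", 1)
        msg = snort_escape(f"IOC cluster {cluster_id} contact {ip} port {port}")
        return f'alert tcp $HOME_NET any -> {ip} {port} (msg:"{msg}"; flow:to_server; {tail}'
    msg = snort_escape(f"IOC cluster {cluster_id} {kind} {value}")
    # ':' is written as hex |3a| inside content, the conservative convention for Snort rules
    content = snort_escape(value).replace(":", "|3a|")
    head = f'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"{msg}"; flow:established,to_server; '
    if kind == "host":
        return head + f'content:"Host|3a| {content}"; http_header; nocase; {tail}'
    if kind == "uri":
        return head + f'content:"{content}"; http_uri; {tail}'
    raise ValueError(f"unknown IOC kind {kind}")


def generate_rules(samples: Sequence[Sample], min_sim: float = 0.5,
                   min_members: int = 2, first_sid: int = 1000001) -> List[str]:
    rules: List[str] = []
    sid = first_sid
    for cid, cluster in enumerate(cluster_samples(samples, min_sim), start=1):
        if len(cluster) < min_members:
            continue                      # a singleton is not yet corroborated behaviour
        for ioc in sorted(shared_iocs(cluster)):
            rules.append(ioc_to_rule(ioc, sid, cid))
            sid += 1
    return rules


# ---- constructed analysis results (documentation addresses, not real infrastructure) ----
SAMPLES: List[Sample] = [
    ("s1", frozenset({("ip", "203.0.113.10:443"), ("host", "cdn-update.example"), ("uri", "/gate.php")})),
    ("s2", frozenset({("ip", "203.0.113.10:443"), ("host", "cdn-update.example"), ("uri", "/gate.php"),
                      ("ip", "203.0.113.11:8080")})),
    ("s3", frozenset({("uri", "/gate.php"), ("ip", "203.0.113.10:443"), ("host", "cdn-update.example")})),
    ("s4", frozenset({("ip", "198.51.100.7:80"), ("host", "static.pkg.example"), ("uri", "/dl/payload.bin")})),
    ("s5", frozenset({("ip", "198.51.100.7:80"), ("host", "static.pkg.example"), ("uri", "/dl/payload.bin"),
                      ("host", "ads.example")})),
    ("s6", frozenset({("ip", "192.0.2.50:443"), ("host", "mail.example")})),
]

if __name__ == "__main__":
    for rule in generate_rules(SAMPLES):
        print(rule)
```

Taking only the intersection of a cluster drops the IOCs seen in a single sample (the extra port and the ad host above), which is the false-alarm control the abstract asks for; a lone sample produces no rule until a second one corroborates it. Generated rules still need the usual review before loading, in particular a check that no IOC is shared infrastructure such as a CDN.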
An Intrusion Detection based on Data mining technique and its intended import... (Editor IJMTER)
Intrusion detection is a pivotal and essential requirement of today's era. There are two major sides of intrusion detection, namely host-based intrusion detection and network-based intrusion detection. A host-based intrusion detection system monitors the information arriving at a particular machine or node, while a network-based system monitors and analyses the whole traffic of the network. Data mining introduces the latest technology and methods to handle and categorise types of attacks using different classification algorithms and matching the patterns of malicious behaviour. Through this data mining technology, developers extract and analyse the types of attack in the network.
In addition, there are two major approaches to intrusion detection. First, the anomaly-based approach, in which attacks are found but with a high false alarm rate. In the signature-based approach the false alarm rate is low, but novel attacks are not handled. Most researchers base their work on signature-based intrusion detection with the purpose of increasing the detection rate. The major advantage of such a system is that the IDS does not require subjective assessment, is able to identify a massive range of attack patterns, and has the capacity to handle large numbers of network connection records. In this paper we try to discover the features of intrusion detection based on data mining techniques.
This document proposes a deep learning approach for detecting Android malware using autoencoders. It extracts five different feature sets from Android apps, including permissions, intent filters, API calls, additional APK files, and certificate information. These features are used to train an autoencoder model to classify apps as either benign or malicious. The methodology involves decompiling apps, extracting features, constructing the feature sets, training the autoencoder in a semi-supervised manner on labeled and unlabeled data, and testing the trained model. Experimental results show the proposed approach can identify malware with high accuracy.
The document discusses a proposed intrusion detection framework for mobile database systems. It introduces a unique profiling method using carefully selected database objects and data concerning the location of database requests. Experiments implementing the system achieved promising detection rates with low false alarm rates. The document reviews existing literature on intrusion detection systems, location-aware IDS, and IDS at the database level. It identifies gaps in current approaches, including high false positive/negative rates. The proposed framework aims to provide a more robust detection method for insider threats in mobile environments.
A STATIC MALWARE DETECTION SYSTEM USING DATA MINING METHODS (ijaia)
This document presents a static malware detection system using data mining techniques. The system extracts raw features from Windows Portable Executable (PE) files including PE header information, DLLs, and API functions. It then selects important features using Information Gain and reduces dimensions using Principal Component Analysis. Three classifiers (SVM, J48, Naive Bayes) are trained on the transformed feature vectors to classify files as malicious or benign. When evaluated on a dataset of over 247,000 files, the system achieved a detection rate of 99.6%.
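The Information Gain feature-selection step described above, as an added example and not the paper's code: each file is represented by the presence or absence of imported DLL names and API functions, the gain of every feature is computed as H(Y) minus the label entropy conditioned on the feature, and the top-k features define the fixed-order binary vector handed to a classifier. The import tables are constructed stand-ins for what a walk of a PE file's import directory would yield; the PE parsing itself and the PCA stage are not shown.

```python
import math
from collections import Counter
from typing import FrozenSet, List, Sequence, Tuple

Sample = FrozenSet[str]   # presence set of "dll:<name>" and "api:<name>" strings


def entropy(labels: Sequence[int]) -> float:
    """Shannon entropy in bits of a label sequence (0 = benign, 1 = malicious)."""
    n = len(labels)
    if n == 0:
        return 0.0
    return -sum((c / n) * math.log2(c / n) for c in Counter(labels).values())


def information_gain(samples: Sequence[Sample], labels: Sequence[int], feature: str) -> float:
    """IG(feature) = H(Y) - P(present) H(Y | present) - P(absent) H(Y | absent)."""
    present = [y for s, y in zip(samples, labels) if feature in s]
    absent = [y for s, y in zip(samples, labels) if feature not in s]
    n = len(labels)
    conditional = (len(present) / n) * entropy(present) + (len(absent) / n) * entropy(absent)
    return entropy(labels) - conditional


def rank_features(samples: Sequence[Sample], labels: Sequence[int]) -> List[Tuple[str, float]]:
    vocab = set().union(*samples)
    scored = [(f, information_gain(samples, labels, f)) for f in vocab]
    return sorted(scored, key=lambda fs: (-fs[1], fs[0]))   # highest gain first, name breaks ties


def select_features(samples: Sequence[Sample], labels: Sequence[int], k: int) -> List[str]:
    return [f for f, _ in rank_features(samples, labels)[:k]]


def to_vector(sample: Sample, selected: Sequence[str]) -> List[int]:
    """Fixed-order binary vector over the selected features, ready for a classifier."""
    return [1 if f in sample else 0 for f in selected]


def imports(dlls: Sequence[str], apis: Sequence[str]) -> Sample:
    return frozenset([f"dll:{d}" for d in dlls] + [f"api:{a}" for a in apis])


# Constructed import tables (illustrative); labels: first four malicious, last four benign.
SAMPLES: List[Sample] = [
    imports(["kernel32.dll", "advapi32.dll"],
            ["WriteProcessMemory", "CreateRemoteThread", "RegSetValueExW", "VirtualAllocEx"]),
    imports(["kernel32.dll", "wininet.dll"],
            ["InternetOpenUrlW", "WriteProcessMemory", "CreateRemoteThread"]),
    imports(["kernel32.dll", "advapi32.dll"], ["RegSetValueExW", "CreateRemoteThread", "VirtualAllocEx"]),
    imports(["kernel32.dll", "user32.dll"], ["WriteProcessMemory", "VirtualAllocEx", "MessageBoxW"]),
    imports(["kernel32.dll", "user32.dll"], ["MessageBoxW", "CreateFileW"]),
    imports(["kernel32.dll", "advapi32.dll"], ["RegQueryValueExW", "CreateFileW"]),
    imports(["kernel32.dll", "user32.dll", "gdi32.dll"], ["MessageBoxW", "TextOutW"]),
    imports(["kernel32.dll", "wininet.dll"], ["InternetOpenUrlW", "CreateFileW"]),
]
LABELS = [1, 1, 1, 1, 0, 0, 0, 0]

if __name__ == "__main__":
    for feature, gain in rank_features(SAMPLES, LABELS):
        print(f"{gain:.4f}  {feature}")
    selected = select_features(SAMPLES, LABELS, 4)
    print("selected:", selected)
    print("vector for sample 0:", to_vector(SAMPLES[0], selected))
```

A feature present in every file (kernel32.dll here) has zero gain and is dropped however suspicious it sounds, while an import that separates the classes cleanly scores highest; note that a strongly benign-only import (CreateFileW in this toy set) ranks just as high as an injection API, because gain measures separation, not maliciousness.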
A FRAMEWORK FOR ANALYSIS AND COMPARISON OF DYNAMIC MALWARE ANALYSIS TOOLS (IJNSA Journal)
Malware writers have employed various obfuscation and polymorphism techniques to thwart static analysis approaches and bypass antivirus tools. Dynamic analysis techniques, however, have essentially overcome these deceits by observing the actual behaviour of the code as it executes. In this regard, various methods, techniques and tools have been proposed. However, because of the diverse concepts and strategies used in the implementation of these methods and tools, security researchers and malware analysts find it difficult to select the optimum tool to investigate the behaviour of a malware sample and to contain the associated risk for their study. Focusing on two dynamic analysis techniques, function call monitoring and information flow tracking, this paper presents a comparison framework for dynamic malware analysis tools. The framework will assist researchers and analysts in recognising a tool's implementation strategy, analysis approach, system-wide analysis support and overall handling of binaries, helping them to select a suitable and effective one for their study and analysis.
Abstract: The exponential growth of the internet and of new technology has placed today's world in a hectic situation, with both positive and negative aspects. Cybercriminals operate on the dark net using numerous techniques, which leads to cybercrime. Cyber threats such as malware attempt to infiltrate computers or mobile devices, offline or online, and anyone can be a potential target. Malware, also known as malicious software, is often used by cybercriminals to achieve their goals by tracking internet activity, capturing sensitive information, or blocking access to a computer. Reverse engineering is one of the best ways to prevent such attacks and is a powerful tool in the fight against them. Most people in the cyber world see it as a black-hat activity, used to steal data and intellectual property. In the hands of cybersecurity experts, however, reverse engineering plays the white-hat role: looking at a program from the outside in, often by a third party that had no hand in writing the code, it allows practitioners to understand how a given program or system works when no source code is available. Reverse engineering accomplishes several tasks related to cybersecurity: finding system vulnerabilities, researching malware, and analysing how hard it is to recover core software algorithms, which can further protect them against theft. It is hard to hack certain software.
Keywords: Malware, threat, vulnerability, detection, reverse engineering, analysis.
Title: Malware analysis and detection using reverse Engineering
Author: B.Rashmitha, J. Alwina Beauty Angelin, E.R. Ramesh
International Journal of Computer Science and Information Technology Research
ISSN 2348-1196 (print), ISSN 2348-120X (online)
Vol. 10, Issue 2, Month: April 2022 - June 2022
Page: (1-4)
Published Date: 01-April-2022
Research Publish Journals
Available at: www.researchpublish.com
Full paper:
https://www.researchpublish.com/papers/malware-analysis-and-detection-using-reverse-engineering
Academia Link: https://www.academia.edu/76069664/Malware_analysis_and_detection_using_reverse_Engineering_Available_at_www_researchpublish_com_journal_name_International_Journal_of_Computer_Science_and_Information_Technology_Research
Novel Malware Clustering System Based on Kernel Data Structureiosrjce
IOSR Journal of Computer Engineering (IOSR-JCE) is a double blind peer reviewed International Journal that provides rapid publication (within a month) of articles in all areas of computer engineering and its applications. The journal welcomes publications of high quality papers on theoretical developments and practical applications in computer technology. Original research papers, state-of-the-art reviews, and high quality technical notes are invited for publications.
IRJET- Zombie - Venomous File: Analysis using Legitimate Signature for Securi...IRJET Journal
The document discusses a proposed method for detecting viruses and malware that evade existing antivirus software. It uses a combination of analyzing files with VirusTotal's database of known threats and applying natural language processing techniques like suffix trees and TF-IDF to identify malicious patterns in files. An evaluation shows the proposed method can detect viruses that existing antivirus and VirusTotal miss, achieving a 97% accuracy rate in testing.
Malware Risk Analysis on the Campus Network with Bayesian Belief NetworkIJNSA Journal
This document discusses using a Bayesian Belief Network (BBN) to analyze malware risk on a university campus network. It begins by introducing the campus network monitoring tools and SIR epidemiological model used to model malware propagation. It then provides background on BBN principles, including defining nodes, conditional probabilities, and using the network to compute joint probabilities. The document proposes applying a BBN to assess malware prevalence risk by relating threat, vulnerability, and cost impact on network assets. It aims to provide understandable risk assessments to inform decision making.
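To make the BBN step concrete, here is an added example (not the study's network or figures) with three binary nodes, threat, vulnerable and compromised, queried by exact enumeration of the joint distribution. The conditional probability tables and the asset cost are constructed assumptions; the point is the mechanics the abstract describes: defining nodes and CPTs, computing joint probabilities, and turning P(compromise) times cost into a risk figure that can be compared across scenarios such as patched versus unpatched.

```python
"""Added example (not from the paper): a three-node Bayesian Belief Network
relating threat, vulnerability and compromise, queried by exact enumeration.
The conditional probability tables and the asset cost are constructed
assumptions, not figures from the campus-network study."""
from itertools import product
from typing import Dict, List, Tuple

NODES: List[str] = ["threat", "vulnerable", "compromised"]   # topological order
PARENTS: Dict[str, List[str]] = {"threat": [], "vulnerable": [], "compromised": ["threat", "vulnerable"]}

# P(node = True | parents) keyed by the parents' values in PARENTS order (assumed values)
CPT: Dict[str, Dict[Tuple[bool, ...], float]] = {
    "threat": {(): 0.30},                       # malware observed on the segment
    "vulnerable": {(): 0.40},                   # asset unpatched for the relevant flaw
    "compromised": {(True, True): 0.90, (True, False): 0.10,
                    (False, True): 0.05, (False, False): 0.01},
}
ASSET_COST = 50_000.0   # constructed monetary impact of a compromise


def joint(assignment: Dict[str, bool]) -> float:
    """Chain rule: P(x1..xn) = prod_i P(x_i | parents(x_i))."""
    p = 1.0
    for node in NODES:
        p_true = CPT[node][tuple(assignment[q] for q in PARENTS[node])]
        p *= p_true if assignment[node] else 1.0 - p_true
    return p


def probability(query: Dict[str, bool], evidence: Dict[str, bool] = None) -> float:
    """P(query | evidence) by summing the joint over every consistent world."""
    evidence = evidence or {}
    numerator = denominator = 0.0
    for values in product((True, False), repeat=len(NODES)):
        world = dict(zip(NODES, values))
        if any(world[k] != v for k, v in evidence.items()):
            continue
        p = joint(world)
        denominator += p
        if all(world[k] == v for k, v in query.items()):
            numerator += p
    return numerator / denominator


def expected_loss(evidence: Dict[str, bool] = None) -> float:
    """Risk = P(compromise | evidence) x impact; compare scenarios to prioritise."""
    return probability({"compromised": True}, evidence) * ASSET_COST


if __name__ == "__main__":
    print("P(compromised)             =", round(probability({"compromised": True}), 4))
    print("P(vulnerable | compromised) =", round(probability({"vulnerable": True}, {"compromised": True}), 4))
    print("expected loss unpatched    =", round(expected_loss({"vulnerable": True})))
    print("expected loss patched      =", round(expected_loss({"vulnerable": False})))
```

With these CPTs the marginal P(compromised) is 0.1442, patching drops it to 0.037, and the expected loss falls from 15,250 to 1,850 per asset, which is the kind of understandable figure the abstract aims to hand to decision makers. Enumeration is exponential in the number of nodes; a real campus model would use a library with variable elimination or sampling.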
INTRUSION DETECTION USING FEATURE SELECTION AND MACHINE LEARNING ALGORITHM WI...ijcsit
This document describes a proposed hybrid intrusion detection model that uses feature selection and machine learning algorithms with misuse detection. The model first selects important features from the NSL-KDD dataset and generates rules based on the behaviors of those features using J48 and CART algorithms. These rules are then used to build an intrusion detection framework that is tested on the NSL-KDD dataset, achieving an accuracy of 88.23%, outperforming other models that require prior learning of attacks. The proposed model works on the concept of misuse detection and can detect intrusions based on feature behaviors without any previous training.
This document proposes an email worm vaccine architecture that uses behavior-based anomaly detection to intercept incoming emails and scan attachments in virtual machines to detect malicious software. The system includes a virtual machine cluster to open attachments safely, a host-based intrusion detection system to monitor for dangerous behaviors, and an email-aware mail transfer agent to classify messages and communicate with the detection system. The implementation demonstrates detecting malware using parallel virtual machines while maintaining a low false positive rate.
With the development and rapid growth of IT infrastructure, malicious code attacks are considered the main threat to cybersecurity. Malicious JavaScript, intentionally crafted by attackers and embedded in web pages, is an emerging security issue affecting millions of users. In the past few years a number of machine-learning studies of malicious JavaScript detection have been conducted, but they have shown poor detection accuracy and increased performance overhead. In this paper an effective interceptor approach for detecting multivariate and novel malicious JavaScript, based on deep learning, is proposed and evaluated. A hybrid feature set based on static and dynamic analysis was used. The dataset used in this study consists of 32,000 benign web pages and 12,900 malicious pages. The experimental results show that this approach was able to detect 99.01% of new malicious code variants.
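The abstract does not list its features, so the following is an added example of what the static half of such a hybrid feature set typically looks like; it is not the paper's extractor. The suspicious-call list, the two snippets and the linear score are constructed for illustration; in the paper's setting these features, plus dynamic ones from an instrumented browser, would be fed to the trained model rather than to hand-picked weights.

```python
"""Added example (not from the paper): a static feature extractor for
JavaScript of the kind a detection model such as the one above is trained on.
The feature list, the two snippets and the scoring weights are constructed for
illustration; a real pipeline would add dynamic features from an instrumented
browser and feed all of them to the classifier."""
import math
import re
from collections import Counter
from typing import Dict

SUSPICIOUS_CALLS = ["eval", "unescape", "String.fromCharCode", "document.write", "setTimeout", "atob"]
STRING_LITERAL = re.compile(r'"(?:\\.|[^"\\])*"|\'(?:\\.|[^\'\\])*\'')
ESCAPED_BYTE = re.compile(r"\\x[0-9a-fA-F]{2}|%u[0-9a-fA-F]{4}")


def shannon_entropy(text: str) -> float:
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def static_features(js: str) -> Dict[str, float]:
    literals = STRING_LITERAL.findall(js)
    feats: Dict[str, float] = {}
    for name in SUSPICIOUS_CALLS:
        # \b stops "retrieval(" matching "eval("; \s*\( requires an actual call
        feats[f"calls_{name}"] = len(re.findall(r"\b" + re.escape(name) + r"\s*\(", js))
    feats["max_string_len"] = max((len(s) - 2 for s in literals), default=0)
    feats["string_ratio"] = sum(len(s) for s in literals) / max(len(js), 1)
    feats["escaped_bytes"] = len(ESCAPED_BYTE.findall(js))
    feats["entropy"] = shannon_entropy(js)
    return feats


def suspicion_score(feats: Dict[str, float]) -> float:
    """Constructed linear score; in the paper's setting these features would go
    to a trained model instead of hand-picked weights."""
    calls = sum(v for k, v in feats.items() if k.startswith("calls_"))
    return 2.0 * calls + 0.5 * feats["escaped_bytes"] + (3.0 if feats["max_string_len"] > 200 else 0.0)


# Constructed samples: one shellcode-style obfuscated snippet, one ordinary page script.
OBFUSCATED = r'var p="\x68\x65\x6c\x6c\x6f" + unescape("%u9090%u9090"); eval(String.fromCharCode(100,111,99));'
BENIGN = 'function greet(name) { return "Hello, " + name; } document.getElementById("out").textContent = greet("world");'

if __name__ == "__main__":
    for label, src in (("obfuscated", OBFUSCATED), ("benign", BENIGN)):
        f = static_features(src)
        print(label, round(suspicion_score(f), 1), f)
```

Static features like these are cheap but are exactly what packers and string-splitting defeat, which is why the paper pairs them with dynamic features observed at run time.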
International Journal of Computer Science and Information Security,IJCSIS ISSN 1947-5500, Pittsburgh, PA, USA
Malware Detection Module using Machine Learning Algorithms to Assist in Centr...IJNSA Journal
Malicious software is abundant in a world of innumerable computer users, who are constantly faced with these threats from various sources like the internet, local networks and portable drives. Malware ranges from low to high risk and can cause systems to function incorrectly, steal data and even crash. Malware may be executable or system library files in the form of viruses, worms or Trojans, all aimed at breaching the security of the system and compromising user privacy. Typically, anti-virus software is based on a signature definition system which keeps updating from the internet and thus keeps track of known viruses. While this may be sufficient for home users, the security risk from a new virus could threaten an entire enterprise network. This paper proposes a new and more sophisticated antivirus engine that can not only scan files, but also build knowledge and detect files as potential viruses. This is done by extracting the system API calls made by various normal and harmful executables, and using machine learning algorithms to classify and hence rank files on a scale of security risk. While such a system is processor heavy, it is very effective when used centrally to protect an enterprise network which may be more prone to such threats.
CLASSIFICATION PROCEDURES FOR INTRUSION DETECTION BASED ON KDD CUP 99 DATA SETIJNSA Journal
In a network security framework, intrusion detection is a benchmark component and a fundamental way to protect computers from many threats. The major issue in intrusion detection is the huge number of false alerts; this issue has motivated several experts to seek solutions for reducing false alerts using data mining, which is considered an analysis procedure for large data sets such as KDD CUP 99. This paper reviews various data mining classification procedures for handling false alerts in intrusion detection. According to the results of testing many data mining procedures on KDD CUP 99, no single procedure can reveal all attack classes with high accuracy and without false alerts. The best accuracy, 92%, is obtained by the Multilayer Perceptron, whereas the best training time, 4 seconds, is obtained by the rule-based model. It is concluded that various procedures should be combined to handle the several kinds of network attacks.
Data Mining Techniques for Providing Network Security through Intrusion Detec...IJAAS Team
Intrusion Detection Systems play a major role in network security in today's internet world. Many researchers have introduced a number of intrusion detection systems in the past; even so, no system detects all kinds of attacks or achieves better detection accuracy. Most intrusion detection systems use data mining techniques such as clustering, outlier detection, classification, and classification through learning techniques. Most researchers have applied soft computing techniques to make effective decisions over the network dataset in order to enhance the detection accuracy of the Intrusion Detection System. A few researchers have also applied artificial intelligence techniques along with data mining algorithms to make dynamic decisions. This paper discusses a number of intrusion detection systems that have been proposed for providing network security. Finally, a comparative analysis is made between the existing systems, and some new ideas for enhancing their performance are suggested.
AN ISP BASED NOTIFICATION AND DETECTION SYSTEM TO MAXIMIZE EFFICIENCY OF CLIE...IJNSA Journal
End users are increasingly vulnerable to attacks directed at web browsers, which exploit the popularity of today's web services. While organizations deploy several layers of security to protect their systems and data against unauthorised access, surveys reveal that a large fraction of end users do not utilize and/or are not familiar with any security tools. End users' hesitation and unfamiliarity with security products contribute vastly to the number of online DDoS attacks and to malware and spam distribution. This work-in-progress paper proposes a design focused on the notion of increased participation of internet service providers in protecting end users. The proposed design takes advantage of three different detection tools to identify the maliciousness of a website's content and alerts users through the Internet Content Adaptation Protocol (ICAP) by means of an in-browser cross-platform messaging system. The system also incorporates analysis of users' online behaviour to minimize the scanning intervals of the malicious websites database by client honeypots. Findings from our proof-of-concept design and other research indicate that such a design can provide a reliable hybrid detection mechanism while introducing low delay into the user's browsing experience.
Basic survey on malware analysis, tools and techniquesijcsa
The term malware stands for malicious software: a program installed on a system without the knowledge of the system's owner. It is typically installed by a third party with the intention of stealing private data from the system, or simply to play pranks. This threatens the security of computers that people rely on in day-to-day life for necessities such as education, communication, hospitals, banking and entertainment. Traditional techniques such as antivirus scanners (AVS) and firewalls are used to detect and defend against this malware, but today malware writers are one step ahead of malware detectors. Day by day they write new malware, which poses a great challenge for malware detectors. This paper focuses on a basic study of malware and the various detection techniques that can be used to detect it.
Survey on classification techniques for intrusion detectioncsandit
Intrusion detection is the most essential component in network security. Traditional intrusion detection methods are based on extensive knowledge of signatures of known attacks. Signature-based methods require manual encoding of attacks by human experts. Data mining is one of the techniques applied to intrusion detection that provides higher automation capabilities than signature-based methods. Data mining techniques such as classification, clustering and association rules are used in intrusion detection. In this paper, we present an overview of intrusion detection, the KDD Cup 1999 dataset and a detailed analysis of different classification techniques, namely Support Vector Machine, Decision Tree, Naïve Bayes and Neural Networks, used in intrusion detection.
Automatic Insider Threat Detection in E-mail System using N-gram TechniqueIRJET Journal
This document summarizes research on automatic insider threat detection in email systems using n-gram techniques. It discusses how n-grams can be used to classify documents and detect potential data leakage through email. The system would verify emails sent outside the network using SHA, n-grams and thresholds. If a threat is detected, the user would be blocked. The document also provides a literature review on 10 other papers related to insider threat detection using methods like user profiling, activity logs, data mining and visualization techniques. It describes how n-grams work by breaking words into character sequences and creating profiles based on frequency to classify documents.
Malicious codes (malcodes) are self-replicating malware and a major security threat in a network environment. Timely detection and system alert flags are essential to prevent malcodes from spreading rapidly in the network. The difficulty in detecting malcodes is that they evolve over time. Although signature-based tools are generally used to secure systems, signature-based malcode detectors fail to recognise obfuscated and previously unseen malcode executables. Automatic signature generation systems have likewise been used to address the problem of malcodes, yet much work is still required for good detection. Given the behavioural nature of malcodes, a behaviour-based approach is required for such detection. Specifically, we require a dynamic investigation and a behaviour rule-base system that distinguishes malcodes without erroneously blocking legitimate traffic or increasing false alarms. This paper proposes and discusses an approach using machine learning and Indicators of Compromise (IOC) to analyse intrusions in a network, to identify the cause of an attack and to provide future detection. It proposes the use of a behavioural malware analysis framework to analyse intrusion data, apply a clustering algorithm to the analysed data and generate IOCs from the clustered data for IOC rules, which are then implemented in the Snort Intrusion Detection System (IDS) for malicious code detection.
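The last step of that pipeline, clustered intrusion data to IOC rules to Snort, is shown below as an added example; it is not the paper's framework or its clustering algorithm. Five constructed HTTP alert records are grouped by single-linkage Jaccard similarity over their candidate IOCs, the IOCs shared by every member of a cluster are kept, and one Snort rule is emitted per cluster. The event fields, the 0.5 threshold and the SID range are assumptions.

```python
"""Added example (not from the paper): grouping constructed intrusion events
into clusters by single-linkage Jaccard similarity, extracting the IOCs every
member shares, and emitting one Snort rule per cluster. Event fields, the
similarity threshold and the SID range are assumptions."""
from typing import Dict, List, Set

EVENTS: List[Dict] = [   # constructed alerts; addresses are from documentation ranges
    {"dst_ip": "203.0.113.10", "dst_port": 80, "uri": "/gate.php", "ua": "Mozilla/4.0"},
    {"dst_ip": "203.0.113.10", "dst_port": 80, "uri": "/gate.php?id=7", "ua": "Mozilla/4.0"},
    {"dst_ip": "203.0.113.11", "dst_port": 80, "uri": "/gate.php", "ua": "Mozilla/4.0"},
    {"dst_ip": "198.51.100.5", "dst_port": 8443, "uri": "/api/beacon", "ua": "curl/7.1"},
    {"dst_ip": "198.51.100.5", "dst_port": 8443, "uri": "/api/beacon", "ua": "curl/7.2"},
]


def tokens(event: Dict) -> Set[str]:
    """Candidate IOCs of one event; the query string is dropped so /gate.php?id=7
    and /gate.php fall together."""
    return {f"ip:{event['dst_ip']}", f"port:{event['dst_port']}",
            f"path:{event['uri'].split('?')[0]}", f"ua:{event['ua']}"}


def jaccard(a: Set[str], b: Set[str]) -> float:
    return len(a & b) / len(a | b) if a or b else 0.0


def cluster(events: List[Dict], threshold: float = 0.5) -> List[List[int]]:
    """Single-linkage: an event joins a cluster if it is similar to any member."""
    sets = [tokens(e) for e in events]
    assigned = [False] * len(events)
    clusters = []
    for i in range(len(events)):
        if assigned[i]:
            continue
        members, queue = [], [i]
        assigned[i] = True
        while queue:
            a = queue.pop()
            members.append(a)
            for b in range(len(events)):
                if not assigned[b] and jaccard(sets[a], sets[b]) >= threshold:
                    assigned[b] = True
                    queue.append(b)
        clusters.append(sorted(members))
    return clusters


def shared_iocs(events: List[Dict], members: List[int]) -> Set[str]:
    return set.intersection(*(tokens(events[i]) for i in members))


def snort_escape(value: str) -> str:
    """Escape the characters Snort treats specially inside content:"..."."""
    for ch in ("\\", '"', ";", "|"):
        value = value.replace(ch, "\\" + ch)
    return value


def generate_rules(events: List[Dict], threshold: float = 0.5, base_sid: int = 1000001) -> List[str]:
    rules = []
    for n, members in enumerate(cluster(events, threshold)):
        iocs = {t.split(":", 1)[0]: t.split(":", 1)[1] for t in shared_iocs(events, members)}
        dst_ip = iocs.get("ip", "$EXTERNAL_NET")   # no shared IP: match on content alone
        dst_port = iocs.get("port", "any")
        options = [f'msg:"IOC cluster {n + 1} C2 beacon ({len(members)} events)"',
                   "flow:to_server,established"]
        if "path" in iocs:
            options.append(f'content:"{snort_escape(iocs["path"])}"; http_uri')
        if "ua" in iocs:
            options.append(f'content:"{snort_escape(iocs["ua"])}"; http_header')
        options += [f"sid:{base_sid + n}", "rev:1"]
        rules.append(f"alert tcp $HOME_NET any -> {dst_ip} {dst_port} ({'; '.join(options)};)")
    return rules


if __name__ == "__main__":
    print("\n".join(generate_rules(EVENTS)))
```

The first cluster shares a path and User-Agent but not an IP, so its rule matches on HTTP content against $EXTERNAL_NET; the second shares the host and port, so the rule is pinned to them. A generic User-Agent such as Mozilla/4.0 is a weak IOC on its own, which is why the rule combines it with the URI. Before deploying, check that the sensor's HTTP inspector is configured for non-standard ports like 8443, or the http_uri buffer will never be populated for that cluster.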
An Intrusion Detection based on Data mining technique and its intended import...Editor IJMTER
Intrusion detection is a pivotal and essential requirement of today's era. There are two major sides of intrusion detection, namely host-based and network-based intrusion detection. A host-based intrusion detection system monitors the information arriving at a particular machine or node, while a network-based intrusion detection system monitors and analyses the whole traffic of the network. Data mining introduces the latest technology and methods to handle and categorise types of attacks using different classification algorithms and matching patterns of malicious behaviour. Using this data mining technology, developers extract and analyse the types of attack in the network.
In addition, there are two major approaches to intrusion detection. In the anomaly-based approach attacks are found with a high false alarm rate, whereas in the signature-based approach the false alarm rate is low but novel attacks are not handled. Most researchers base their work on signature-based intrusion detection with the aim of increasing the detection rate. The major advantages of such a system are that the IDS does not require biased assessment, is able to identify a massive pattern of attacks, and has the capacity to handle large numbers of network connection records. In this paper we try to discover the features of intrusion detection based on data mining techniques.
This document proposes a deep learning approach for detecting Android malware using autoencoders. It extracts five different feature sets from Android apps, including permissions, intent filters, API calls, additional APK files, and certificate information. These features are used to train an autoencoder model to classify apps as either benign or malicious. The methodology involves decompiling apps, extracting features, constructing the feature sets, training the autoencoder in a semi-supervised manner on labeled and unlabeled data, and testing the trained model. Experimental results show the proposed approach can identify malware with high accuracy.
The document discusses a proposed intrusion detection framework for mobile database systems. It introduces a unique profiling method using carefully selected database objects and data concerning the location of database requests. Experiments implementing the system achieved promising detection rates with low false alarm rates. The document reviews existing literature on intrusion detection systems, location-aware IDS, and IDS at the database level. It identifies gaps in current approaches, including high false positive/negative rates. The proposed framework aims to provide a more robust detection method for insider threats in mobile environments.
A STATIC MALWARE DETECTION SYSTEM USING DATA MINING METHODSijaia
This document presents a static malware detection system using data mining techniques. The system extracts raw features from Windows Portable Executable (PE) files including PE header information, DLLs, and API functions. It then selects important features using Information Gain and reduces dimensions using Principal Component Analysis. Three classifiers (SVM, J48, Naive Bayes) are trained on the transformed feature vectors to classify files as malicious or benign. When evaluated on a dataset of over 247,000 files, the system achieved a detection rate of 99.6%.
Network Intrusion Detection And Countermeasure Selection In Virtual Network (...ClaraZara1
Network forensics is a scientifically proven technique to accumulate, perceive, identify, examine, associate, analyse and document digital evidence from multiple systems, for the purpose of uncovering the facts of attacks and other problem incidents as well as performing the actions needed to recover from the attack. Many systems have been proposed for designing network forensic systems. In this paper we present a comparative analysis of various models based on different techniques.
Intrusion Detection System (IDS): Anomaly Detection using Outlier Detection A...Drjabez
This document describes a proposed approach for anomaly detection in intrusion detection systems using outlier detection. It begins with background on intrusion detection systems and issues with existing approaches. It then presents the proposed two-stage approach using outlier detection: 1) Training with large normal datasets in a distributed storage environment, and 2) Testing intrusion datasets to compute an error value compared to the trained model. If the error value exceeds a threshold, the test data is flagged as anomalous. Experimental results on network packet datasets demonstrate the approach can effectively identify anomalies.
MACHINE LEARNING APPLICATIONS IN MALWARE CLASSIFICATION: A METAANALYSIS LITER...IJCI JOURNAL
With a text mining and bibliometrics approach, this study reviews the literature on the evolution of malware classification using machine learning. This work takes literature from 2008 to 2022 on the subject of using machine learning for malware classification to understand the impact of this technology on malware classification. Throughout this study, we seek to answer three main research questions: RQ1: Is the application of machine learning for malware classification growing? RQ2: What is the most common machine-learning application for malware classification? RQ3: What are the outcomes of the most common machine learning applications? The analysis of 2186 articles resulting from a data collection process from peer-reviewed databases shows the trajectory of the application of this technology to malware classification as well as trends in both the machine learning and malware classification fields of study. This study performs quantitative and qualitative analysis using statistical and N-gram analysis techniques and a formal literature review to answer the proposed research questions. The research reveals methods such as support vector machines and random forests to be standard machine learning methods for malware classification in efforts to detect maliciousness or categorize malware by family. Machine learning is a highly researched technology with many applications, from malware classification and beyond.
Invesitigation of Malware and Forensic Tools on Internet IJECEIAES
Malware is an application that is harmful to forensic information. Basically, malware analysis is the process of analysing the behaviour of malicious code and then creating signatures to detect and defend against it. Malware such as Trojan horses, worms and spyware severely threatens forensic security. This research observed that although malware and its variants may vary a lot in their content signatures, they share some higher-level behaviour features, which are more precise in revealing the real intent of the malware. This paper investigates the various techniques of malware behaviour extraction and analysis. In addition, we discuss the implications of malware analysis tools for malware detection based on various techniques.
Ransomware Attack Detection based on Pertinent System Calls Using Machine Lea...IJCNCJournal
In the last few years, the evolution of information technology has resulted in the development of several interesting and sensitive fields such as the dark Web and cyber-criminality, especially ransomware attacks. This paper aims to bring out only the critical features, so that observing them (or not) in software behaviour is sufficient to decide whether it is ransomware. Therefore, we propose a new solution for ransomware detection based on machine learning algorithms and system calls. First, we introduce our dataset of collected system calls of both ransomware and benignware. Then, we apply deep preprocessing steps to reduce data dimensionality efficiently. After that, we introduce a new technique to select pertinent features. Next, we bring out the critical system calls, their importance and their contribution to distinguishing the dataset elements. Finally, we present our model, which achieves an overall accuracy of 99.81% after K-fold cross-validation.
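Three abstracts on this page (the API-call antivirus engine, the static PE detector with Information Gain, and this system-call ransomware detector) share the same core step: score each call feature by how well it separates the classes, keep the top ones, and train a classifier on them. The block below is an added example of that step, not code from any of the three papers: Information Gain over binary API-presence features, then a Bernoulli naive Bayes classifier on the selected features. The eight samples and the API names are constructed, not a real dataset, and the paper's own feature-selection technique is not reproduced here.

```python
"""Added example (not from any of the papers): Information Gain feature
selection over binary API-presence features, then a Bernoulli naive Bayes
classifier on the selected features. The eight samples below are constructed,
not a real dataset; the API names are only illustrative feature labels."""
import math
from collections import Counter
from typing import Dict, List, Sequence, Tuple

Sample = Tuple[List[int], str]

API_NAMES = ["CreateRemoteThread", "WriteProcessMemory", "CryptEncrypt",
             "GetTickCount", "MessageBoxW", "RegSetValueExW"]

SAMPLES: List[Sample] = [      # constructed: 1 = API imported/called, 0 = absent
    ([1, 1, 0, 1, 0, 1], "malicious"),
    ([1, 1, 1, 0, 0, 1], "malicious"),
    ([0, 1, 1, 1, 0, 0], "malicious"),
    ([1, 0, 1, 1, 0, 1], "malicious"),
    ([0, 0, 0, 1, 1, 0], "benign"),
    ([0, 0, 1, 0, 1, 0], "benign"),
    ([0, 0, 0, 1, 1, 1], "benign"),
    ([0, 0, 0, 0, 0, 0], "benign"),
]


def entropy(labels: Sequence[str]) -> float:
    n = len(labels)
    return -sum(c / n * math.log2(c / n) for c in Counter(labels).values())


def information_gain(samples: Sequence[Sample], feature: int) -> float:
    """H(label) - H(label | feature) for one binary feature."""
    gain = entropy([y for _, y in samples])
    for value in (0, 1):
        subset = [y for x, y in samples if x[feature] == value]
        if subset:
            gain -= len(subset) / len(samples) * entropy(subset)
    return gain


def rank_features(samples: Sequence[Sample]) -> List[Tuple[int, float]]:
    """Features ordered by decreasing gain (stable sort, so ties keep index order)."""
    n_features = len(samples[0][0])
    gains = [(i, information_gain(samples, i)) for i in range(n_features)]
    return sorted(gains, key=lambda g: g[1], reverse=True)


def select_features(samples: Sequence[Sample], k: int) -> List[int]:
    return [i for i, _ in rank_features(samples)[:k]]


class BernoulliNB:
    """Naive Bayes over binary features with Laplace smoothing, so an API never
    seen in one class during training does not zero out that class."""

    def fit(self, samples: Sequence[Sample], features: Sequence[int]) -> "BernoulliNB":
        self.features = list(features)
        self.prior: Dict[str, float] = {}
        self.cond: Dict[str, Dict[int, float]] = {}
        for label in sorted({y for _, y in samples}):
            rows = [x for x, y in samples if y == label]
            self.prior[label] = len(rows) / len(samples)
            self.cond[label] = {i: (sum(r[i] for r in rows) + 1) / (len(rows) + 2)
                                for i in self.features}
        return self

    def predict(self, x: Sequence[int]) -> str:
        scores = {}
        for label, prior in self.prior.items():
            score = math.log(prior)
            for i in self.features:
                p = self.cond[label][i]
                score += math.log(p if x[i] else 1.0 - p)
            scores[label] = score
        return max(scores, key=scores.get)


def train_detector(samples: Sequence[Sample], k: int = 3) -> BernoulliNB:
    return BernoulliNB().fit(samples, select_features(samples, k))


if __name__ == "__main__":
    for i, g in rank_features(SAMPLES):
        print(f"{API_NAMES[i]:20s} IG={g:.3f}")
    model = train_detector(SAMPLES)
    print(model.predict([1, 1, 0, 0, 0, 1]), model.predict([0, 0, 0, 1, 1, 0]))
```

On this toy data GetTickCount carries almost no information (it appears in both classes), while CreateRemoteThread, WriteProcessMemory and the benign-leaning MessageBoxW tie for the top gain. Two caveats a practitioner would add: feature selection must be computed on the training fold only, or the cross-validated accuracy figures are optimistic; and a classifier built on imports or call presence is trivially evaded by dynamic API resolution, which is one reason the ransomware paper collects calls at run time rather than from the import table.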
International Journal of Network Security & Its Applications (IJNSA), Vol.6, No.1, January 2014
DOI: 10.5121/ijnsa.2014.6101
Optimised Malware Detection in Digital Forensics
Saeed Almarri and Dr Paul Sant
Institute for Research in Applicable Computing, University of Bedfordshire, Luton,
United Kingdom
Associate Dean, University Campus Milton Keynes, Milton Keynes, United Kingdom
Abstract
On the Internet, malware is one of the most serious threats to system security. Most complex issues and
problems on any systems are caused by malware and spam. Networks and systems can be accessed and
compromised by malware known as botnets, which compromise other systems through a coordinated
attack. Such malware uses anti-forensic techniques to avoid detection and investigation. To prevent systems
from the malicious activity of this malware, a new framework is required that aims to develop an optimised
technique for malware detection. Hence, this paper demonstrates new approaches to perform malware
analysis in forensic investigations and discusses how such a framework may be developed.
Keywords
Denial of service (DOS), Wireshark, Netstat, TCPView, The Sleuth Kit (TSK), Autopsy, Digital Forensics,
Malware analysis, Framework
1. Introduction
Over the last decade, there have been noteworthy improvements in techniques to detect malware
activities [1]. Loading and distributing executable files over the Internet always presents a risk to
the overall security of the system [2]. Malware programmes can be installed by attaching hidden
malicious code in an innocuous file or application. The code can then be activated by a remote
programmer with the aim of threatening the existing system. According to a study by Islam et al.
on the risk of downloading [3], of more than 450,000 files downloaded, approximately 18%
contained malware programs. They also investigated whether different code investigation
techniques yielded the same results. Astonishingly, they found that there were many cases where
forensic investigatory tools were unable to detect the malware content of the infected files.
A significant amount of effort has been expended on developing techniques to perform robust
computer forensic investigations [6]. Such effort has focused on collecting, analysing and
preserving evidence of malware activities; for example, a study on botnets [4] and a study of
executable spyware and client-side honeypots [5] also illustrated defensive mechanisms for
securing a system on both the client and the server side. Other reports mentioned in [3][6]
have also focused on acquiring large and diverse samples of malware to enable researchers and
forensic experts to understand their nature and rationale. Some existing tools, such as ERA
remover, conficker, etc., can execute hidden and anonymous files and monitor their behaviour.
These tools provide protection from all threats related to the malware functioning in the system.
According to reports by Kasama et al (2012), a single piece of malware can compromise and
infect the entire network system. Thus, protecting systems from unwanted malicious code can be
considered as one of the most critical concerns in information security [6].
Various protocols and services have been implemented to simulate the behaviour of an end user
in a compromised system, which assists researchers to analyse and relate malware behaviour in
order to develop a better detection tool. However, different encryption techniques and complex
programmes make it difficult to detect the activity of malware [1][3]. Commercially, various
tools exist, but they are not being used to detect malware in an optimal way. Hence, malware
remains a serious threat to the domain of information technology and associated services [7].
1.1 Problem Statement
Malware is an intended program that performs malicious activity. It can be easily installed in any
computer with a malicious intent. In a most apt scenario [2], malware attacks by organised crime
syndicates largely target financial institutes and the banking industry, where they attack on their
online software services that deal with the system of monetary assets ownership. Cybercriminals
also enable malware attacks on customers and businesses dealing with financial institutions [2].
Bradford & Yegneswaran (2007) reported an increase in malware activity through the use of
sophisticated tools and methods, which makes its detection complicated [8]. A study by the SANS
Institute (2012) also illustrated the challenges of digital investigation of malware. According to
the report, gathering and analysing large chunks of data, obfuscated malware or malicious code is
usually time consuming and costly, and requires different techniques. The situation becomes even
more complex when the same data are present over a large network or various computational
systems. This makes it challenging for an investigator to gather evidence of illegal distribution
with pre-existing forensic tools, pre-defined malware detection systems and a limited duration at
a workstation [9].
In cases where numerous systems or parties are involved in the same crime, the analysis of
independent digital data during the investigation can result in the loss of indispensable correlated
evidence. The loss occurs due to the incapability of digital forensics to craft correlations between
multiple malware cases. It is exceptionally difficult to detect malware and to obtain accurate data
due to numerous obfuscation techniques used by the programmers [10].
As mentioned in [10], this problem can be addressed by focusing on the various digital forensics
techniques currently used to extract, gather and analyse malware-infected systems. A new
correlational technique is needed that focuses on typical features of malware activity, is capable
of accumulating sufficient forensic evidence against the perpetrator, and formulates that evidence
for presentation in court. The goal of our research is to optimise the research paradigm for
malware analysis and to improve the investigatory experience by employing an active approach to
detect malware programmes. The next section of the report explains the existing techniques for
malware detection. With this in mind, we focus on developing a robust framework for malware
analysis and detection.
2. Malware Detection and Digital Forensics
Digital forensics and malware detection exhibit many similarities. Both involve techniques for
deep and extensive data mining. Comparisons between the two can be exploited to collect
evidence on any incident related to malware activities. Thus a similarity-based technique is
required to make the process of detection much quicker and easier for an investigator to get
results [11]. In contrast to digital forensics, studies on malware detection aim only to find
pathways and traces of malware activity and not the operation of the malware in a live system.
The first step should consider the technical principles of digital forensics, as it can formulate
elements to construct the research base of the investigation. Furthermore, it helps in robust
explorations of the traces of different types of malware present in the system [11].
2.1. The digital forensics process
The digital forensics process, which was introduced in 2001–2002 at the SANS Institute, includes
specific categories that begin with the identification phase and end with the final decision stage
[12]. The different categories in digital forensics are illustrated in Figure 1.
Figure 1. Various categories in a digital forensics process
2.2. File system analysis
The file system refers to the organisation of various records contained in a system’s database
model. An analysis of the file system is a common process in digital forensics, as it provides
valuable hidden information about system accessibility [13]. At the stage of data collection, the
file system analysis extracts distinctive layers of data from the hard disk for later examination.
Figure 2 illustrates the layers of abstraction by Farmer and Venema [13]. It shows three layers: (a)
the user and the application view, (b) the file system view and (c) the hardware view. The data
obtained from these layers can be combined to discover unseen, obfuscated malicious files. The
process is advantageous for malware analysis in a case where data is kept hidden or encrypted
behind the data files.
Figure 2. Various distinctive layers of abstraction [13]
2.3. Characteristics of malware
In both digital forensics and malware detection, it is vital to acquire sufficient data and definitions
to make the detection system more efficient and the malware easier to recognise. Based on
knowledge obtained from analyses of various malware domains, it is possible to recognise
different patterns of malware, thus allowing an investigator to build a profile of the case.
Different techniques and methods for malware detection proposed in [14][15] can be used to
develop a new framework for a robust system. These techniques include methods such as time
stamping, entropy analysis (File type, hashing, etc.) and obtaining traces from keywords and
identifiers.
• Time stamping: This method includes an analysis of the duration between the attack and the
initial phase of the investigation of the malware infection.
• Entropy analysis: The most commonly infected files are executable files. In some cases, the
infection of these files is very difficult to detect. The infection may be hidden in the indexes,
recycle bins or system folders. An example of this is Windows/system32.
• Keywords and identifiers: The simplest way of identifying malware code is via keywords,
called ‘identifiers’. These identifiers can be used to obtain data from IP addresses, email
addresses and other sources to get the required information mentioned in a communication
pattern. For example, ‘key logger’ can be a string used to find hints regarding any malware
attack on the system.
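The three techniques listed above (time stamping, entropy analysis with hashing and a file-type check, and keyword/identifier traces) as a small triage script. This is an added example written for this summary, not the paper's tool; the sample bytes, the magic-byte table, the keyword list and the 7.0 bits-per-byte threshold are constructed assumptions.

```python
"""Triage helpers for the three techniques of section 2.3. Added illustration,
not the paper's code; every constant below is a constructed assumption."""
import hashlib
import math
import re
from collections import Counter
from datetime import datetime

# Magic bytes for a simple file-type check (assumed subset, not exhaustive).
MAGIC = {
    b"MZ": "PE executable",
    b"\x7fELF": "ELF executable",
    b"%PDF": "PDF document",
}

IP_RE = re.compile(rb"\b(?:\d{1,3}\.){3}\d{1,3}\b")
EMAIL_RE = re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# Keyword identifiers an investigator searches for, following the paper's
# 'key logger' example (constructed list).
KEYWORDS = [b"key logger", b"keylogger", b"botnet"]


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty or constant data, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def file_type(data: bytes) -> str:
    for magic, name in MAGIC.items():
        if data.startswith(magic):
            return name
    return "unknown"


def identifiers(data: bytes) -> dict:
    """Keyword and identifier traces: IPs, e-mail addresses and known strings."""
    return {
        "ips": sorted({m.decode() for m in IP_RE.findall(data)}),
        "emails": sorted({m.decode() for m in EMAIL_RE.findall(data)}),
        "keywords": sorted({k.decode() for k in KEYWORDS if k in data.lower()}),
    }


def investigation_delay_hours(attack_iso: str, investigation_start_iso: str) -> float:
    """Time stamping: hours between the attack and the start of the investigation."""
    attack = datetime.fromisoformat(attack_iso)
    start = datetime.fromisoformat(investigation_start_iso)
    return (start - attack).total_seconds() / 3600


def triage(data: bytes, chunk_size: int = 256, high_entropy: float = 7.0) -> dict:
    """Hash, type, whole-file entropy, the chunks above the entropy threshold
    (candidate packed or encrypted regions) and the extracted identifiers."""
    chunks = [data[i:i + chunk_size] for i in range(0, len(data), chunk_size)]
    hot = [i for i, c in enumerate(chunks) if shannon_entropy(c) >= high_entropy]
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "type": file_type(data),
        "entropy": round(shannon_entropy(data), 3),
        "high_entropy_chunks": hot,
        "identifiers": identifiers(data),
    }


# Constructed sample: a PE-style header, plain strings an investigator would
# search for, then a byte block that mimics a packed/encrypted section.
SAMPLE = (
    b"MZ\x90\x00" + b"This program cannot be run in DOS mode.\r\n"
    + b"beacon=203.0.113.7 mail=ops@example.test KEY LOGGER build 3\x00"
).ljust(256, b"\x00") + bytes(range(256)) * 2

if __name__ == "__main__":
    print(triage(SAMPLE))
    print(investigation_delay_hours("2014-01-01T08:00:00", "2014-01-03T08:00:00"))
```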
3. Approaches to Malware Detection and Analysis
In digital forensics, any investigation includes two types of functions: ‘D’, for malware detector,
and ‘P’, for the programme to be investigated. The maximum range for the D function relies on
the range of programme P, which is defined as SET {malicious, genial} [16].
The function of detector D is to scan the programme P to check whether P is malicious or
genial. D detects the malware on the basis of the machine code, which stores the particulars, or
the ‘signature’, of the malware. The investigation may yield one of three outcomes: false positive,
false negative or the hit ratio [16].
• False positive: A false positive is when a scanner detects malware in a non-infected file. This
means that the characteristics of a particular malicious code are not unique and hence the
code appears in a non-infected file.
• False negative: This occurs when a detector fails to expose a particular malicious code in an
infected domain. This usually happens when a scanner lacks a signature sample of a
particular malware and hence fails to detect the infection.
• Hit ratio: The hit ratio occurs when the detector detects the malware accurately. This is
possible only when the signature of a particular malicious code matches that of a stored
sample in the detector’s database.
Digital forensics distinguishes two types of malware detection methods: signature-based detection
methods and anomaly-based methods.
3.1. Signature-based detection and analysis
Signatures are combinations of bytes, which are a constituent part of malware, or a malicious
code. Malware is categorised into three forms: basic, metamorphic and polymorphic.
Polymorphic is the most common. As this type of malware hides its identity and source of
generation, it becomes very hard for investigators to collect evidence against the plotter [16]. In
basic malware, the source, or the ‘initial point’, of the programme is reformed, and complete
control of the system is transmitted to the malicious payload. In polymorphic malware, the codes
are mutated, while the original data in the system remain intact. This type of malware virus is
replicated via a model-based engine, and thus the virus mutates every time the programme is
executed in the same system. Metamorphic malware is based on reprogramming, which
modulates the characteristics of the parent programme. This produces a new signature for each
child variant that is created at a later stage [16].
Problems
• Extracting and dispensing the signature is very complex.
• Signature-based detection and analysis requires the investigator to perform penetrating
research and analysis, which is only possible manually and in a controlled environment.
• Bypassing a signature during the investigation is a very common problem. Hence, new
signatures should be updated every time before conducting the analysis.
• The ever-growing repositories of malware signatures are becoming very difficult to manage.
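An added example (not the paper's code) for the detector D / programme P model of section 3 and the signature problems listed above: a byte-signature scanner over a constructed corpus that counts the three outcomes, with a toy XOR re-encoding standing in for a polymorphic engine, so that a mutated variant of the same payload becomes a false negative while a benign file quoting the same bytes becomes a false positive. All signature values, sample names and sample bytes are constructed.

```python
"""Signature-based detector D over programmes P, the outcomes of section 3 and
the polymorphism problem of section 3.1. Added illustration; every signature and
sample here is constructed, not a real malware indicator."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Sample:
    name: str
    data: bytes
    malicious: bool  # ground truth known to the investigator (constructed)


# Signature database: name -> byte sequence that is a constituent part of the
# malicious code (constructed values).
SIGNATURES = {
    "dropper.basic": b"\x55\x8b\xec\x83\xec\x40EVILPAYLOAD",
    "stealer.v1": b"GET /gate.php?id=",
}


def detect(program: bytes, signatures=SIGNATURES) -> list:
    """Detector D: names of every stored signature found in programme P."""
    return [name for name, sig in signatures.items() if sig in program]


def xor_mutate(payload: bytes, key: int) -> bytes:
    """Toy stand-in for a polymorphic engine: the same payload re-encoded with a
    different key on each run, so its bytes, and therefore its signature, change."""
    return bytes(b ^ key for b in payload)


def classify(sample: Sample, signatures=SIGNATURES) -> str:
    """Map D's verdict against ground truth onto the paper's three outcomes."""
    flagged = bool(detect(sample.data, signatures))
    if flagged and sample.malicious:
        return "hit"
    if flagged and not sample.malicious:
        return "false positive"  # signature bytes were not unique to the malware
    if not flagged and sample.malicious:
        return "false negative"  # no stored signature matched this variant
    return "true negative"


def evaluate(samples, signatures=SIGNATURES) -> dict:
    """Count outcomes over a labelled corpus and derive hit ratio and FP rate."""
    counts = {"hit": 0, "false positive": 0, "false negative": 0, "true negative": 0}
    for s in samples:
        counts[classify(s, signatures)] += 1
    malicious = counts["hit"] + counts["false negative"]
    benign = counts["false positive"] + counts["true negative"]
    counts["hit_ratio"] = counts["hit"] / malicious if malicious else 0.0
    counts["false_positive_rate"] = counts["false positive"] / benign if benign else 0.0
    return counts


# Constructed corpus.
PAYLOAD = SIGNATURES["dropper.basic"]
CORPUS = [
    Sample("basic_dropper.exe", b"MZ" + PAYLOAD + b"\x00" * 8, True),
    # Polymorphic variant: same payload, mutated bytes, not in the signature DB.
    Sample("poly_dropper.exe", b"MZ" + xor_mutate(PAYLOAD, 0x5A), True),
    Sample("stealer.exe", b"MZ" + b"GET /gate.php?id=1234", True),
    # Benign IDS rule file that quotes the stealer's request string verbatim.
    Sample("ids_rules.txt", b'alert content:"GET /gate.php?id="', False),
    Sample("notepad.exe", b"MZ" + b"\x00" * 16, False),
]

if __name__ == "__main__":
    for s in CORPUS:
        print(f"{s.name:20} {classify(s)}")
    print(evaluate(CORPUS))
```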
3.2. Specification-based detection and analysis [17]
This type of detection system depends on the particular specification of the implementation and
the deployment of a particular application or system file. The process works by learning all
phases of the application development and assuming that any abnormality carries malicious code.
The process uses the concept of reverse engineering, which focuses on reaching the source of the
programme. Sometimes it takes multiple runs to debug the source coding.
Problems
The main problem with this technique is its accuracy. The whole process depends on pre-defined
rules to follow, which makes it hard to conduct practical analysis. Moreover, rules for the process
need to be updated on a regular basis, as it is difficult for an investigator to learn any of it.
4. Requirements for the New Framework
Based on the above conditions faced by investigators, a new framework is required to optimise
the results. This should be integrated into a system to detect and analyse malware efficiently and
effectively. To ensure that analysis is comprehensive, it should perform both as a detector and a
warning system. To understand the precision and the nature of the requirement, extensive
market research is required in the field to gather information for analysis.
4.1 Market Research
To find the precise problem statement for the research, qualitative and quantitative approaches
were implemented using a questionnaire-based methodology. During the research, a questionnaire
was distributed through email to respective respondents. The questionnaire used a framework
based on a scale of items to assess data gathered from the respondents. A pilot study was
conducted to validate the questionnaire, in which 30 completed questionnaires were
collected. Around 43% of the respondents were professionals from IT security, 33% were
forensics experts, 17% were network administrators and 7% belonged to other IT fields. Below
are some of the sample questions:
1. How often do you receive case studies related to malware for investigation?
<5% 5% to 20% 20% to 50% 50 to 80% 80% Above
2. How many of the above cases were solved with accurate results?
<5% 5% to 20% 20% to 50% 50 to 80% 80 Above
3. What is your opinion on the level of skills and technological tools adopted in your
company to carry out the investigation process on malware?
Weak Average Strong
4. Do you think there is a need for a new customised tool for malware detection
and analysis?
Yes No Can’t say
4.2 Discussion on the Result
The results from the observations reflect the vulnerabilities in the existing tools and
methodologies for malware detection. Although most of the experts were aware of the
criticality and complexity of malware detection, still no specific solution for accurate detection
was obtained. Some of the analysis results are presented in the following tables.
Table 1. Important factors from the analysis
Factors Yes No Can’t say
Changes in Malware Landscape 52% 13% 35%
Organizational vulnerabilities 47% 20% 33%
Expertise on Malware 67% 27% 6%
Detection of malware by non-technical employees 17% 53% 30%
Table 2. Level of Skills in Investigation.
Weak Average Strong
13% 60% 25%
Table 3. Level of accuracy during investigation.
<5%  5% to 20%  20% to 50%  50 to 80%  80 above
7%   20%        43%         27%        3%
Table 4. Choice of tools.
Open Source  Shareware  Commercial  Can’t say
7%           0%         43%         7%
Table 5. Need of new tool.
Yes No Can’t say
90% 3% 7%
Table 6. Preferable Methods.
Dynamic Static Other
57% 33% 10%
4.3. Result on Analysis
Beyond the figures in the tables above, several factors emerged from the survey that give a
clear view of the problem statement. The analysis is as follows:
• The core problem faced by investigators was determining the extent of the malware
infection in a file.
• Investigators required other parameters, such as malware signature and behaviour used in
combination, for optimised detection.
• Most infections were both critical and complex, so a preliminary method is needed to reduce
that complexity before detailed analysis.
• Although tools exist that can detect malware and other malicious code, most of them
produce inaccurate or incomplete results.
• The cost of a tool played an important role in its adoption.
• Most investigators wanted to use tools based on both dynamic and static methodology.
• Investigators usually needed little time to detect the presence of malware, but much more
time to investigate it forensically.
• Managing and updating the malware database is a task that should be given priority.
5. Proposed Framework
The framework is designed for developing an optimised malware detection and analysis
tool, based on the analysis and the results of the survey reported in Section 4. The
research is divided into three distinct phases. The framework defines the various policies,
categorises the organisational assets and creates a new environment for the process. It is
designed for developing an optimised malware detection system that can confirm a malware
infection under any standard deployment. It can also assist in developing a robust, refined
metrics model that works with a three-stage analysis covering all operational activities
within the system. It is an unbiased model that starts by confirming the malware infection
and then analyses, detects and profiles it. The objective of the framework is to understand
the detection costs associated with malware discovery and analysis in a given environment,
in order to provide accurate and precise information that can be used to improve the
performance metrics. The entire process is divided into three phases:
Phase 1: Malware Acquisition Function
Phase 2: Detection and Analysis
Phase 3: Database Operational Function
Figure 3 below shows the relationship between the phases of the process. Each phase is
explained with the process of implementation in mind.
Figure 3. Three-phase process for malware detection and analysis
Phase 1: Malware acquisition function
Phase 1 starts by confirming the occurrence of malicious code in the data. It deals with
operations concerning the confirmation that the data is infected by malware. It also
includes components that can detect both active and passive infections in the associated
system. This phase includes the following components:
• Notification: Acquisition can begin in a variety of ways, including a notification alert sent
from a third party (such as a CMS, a cash management system, or an online payment processor)
or an alert from an endpoint security suite. It acts as the point at which to determine
whether or not the issues occurring in the system are real [21].
• Quarantine: The main objective of this component is to collect the damaged file from the
system and then store it separately from the rest of the associated files. This prevents any
duplication/replication of malicious code from being transferred into another non-infected
file [21].
• Triage process: This process identifies the critical nature of the issue caused by the
malware infection. It contains all the analysis processes needed to categorise the problem by
level of seriousness (high or low) [22].
• Infection confirmation: Up to this point in the process, enough information has been
obtained to know whether or not the selected data is infected. Now the detection tool
makes a decision and the next appropriate action is determined [22].
Depending on the information found during Phase 1, the following actions can occur:
• If the selected data is not infected, the entire process can be stopped and operation
returns to normal.
• If a malware infection is detected, we can decide whether to analyse the selected infection
or go directly to the database operation (Phase 3).
• If we decide to analyse the data, it must be analysed properly in order to obtain more
information about the infection [23].
• If we identify the infection and profile the malware, we must check whether the selected
infection matches an entry in the database; if it does not, the new information is added to
update the existing malware profiles [23].
Phase 2: Detection and analysis
Based on the results from the previous phase, it can now be confirmed that the files are
infected by malware. The question then arises of how to obtain information about the
activity the malware was trying to perform on the system, for instance whether the attack was
an attempt to steal a password or an attack on the confidentiality of the data. If it is
difficult for an organisation to determine the exact level of threat, a complete investigation
is required in order to fully analyse the infected file.
Detection and analysis takes as its input the output of the first phase (malware acquisition).
After confirming the presence of a malware infection, the malicious code can be investigated
and its characteristics analysed [25]. Defining the characteristics helps in profiling, which
contributes to developing and updating the malware database (Phase 3). The vital testing
sub-functions are:
Build a control environment
Before doing any analysis, it is important to build a controlled environment in which a
thorough investigation can be performed. This is mainly a one-time set-up, but as the
requirements change it must be maintained on an ongoing basis to achieve the target goals
[24]. The following pre-defined guidelines are required:
• Isolate the infected file: Keep the infected file away from live data. It should be held on
a separate, isolated network, which prevents the infection from replicating.
• Provide a separate network: During the investigation, analysis traffic must go through a
separate Internet connection (a separate ISP link), never the production network.
• Testing tools: Tools used in a previous testing environment must be restored to a
known-clean state before they are used again, so that artefacts of an earlier sample are not
mistaken for those of the current one.
• Keep a log file: Logging should be treated as a priority in the investigation, as the logs
carry important information about malware activity: they record each step the malicious code
took to infect the data file.
• Sandbox: It is always preferable to perform testing in a separate sandbox, as this makes it
easy to conduct a targeted investigation of the memory image that may contain the malicious
infection.
Static Analysis
This function conducts the core analysis of the suspected file without executing it. All
results identified by this function can be added to the database through the malware
profiling function. Malware also leaves evidence behind; thus a thorough examination of the
executable files can help identify future threats to the system. Activities can be monitored
inside the system in a variety of ways, including network accessibility and operations on the
file system and internal storage. To optimise the static analysis process, the following
guidelines need to be followed (mentioned in [25]):
• Initial analysis: This covers the obvious symptoms of attack in order to identify the
nature of the infected file. First, the fingerprint of the file is matched against the
existing malware profiles in the database. This is usually done with an MD5 hash. Two caveats
apply: MD5 collisions are cheap to produce, so a SHA-256 digest should be recorded alongside
it; and any change to the sample (repacking, a single patched byte) yields a different hash,
so a miss in the database means "unknown", not "clean".
• Classifying the format of the file: Every Windows executable follows the PE format, whose
headers and resources may yield specific information about the attacker and the intention of
the attack. Analysis of information such as version information, menus and imported
functions can reveal a lot of evidence [25].
• Analysing text strings: It is always important to scan the isolated text strings present in
the infected file. Searching them for various keywords (URLs, file paths, registry keys, API
names) can produce the associated evidence.
• Disassembly: The last step of static analysis is to disassemble the code. This helps
determine the patterns that can assist in identifying the attacker [25].
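The initial-analysis and format-classification steps above, together with the database lookup of Phase 1 and the profile store of Phase 3, can be exercised with the following Python script. It is an added example written for this page, not code from the paper or its authors; the SQLite profile table, the minimal PE image it builds and the family label "unclassified" are assumptions made for the illustration.

```python
"""Static triage of a suspect executable: hash it, parse the PE/COFF
header and look the hash up in (or add it to) a malware profile database.
Added example; the profile database schema and the sample PE are
constructed here, not taken from the paper."""
import hashlib
import sqlite3
import struct
from datetime import datetime, timezone

# IMAGE_FILE_HEADER.Machine values (PE specification)
MACHINE = {0x14C: "i386", 0x8664: "x86-64", 0x1C0: "ARM", 0xAA64: "ARM64"}


def fingerprint(data: bytes) -> dict:
    """MD5 is computed only to match legacy profiles; SHA-256 is the key
    that should be stored, since MD5 collisions are cheap to produce."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest(),
            "size": len(data)}


def parse_pe_header(data: bytes) -> dict:
    """Read the COFF file header every Windows executable carries.
    Raises ValueError if the bytes are not a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("no MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    machine, nsections, stamp, _, _, opt_size, chars = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    return {"machine": MACHINE.get(machine, hex(machine)),
            "sections": nsections,
            "compiled": datetime.fromtimestamp(stamp, timezone.utc).isoformat(),
            "is_dll": bool(chars & 0x2000),      # IMAGE_FILE_DLL
            "optional_header_size": opt_size}


def open_profile_db(path=":memory:") -> sqlite3.Connection:
    """Phase 3 store (assumed schema): one row per known sample, keyed by SHA-256."""
    db = sqlite3.connect(path)
    db.execute("CREATE TABLE IF NOT EXISTS profile (sha256 TEXT PRIMARY KEY, "
               "md5 TEXT, family TEXT, severity TEXT, first_seen TEXT, notes TEXT)")
    return db


def triage(data: bytes, db: sqlite3.Connection, family_if_new="unclassified") -> dict:
    """Phase 1 decision: a known hash returns its stored profile; an unknown
    sample gets its header parsed and a new profile row for later analysis.
    A miss means 'unknown', never 'clean'."""
    fp = fingerprint(data)
    row = db.execute("SELECT family, severity FROM profile WHERE sha256=? OR md5=?",
                     (fp["sha256"], fp["md5"])).fetchone()
    if row:
        return {"known": True, "family": row[0], "severity": row[1], **fp}
    try:
        header = parse_pe_header(data)
    except ValueError as exc:
        header = {"error": str(exc)}
    db.execute("INSERT INTO profile VALUES (?, ?, ?, ?, ?, ?)",
               (fp["sha256"], fp["md5"], family_if_new, "unknown",
                datetime.now(timezone.utc).isoformat(), str(header)))
    db.commit()
    return {"known": False, "family": family_if_new, "header": header, **fp}


def build_sample_pe(stamp=0x5E0BE100, machine=0x14C, nsections=3) -> bytes:
    """Constructed minimal PE image: DOS header, PE signature, COFF header and a
    zero-filled optional header. Enough for the parser, not a runnable binary."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                       # e_lfanew
    coff = struct.pack("<HHIIIHH", machine, nsections, stamp, 0, 0, 0xE0, 0x0102)
    return bytes(dos) + b"PE\0\0" + coff + b"\0" * 0xE0


if __name__ == "__main__":
    db = open_profile_db()
    sample = build_sample_pe()
    print(triage(sample, db))   # first sight: known=False, header parsed and stored
    print(triage(sample, db))   # same bytes again: known=True
```

The second call returns the stored profile because the digest matches; repacking the same sample would produce new digests and fall through to the header parse, which is why the lookup is a first filter and not a verdict.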
Dynamic analysis
As mentioned above, static analysis is the initial way to investigate malware in an infected
file. The goal remains to create a robust malware profile that can help prevent future
attacks by the same malware. Although a malware infection can be detected at an early stage,
static analysis alone may not reveal the unauthorised modifications that compromised the
system after the attack, particularly when the code is packed or encrypted. So dynamic
analysis, running the sample in the controlled environment and observing it, is also applied.
Dynamic analysis typically gathers information on the following (mentioned in [23]):
• Memory: Malware can alter buffer contents and tamper with the memory of critical
programs. A deep analysis of volatile memory can therefore show how and why the malware
accessed internal memory.
• Investigating the registry: This involves looking for the modifications made to registry
keys. Comparing the victimised machine's registry with its pre-infection state shows exactly
what changed, which helps the investigator spot persistence and configuration changes.
• Investigating processes and running services: This shows all the processes that the
malware intentionally started or stopped. Analysing the processes reveals the initial
processes that suggest the origin of the infected file in the system.
• Looking for virtual machines: Keeping an eye on the attached virtual machine (VM) helps the
investigator keep the research going. Malware can go dormant once it detects a VM, so the
investigator needs to check whether the sample probes for a VM on the hardware or for a VM
running inside the system, and to hide those artefacts where possible.
Dynamic analysis can be further differentiated into three types:
• Network analysis
• Device scanning
• File content analysis
While static analysis examines the features of the executable file itself, including metadata
such as its size and format and the libraries it imports, dynamic analysis records what the
file actually does when executed. Both sets of data can be used to detect malware in the
infected file.
Phase 3: Database operational function
Database management is required to ensure that samples of the malware and information about
it are available. This information is used to update the profile of a particular malware,
which in turn supports the analysis and detection mechanism. Any failure in the malware
notifications of Phase 1 can be fed back to the database operation in order to monitor
reinfection of the system by the same malware [26].
Malware profiling includes the following:
• Adding the aggregated information.
• Packaging the profile so that it is reliable for screening and scanning.
• Categorising the profiles so that other investigators can access the information
conveniently.
• Revisiting the malware profile periodically in order to prevent reinfection (keeping the
profile up to date is another important function to consider).
6. Implementation of the Approach
Following the approach described in Section 5, an experimental operation and evaluation
can be undertaken to develop an optimised technique, based on pre-defined correlational
methodologies, for robust malware detection. The following steps can be undertaken during
the experiment:
6.1 File content analysis
A file is an important part of the system, as it carries data processed by the user and so
records the activity on the system before it was compromised. Analysing file content can
therefore provide a major clue about the source and the characteristics of the malware.
One major problem faced by previous detection techniques is their inability to recognise
obscured malware (e.g. malicious code that is fully encrypted or packed), because a signature
matches neither the encrypted body nor the code it hides. In such cases, analysing the file
content is preferable to the approaches mentioned previously. File content analysis can be
done either by calculating the entropy of the file or by analysing its string structure [15].
The entropy calculation examines files that are compressed or encrypted, and hence have been
transformed into a different format [15]: such data is close to uniformly random, so its
entropy approaches 8 bits per byte, whereas ordinary code and text sit well below that. In
the proposed scenario, the entropy of any file type can be calculated with the ent tool, which
reports the entropy of a file in bits per byte; tabulating the readings for a known-good copy
of a file next to the suspect copy shows where the two diverge. String analysis involves
searching for particular keywords. It can be undertaken with TSK (The Sleuth Kit): icat
extracts a file's content by inode so that it can be searched for strings, and the Autopsy
Forensic Browser, which acts as the GUI for TSK, provides the keyword search [18].
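The entropy and string methods can be demonstrated with the following Python script, an added example rather than code from the paper or from the ent and TSK tools it cites. It computes the same Shannon entropy figure that ent reports, adds a windowed variant that localises a packed or encrypted region inside a file, and does a strings-style extraction with keyword matching; the two sample files, the 512-byte window and the 7.0 bits/byte threshold are constructed assumptions.

```python
"""File content analysis: Shannon entropy of the whole file and of fixed
windows (packed or encrypted regions stand out), plus printable-string
extraction with keyword matching. Added example; both sample files are
constructed in build_samples(), not real malware."""
import hashlib
import math
import re
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant file, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def windowed_entropy(data: bytes, window=512, threshold=7.0):
    """Yield (offset, entropy) for each window at or above the threshold.
    Plain code and text sit around 4-6.5 bits; compressed or encrypted
    payloads approach 8, so a high window inside a low file is worth a look."""
    for off in range(0, len(data), window):
        e = shannon_entropy(data[off:off + window])
        if e >= threshold:
            yield off, round(e, 3)


def extract_strings(data: bytes, min_len=6):
    """ASCII runs of at least min_len printable characters (what 'strings' does)."""
    return [m.group().decode("ascii")
            for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def keyword_hits(strings, keywords):
    """Case-insensitive keyword search over extracted strings, the same idea
    as typing keywords into the Autopsy keyword search."""
    hits = {}
    for s in strings:
        for k in keywords:
            if k.lower() in s.lower():
                hits.setdefault(k, []).append(s)
    return hits


def analyse(data: bytes, keywords, window=512, threshold=7.0) -> dict:
    return {"size": len(data),
            "entropy": round(shannon_entropy(data), 3),
            "high_entropy_windows": list(windowed_entropy(data, window, threshold)),
            "keyword_hits": keyword_hits(extract_strings(data), keywords)}


def _keystream(n: int, seed: bytes = b"constructed") -> bytes:
    """Deterministic high-entropy filler (SHA-256 chain) standing in for an
    encrypted payload, so the example behaves the same on every run."""
    out, blk = bytearray(), seed
    while len(out) < n:
        blk = hashlib.sha256(blk).digest()
        out += blk
    return bytes(out[:n])


def build_samples():
    """Constructed inputs: a plain text file and a suspect file whose 512-byte
    header is readable but whose tail is 2048 bytes of high-entropy data."""
    plain = (b"Quarterly report. Contact admin@corp.example with questions. "
             b"Nothing unusual here.\n") * 8
    header = (b"MZ stub ... CreateRemoteThread GetProcAddress "
              b"cmd.exe /c http://198.51.100.7/u.php\0\0").ljust(512, b"\0")
    return plain, header + _keystream(2048)


if __name__ == "__main__":
    plain, suspect = build_samples()
    print(analyse(plain, ["http://", "cmd.exe"]))
    print(analyse(suspect, ["http://", "cmd.exe", "GetProcAddress"]))
```

On the constructed suspect file the whole-file entropy is only moderately elevated because the readable header dilutes it; the windowed view is what pinpoints the payload starting at offset 512, which is the reason to report both figures.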
6.2 Network analysis
A large amount of malware is distributed over the network to create redundancy and to ensure
effective propagation. An optimised network should be able to detect malware and other
malicious code; Trojans are the most commonly distributed malware. In this study, the netstat
command and network packet analysis are discussed as follows:
• Netstat command
This examines the state of the TCP/IP endpoints on the host. Recording the connections before
and after the malware is deployed on the system, and comparing the two listings, isolates the
endpoints the malware opened. TCPView (for listing TCP and UDP endpoints) and Port Explorer
(for exploring and analysing network sockets) can generate the logs and records, which are
then matched against the original listening PIDs to identify the process through which the
malware is communicating [19].
• Network packet analysis
This technique investigates the traffic flowing on the network channels. Malicious code that
exhibits unusual activity enables evidence to be collected on the server side [20]. For the
analysis, Wireshark is deployed on a virtual machine to capture the traffic of the suspected
host. The main advantage of using a packet sniffer is the visibility it gives into DNS packets
and into the connections established between the machine and the external addresses it
contacts [20].
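Both network techniques can be shown in one Python script, an added example that is not from the paper: a before/after diff of netstat -ano output grouped by PID (the same comparison the text describes with TCPView and Port Explorer), and a decoder for the question section of a DNS message of the kind a packet capture hands over. The netstat listings, the PID 5168, the addresses (taken from documentation ranges) and the DNS packet are all constructed.

```python
"""Network analysis: (1) diff a 'netstat -ano' baseline taken before the
sample ran against a snapshot taken afterwards, grouping the new endpoints
by owning PID; (2) decode the question section of a raw DNS message as a
packet capture would hand it over. Added example; the netstat listings and
the DNS packet are constructed, and the PIDs/addresses are made up."""
import struct
from collections import namedtuple

Endpoint = namedtuple("Endpoint", "proto local remote state pid")


def parse_netstat(text: str) -> set:
    """Parse Windows 'netstat -ano' rows; UDP rows carry no state column."""
    rows = set()
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue                            # banner and column headers
        if parts[0] == "TCP":
            proto, local, remote, state, pid = parts[:5]
        else:
            proto, local, remote, pid = parts[:4]
            state = ""
        rows.add(Endpoint(proto, local, remote, state, int(pid)))
    return rows


def diff_snapshots(baseline: str, after: str) -> dict:
    """Endpoints present only after the sample ran, keyed by PID; the PID is
    what the investigator then matches against the process list."""
    by_pid = {}
    for ep in sorted(parse_netstat(after) - parse_netstat(baseline)):
        by_pid.setdefault(ep.pid, []).append(ep)
    return by_pid


def read_name(pkt: bytes, off: int):
    """Decode a DNS name at pkt[off], following RFC 1035 compression pointers.
    Returns (name, offset just past the name in the question)."""
    labels, end = [], None
    for _ in range(128):                        # bound: stops pointer loops
        length = pkt[off]
        if length & 0xC0 == 0xC0:               # 2-byte compression pointer
            if end is None:
                end = off + 2
            off = struct.unpack_from(">H", pkt, off)[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(pkt[off:off + length].decode("ascii"))
        off += length
    else:
        raise ValueError("malformed name: too long or pointer loop")
    return ".".join(labels), (off if end is None else end)


def dns_questions(payload: bytes) -> list:
    """[(qname, qtype)] from the question section of a DNS message (UDP payload)."""
    _ident, _flags, qdcount = struct.unpack_from(">HHH", payload, 0)
    off, out = 12, []
    for _ in range(qdcount):
        name, off = read_name(payload, off)
        qtype, _qclass = struct.unpack_from(">HH", payload, off)
        out.append((name, qtype))
        off += 4
    return out


# Constructed 'netstat -ano' output: before the sample ran, and after.
BASELINE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    192.0.2.10:49712       203.0.113.5:443        ESTABLISHED     2412
  UDP    0.0.0.0:5355           *:*                                    1320
"""
AFTER = BASELINE + """\
  TCP    0.0.0.0:4444           0.0.0.0:0              LISTENING       5168
  TCP    192.0.2.10:49801       198.51.100.7:80        ESTABLISHED     5168
  UDP    0.0.0.0:62233          *:*                                    5168
"""

# Constructed DNS query: two questions, the second name compressed with a
# pointer (0xC013) back to "example" at offset 19.
DNS_QUERY = (b"\x12\x34\x01\x00\x00\x02\x00\x00\x00\x00\x00\x00"   # id, flags, qd=2
             b"\x06beacon\x07example\x00\x00\x01\x00\x01"             # beacon.example A IN
             b"\x02c2\xc0\x13\x00\x10\x00\x01")                      # c2.example TXT IN

if __name__ == "__main__":
    for pid, eps in diff_snapshots(BASELINE, AFTER).items():
        print(pid, [f"{e.proto} {e.local} -> {e.remote} {e.state}".strip() for e in eps])
    print(dns_questions(DNS_QUERY))
```

The diff attributes every new endpoint to PID 5168, a listener on 4444 plus an outbound HTTP connection; the baseline must be captured on the same host before the sample is executed, otherwise ordinary services show up as "new". The name decoder follows compression pointers but bounds the walk so a crafted packet with a pointer loop cannot hang the analysis.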
The proposed approach provides a robust framework for detecting malware. Its characteristics
are:
• It avoids letting unanalysed data accumulate, so investigators can detect malware flexibly
without wasting much time.
• It focuses on distributed networks, whereas most other methodologies avoid dealing with
network data.
• With this approach, it is feasible to track the source of the malware, which can further
reduce the chance of other malware attacks.
7. Conclusion
This paper discussed a new framework and approach for malware detection. Open source tools
can be used in the extraction, investigation and analysis of the data. The report focuses on
malware detection techniques used in digital forensics and data mining. The techniques
described in Sections 5 and 6 can be used to perform experiments, and hence results pertinent
to live systems can be generated. The overall outcome of the study is multi-fold, where the
intention is to discuss various efficient and optimised techniques for use in malware
detection. By recognising the faults in the existing systems, the new framework can overcome
their limitations and thus assist an investigator in obtaining evidence of malware and an
optimised result.
References
[1] Carrera, E. & Erdelyi, G. (2004). 'Digital genome mapping: Advanced binary malware analysis', Virus
Bulletin Conference, pp. 175-186.
[2] BITS (2011). 'Malware Risks and Mitigation Report', BITS/The Financial Services Roundtable.
Retrieved from http://www.nist.gov/itl/upload/BITS-Malware-Report-Jun2011.pdf
[3] Islam, N., Anand, R., Jaeger, T. & Rao, J.R. (1997). 'A flexible security system for using Internet
content', IEEE Software, Vol. 14, No. 5, pp. 52-59. Retrieved from
http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=605931&isnumber=13290
[4] Jehyun, L., Jonghun, K., Hyo, S. & Heejo, L. (2010). 'Tracking multiple C&C botnets by analysing
DNS traffic', 6th IEEE Workshop on Secure Network Protocols (NPSec), pp. 67-72.
[5] Hayatle, O., Otrok, H. & Youssef, A. (2012). 'A game theoretic investigation for high interaction
honeypots', IEEE International Conference on Communications (ICC 2012), pp. 6662-6667. Retrieved from
http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6364760&isnumber=6363631
[6] Kasama, T., Yoshioka, K., Inoue, D. & Matsumoto, T. (2012). 'Malware detection method by
catching their random behaviour in multiple executions', IEEE/IPSJ 12th International Symposium on
Applications and the Internet (SAINT), pp. 262-266. Retrieved from
http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6305295&isnumber=6305234
[7] Mehdi, S.B., Tanwani, A.K. & Farooq, M. (2009). 'IMAD: In-execution malware analysis and detection',
Proceedings of the 11th Annual Conference on Genetic and Evolutionary Computation (GECCO), pp. 1553-1560.
[8] Barford, P. & Yegneswaran, V. (2007). 'An inside look at botnets', in Malware Detection, Advances in
Information Security, Vol. 27, Springer.
[9] Zahn, K. (2012). 'Case Study: 2012 DC3 Digital Forensic Challenge Basic Malware Analysis Exercise',
SANS Institute Reading Room. Retrieved from
https://www.sans.org/reading-room/whitepapers/malicious/case-study-2012-dc3-digital-forensic-challenge-basic-malware-analysis-exercise-34330
[10] Lim, Y., Ryu, H., Choi, K., Park, C., Park, W. & Kook, K. (2012). 'A study on malware detection system
model based on correlation analysis using live response techniques', International Conference on
Information Science and Applications (ICISA 2012), pp. 1-6.
[11] Park, J., Kim, M., Noh, B. & Joshi, J. (2006). 'A similarity based technique for detecting malicious
executable files for computer forensics', IEEE International Conference on Information Reuse and
Integration (IRI 2006), pp. 188-193.
[12] Ryder, K. (2002). 'Computer forensics - We've had an incident, who do we get to investigate?', SANS
Institute, GSEC Certification Assignment Version 1.3.
[13] Farmer, D. & Venema, W. (2004). Forensic Discovery. Addison-Wesley Professional, USA.
[14] Casey, E. (2002). 'Error, uncertainty, and loss in digital evidence', International Journal of Digital
Evidence, Vol. 1, No. 2. Retrieved from
https://utica.edu/academic/institutes/ecii/publications/articles/A0472DF7-ADC9-7FDE-C80B5E5B306A85C4.pdf
[15] Davis, T. (2009). 'Utilizing Entropy to Identify Undetected Malware', white paper, Guidance
Software. Retrieved from
http://image.lifeservant.com/siteuploadfiles/VSYM/99B5C5E7-8B46-4D14-A53EB8FD1CEEB2BC/43C34073-C29A-8FCE-4B653DBE35B934F7.pdf
[16] Neelakantan, S. & Rao, M. (2008). 'Threat-aware signature based intrusion-detection approach for
obtaining network-specific useful alarms', Third International Conference on Internet Monitoring and
Protection (ICIMP 2008), pp. 80-85. Retrieved from
http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=4561330&isnumber=4561311
[17] Vinod, P. & Laxmi, V. 'Survey on malware detection methods', Department of Computer Engineering,
Malaviya National Institute of Technology. Retrieved from
http://www.security.iitk.ac.in/contents/events/workshops/iitkhack09/papers/vinod.pdf
[18] Dowling, A. (2006). 'The Sleuth Kit v2.01 and Autopsy Forensic Browser Demonstration', white paper
on the TSK manual. Retrieved from
http://www.sjones.co.nz/downloads/Files/Forensics/TSK_v201_Demonstration.pdf
[19] Vigna, G. & Kemmerer, R.A. (1998). 'NetSTAT: A network-based intrusion detection approach', 14th
Annual Computer Security Applications Conference (ACSAC), pp. 25-34.
[20] Broadway, J., Turnbull, B. & Slay, J. (2008). 'Improving the analysis of lawfully intercepted network
packet data captured for forensic analysis', Third International Conference on Availability, Reliability
and Security (ARES 2008), pp. 1361-1368.
[21] Park, S. (2012). 'Malware expert: Execution tracking', Third Cybercrime and Trustworthy Computing
Workshop (CTC 2012), pp. 48-55.
[22] Blount, J.J., Tauritz, D.R. & Mulder, S.A. (2011). 'Adaptive rule-based malware detection employing
learning classifier systems: A proof of concept', IEEE 35th Annual Computer Software and Applications
Conference Workshops (COMPSACW), pp. 110-115.
[23] Adeel, M. & Tokarchuk, L.N. (2011). 'Analysis of mobile P2P malware detection framework through
Cabir & Commwarrior families', IEEE Third International Conference on Privacy, Security, Risk and Trust
(PASSAT) and IEEE Third International Conference on Social Computing (SocialCom), pp. 1335-1343.
[24] Chen, L., Liu, B., Hu, H. & Zheng, Q. (2012). 'A layered malware detection model using VMM', IEEE
11th International Conference on Trust, Security and Privacy in Computing and Communications (TrustCom),
pp. 1259-1264.
[25] Cavallaro, L., Saxena, P. & Sekar, R. (2008). 'On the limits of information flow techniques for
malware analysis and containment', Detection of Intrusions and Malware, and Vulnerability Assessment
(DIMVA 2008). Retrieved from http://www.comp.nus.edu.sg/~prateeks/papers/saxena-dimva08.pdf
[26] Moser, A., Kruegel, C. & Kirda, E. (2007). 'Limits of static analysis for malware detection', 23rd
Annual Computer Security Applications Conference (ACSAC 2007), pp. 421-430.
Authors
Saeed Almarri received his B.Sc. in Information Systems from Ajman University of Science & Technology,
College of Information Technology, in 2008. He obtained his Master's degree in Business Information
Systems from the University of Bedfordshire, UK, in 2011. Currently, he is a PhD student at the
University of Bedfordshire with a thesis entitled "Malware Detection and Analysis".
Dr. Paul Sant completed his PhD at King's College London in 2003 with a thesis entitled
"Algorithmics of edge-colouring pairs of 3-regular trees" and, prior to this, a BSc in Computer Science
from the University of Liverpool (1999). Paul is an active member of the British Computer Society and a
Chartered Information Technology Professional (CITP), as well as a Fellow of the Higher Education
Academy. In January 2013 Paul was appointed to a seconded position as Associate Dean working on a
University Campus project. He still maintains strong links with the Department and is still research
active, being a local PI on the EU-funded ECENTRE project.