Malware Analysis, Part 1
SoS Newsletter- Advanced Book Block
Malware detection, analysis, and classification are perennial issues in cybersecurity. The research presented here advances malware analysis in some unique and interesting ways. The works cited were published or presented in 2014. Because of the volume of work, the bibliography will be broken into multiple parts.
Alam, S.; Horspool, R.N.; Traore, I., "MARD: A Framework for Metamorphic Malware Analysis and Real-Time Detection," Advanced Information Networking and Applications (AINA), 2014 IEEE 28th International Conference on, pp. 480-489, 13-16 May 2014. doi: 10.1109/AINA.2014.59
Because of the financial and other gains attached to the growing malware industry, there is a need to automate the process of malware analysis and provide real-time malware detection. To hide malware, obfuscation techniques are used. One such technique is metamorphism encoding, which mutates the dynamic binary code and changes the opcode with every run to avoid detection. This makes malware difficult to detect in real time and generally requires a behavioral signature for detection. In this paper we present a new framework called MARD for Metamorphic Malware Analysis and Real-Time Detection, to protect the end points, which are often the last defense, against metamorphic malware. MARD provides: (1) automation, (2) platform independence, (3) optimizations for real-time performance and (4) modularity. We also present a comparison of MARD with other such recent efforts. Experimental evaluation of MARD achieves a detection rate of 99.6% and a false positive rate of 4%.
Keywords: binary codes; digital signatures; encoding; invasive software; real-time systems; MARD; behavioral signature; dynamic binary code; malware analysis process automation; malware industry; metamorphic malware analysis and real-time detection; metamorphism encoding; obfuscation techniques; opcode; Malware; Optimization; Pattern matching; Postal services; Real-time systems; Runtime; Software; Automation; Control Flow Analysis; End Point Security; Malware Analysis and Detection; Metamorphism (ID#: 15-4638)
URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6838703&isnumber=6838626
Miles, C.; Lakhotia, A.; LeDoux, C.; Newsom, A.; Notani, V., "VirusBattle: State-of-the-art malware analysis for better cyber threat intelligence," Resilient Control Systems (ISRCS), 2014 7th International Symposium on, pp. 1-6, 19-21 Aug. 2014. doi: 10.1109/ISRCS.2014.6900103
Discovered interrelationships among instances of malware can be used to infer connections among seemingly unconnected objects, including actors, machines, and the malware itself. However, such malware interrelationships are currently underutilized in the cyber threat intelligence arena. To fill that gap, we are developing VirusBattle, a system employing state-of-the-art malware analyses to automatically discover interrelationships among instances of malware. VirusBattle analyses mine malware interrelationships over many types of malware artifacts, including the binary, code, code semantics, dynamic behaviors, malware metadata, distribution sites and e-mails. The result is a malware interrelationships graph which can be explored automatically or interactively to infer previously unknown connections.
Keywords: computer viruses; data mining; graph theory; VirusBattle; binary; code semantics; cyber threat intelligence; distribution sites; dynamic behaviors; e-mails; malware analysis; malware artifacts; malware interrelationship mining; malware interrelationships graph; malware metadata; Computers; Data visualization; Electronic mail; Malware; Performance analysis; Semantics; Visualization (ID#: 15-4639)
URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6900103&isnumber=6900080
Allix, K.; Jerome, Q.; Bissyande, T.F.; Klein, J.; State, R.; Le Traon, Y., "A Forensic Analysis of Android Malware -- How is Malware Written and How it Could Be Detected?," Computer Software and Applications Conference (COMPSAC), 2014 IEEE 38th Annual, pp. 384-393, 21-25 July 2014. doi: 10.1109/COMPSAC.2014.61
We consider in this paper the analysis of a large set of malware and benign applications from the Android ecosystem. Although a large body of research work has dealt with Android malware over the last years, none has addressed it from a forensic point of view. After collecting over 500,000 applications from user markets and research repositories, we perform an analysis that yields precious insights on the writing process of Android malware. This study also explores some strange artifacts in the datasets, and the divergent capabilities of state-of-the-art antivirus to recognize/define malware. We further highlight some major weak usage and misunderstanding of Android security by the criminal community and show some patterns in their operational flow. Finally, using insights from this analysis, we build a naive malware detection scheme that could complement existing antivirus software.
Keywords: Android (operating system); digital forensics; invasive software; Android ecosystem; Android malware; Android security; antivirus software; criminal community; forensic analysis; malware detection; operational flow patterns; writing process; Androids; Bioinformatics; Genomics; Google; Humanoid robots; Malware; Software; Android Security; Digital Forensics; Malware Analysis; Malware development (ID#: 15-4640)
URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6899240&isnumber=6899181
Kruczkowski, M.; Szynkiewicz, E.N., "Support Vector Machine for Malware Analysis and Classification," Web Intelligence (WI) and Intelligent Agent Technologies (IAT), 2014 IEEE/WIC/ACM International Joint Conferences on, vol. 2, pp. 415-420, 11-14 Aug. 2014. doi: 10.1109/WI-IAT.2014.127
Malware is widely used to disrupt computer operation, gain access to users' computer systems or gather sensitive information. Nowadays, malware is a serious threat to the Internet. Extensive analysis of data on the Web can significantly improve the results of malware detection. However, malware analysis has to be supported by methods capable of event correlation and cross-layer correlation detection, heterogeneous data classification, etc. Recently, a class of learning methods building on kernels has emerged as a powerful technique for combining diverse types of data. The Support Vector Machine (SVM) is a widely used kernel-based method for binary classification. SVM is theoretically well founded and has already been applied to many practical problems. In this paper, we evaluate the results of the application of SVM to threat data analysis to increase the efficiency of malware detection. Our results suggest that SVM is a robust and efficient method that can be successfully used for heterogeneous web dataset classification.
Keywords: Internet; data analysis; invasive software; pattern classification; support vector machines; Internet threat; SVM; Web data analysis; binary classification; computer operation; cross-layer correlation detection; heterogeneous Web dataset classification; heterogeneous data classification; kernel-based method; learning methods; malware analysis; malware classification; malware detection; support vector machine; threat data analysis; user computer system access; Computer networks; Correlation; Kernel; Malware; Support vector machines; Training; Vectors; Support Vector Machine; machine learning; malware classification (ID#: 15-4641)
URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6927654&isnumber=6927590
Vasilescu, M.; Gheorghe, L.; Tapus, N., "Practical Malware Analysis Based On Sandboxing," RoEduNet Conference 13th Edition: Networking in Education and Research Joint Event RENAM 8th Conference, 2014, pp. 1-6, 11-13 Sept. 2014. doi: 10.1109/RoEduNet-RENAM.2014.6955304
The past years have shown an increase in both the number and sophistication of cyber-attacks targeting Windows and Linux operating systems. Traditional network security solutions such as firewalls are incapable of detecting and stopping these attacks. In this paper, we describe our distributed firewall solution Distfw and its integration with a sandbox for malware analysis and detection. We demonstrate the effectiveness and shortcomings of such a solution. We use Cuckoo to perform automated analysis of malware samples and compare the results with the ones from manual analysis. We discover that Cuckoo provides similar results in a considerable amount of time.
Keywords: Linux; invasive software; Cuckoo; Distfw solution; Linux operating system; Windows operating system; cyber-attacks; distributed firewall solution; malware analysis; malware detection; network security solutions; sandboxing; Firewalls (computing); IP networks; Malware; Manuals; Operating systems; Servers; malware; malware analysis; network security; sandbox (ID#: 15-4642)
URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6955304&isnumber=6955289
Pandey, S.K.; Mehtre, B.M., "A Lifecycle Based Approach for Malware Analysis," Communication Systems and Network Technologies (CSNT), 2014 Fourth International Conference on, pp. 767-771, 7-9 April 2014. doi: 10.1109/CSNT.2014.161
Most of the detection approaches, like signature based, anomaly based and specification based, are not able to analyze and detect all types of malware. The signature-based approach for malware detection has one major drawback: it cannot detect zero-day attacks. The fundamental limitation of the anomaly-based approach is its high false alarm rate. And specification-based detection often has difficulty specifying completely and accurately the entire set of valid behaviors a malware should exhibit. Modern malware developers try to avoid detection by using several techniques such as polymorphic, metamorphic and also some hiding techniques. In order to overcome these issues, we propose a new approach for malware analysis and detection that consists of the following twelve stages: Inbound Scan, Inbound Attack, Spontaneous Attack, Client-Side Exploit, Egg Download, Device Infection, Local Reconnaissance, Network Surveillance, & Communications, Peer Coordination, Attack Preparation, and Malicious Outbound Propagation. All these stages integrate together as an interrelated process in our proposed approach. This approach solves the limitations of all three approaches by monitoring the behavioral activity of malware at each and every stage of the life cycle, and finally it gives a report of the maliciousness of the files or software.
Keywords: invasive software; anomaly based approach; attack preparation; client-side exploit; device infection; egg download; hiding techniques; inbound attack; inbound scan; lifecycle based approach; local reconnaissance; malicious outbound propagation; malware analysis; network surveillance; peer coordination; signature-based approach; specification-based detection; spontaneous attack; Computers; Educational institutions; Malware; Monitoring; Reconnaissance; Malware; Metamorphic; Polymorphic; Reconnaissance; Signature based; Zero day attack (ID#: 15-4643)
URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6821503&isnumber=6821334
Suarez-Tangil, G.; Tapiador, J.E.; Peris-Lopez, P.; Ribagorda, A., "Evolution, Detection and Analysis of Malware for Smart Devices," Communications Surveys & Tutorials, IEEE, vol. 16, no. 2, pp. 961-987, Second Quarter 2014. doi: 10.1109/SURV.2013.101613.00077
Smart devices equipped with powerful sensing, computing and networking capabilities have proliferated lately, ranging from popular smartphones and tablets to Internet appliances, smart TVs, and others that will soon appear (e.g., watches, glasses, and clothes). One key feature of such devices is their ability to incorporate third-party apps from a variety of markets. This poses strong security and privacy issues to users and infrastructure operators, particularly through software of malicious (or dubious) nature that can easily get access to the services provided by the device and collect sensory data and personal information. Malware in current smart devices (mostly smartphones and tablets) has rocketed in the last few years, in some cases supported by sophisticated techniques purposely designed to overcome security architectures currently in use by such devices. Even though important advances have been made on malware detection in traditional personal computers during the last decades, adopting and adapting those techniques to smart devices is a challenging problem. For example, power consumption is one major constraint that makes it unaffordable to run traditional detection engines on the device, while externalized (i.e., cloud-based) techniques raise many privacy concerns. This article examines the problem of malware in smart devices and recent progress made in detection techniques. We first present a detailed analysis on how malware has evolved over the last years for the most popular platforms. We identify exhibited behaviors, pursued goals, infection and distribution strategies, etc. and provide numerous examples through case studies of the most relevant specimens. We next survey, classify and discuss efforts made on detecting both malware and other suspicious software (grayware), concentrating on the 20 most relevant techniques proposed between 2010 and 2013. Based on the conclusions extracted from this study, we finally provide constructive discussion on open research problems and areas where we believe that more work is needed.
Keywords: data privacy; invasive software; notebook computers; smart phones; telecommunication security; Internet appliances; cloud-based technique; computing capabilities; distribution strategies; exhibited behavior identification; externalized techniques; infection identification; malicious software; malware analysis; malware detection; malware evolution; networking capabilities; personal computers; privacy issues; pursued goal identification; security architectures; security issues; sensing capabilities; smart TV; smart devices; smartphones; tablets; third-party apps; Androids; Humanoid robots; Malware; Privacy; Smart phones; Software; grayware; malware; privacy; security; smart devices; smartphones (ID#: 15-4644)
URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6657497&isnumber=6811383
Park, Wonjoo; Lee, Kyong-Ha; Cho, Kee-Seong; Ryu, Won, "Analyzing and Detecting Method Of Android Malware Via Disassembling And Visualization," Information and Communication Technology Convergence (ICTC), 2014 International Conference on, pp. 817-818, 22-24 Oct. 2014. doi: 10.1109/ICTC.2014.6983300
In light of their rapid growth, there is a pressing need to develop analysis and decision solutions whether or not. However, most protections are limited in understanding of these mobile malware and sophisticated analysis. In this paper, we propose a method of analyzing and deciding malware on the basis of similarity with existing malware families on the popular platform, Android. We focus on checking visual similarity among Android malware and deciding the degree of similarity with other malware families to help distribute them to inspectors appropriately.
Keywords: Accuracy; Androids; Humanoid robots; Malware; Mobile communication; Smart phones; Visualization; Android malware; Smartphone security; malware analysis (ID#: 15-4645)
URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6983300&isnumber=6983064
Mendez-Garcia, V.; Jimenez-Ramirez, P.; Melendez-Ramirez, M.A.; Torres-Martinez, F.M.; Llamas-Contreras, R.; Gonzalez, H., "Comparative analysis of banking malware," Central America and Panama Convention (CONCAPAN XXXIV), 2014 IEEE, pp. 1-5, 12-14 Nov. 2014. doi: 10.1109/CONCAPAN.2014.7000412
The research focused on the analysis of banking malware such as Zeus, Citadel, Carberp, SpyEye and Soraya, which infected personal computers between 2006 and 2014. This work described each malware briefly, compared major features and ranked the malware by impact. An experiment was performed running the samples and then analyzing the network traffic for each infected machine.
Keywords: Banking; Encyclopedias; IP networks; Internet; Malware; Silicon compounds; Software; banking malware; malware analysis (ID#: 15-4646)
URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=7000412&isnumber=7000388
Raphael, R.; Vinod, P.; Omman, B., "X-ANOVA and X-Utest Features For Android Malware Analysis," Advances in Computing, Communications and Informatics (ICACCI), 2014 International Conference on, pp. 1643-1649, 24-27 Sept. 2014. doi: 10.1109/ICACCI.2014.6968608
In this paper we propose a static analysis framework to classify Android malware. Three different features, namely (a) opcode, (b) method and (c) permissions, are extracted from each Android .apk file. The dominant attributes are aggregated by modifying two different ranked feature methods: ANOVA to Extended ANOVA (X-ANOVA) and the Mann-Whitney U-test to Extended U-Test (X-U-Test). These two statistical feature ranking methods retrieve the significant features by removing the irrelevant attributes based on their score. Accuracy of the proposed system is computed by using three different classifiers (J48, AdaBoost and Random forest) as well as a voted classification technique. The X-U-Test exhibits better accuracy results compared with X-ANOVA. The highest accuracy, 89.36%, is obtained with opcode while applying X-U-Test, and X-ANOVA shows a high accuracy of 87.81% in the case of method as a feature. The permission-based model acquired the highest accuracy in the independent (90.47%) and voted (90.63%) classification models.
Keywords: Android (operating system); invasive software; learning (artificial intelligence); program diagnostics; program testing; statistical analysis; AdaBoost; Android malware analysis; Mann-Whitney U-test; X-ANOVA; X-U-Test; X-Utest features; extended U-Test; opcode; random forest; static analysis; Accuracy; Analysis of variance; Equations; Malware; Mathematical model; Smart phones; Training; ANOVA; Android Malware; Classifiers; Feature Ranking; Mobile Malware; U-Test; Mann-Whitney Test (ID#: 15-4647)
URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6968608&isnumber=6968191
Aswini, A.M.; Vinod, P., "Droid Permission Miner: Mining Prominent Permissions For Android Malware Analysis," Applications of Digital Information and Web Technologies (ICADIWT), 2014 Fifth International Conference on the, pp. 81-86, 17-19 Feb. 2014. doi: 10.1109/ICADIWT.2014.6814679
In this paper, we propose static analysis of Android malware files by mining prominent permissions. The proposed technique is implemented by extracting permissions from 436 .apk files. Feature pruning is carried out to investigate the impact of feature length on accuracy. The prominent features that give way to less misclassification are determined using Bi-Normal Separation (BNS) and Mutual Information (MI) feature selection techniques. Results suggest that Droid permission miner can be used for preliminary classification of Android package files.
Keywords: Android (operating system); data mining; feature selection; invasive software; mobile computing; pattern classification; smart phones; Android package file classification; BNS; Droid permission miner; MI feature selection; android malware analysis; bi-normal separation; mutual information; permission extraction; prominent permission mining; static analysis; Accuracy; Androids; Feature extraction; Humanoid robots; Malware; Smart phones; Training; Androguard; Android malware; Feature extraction; Static analysis (ID#: 15-4648)
URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6814679&isnumber=6814661
Vlad, M.; Reiser, H.P., "Towards a Flexible Virtualization-Based Architecture for Malware Detection and Analysis," Database and Expert Systems Applications (DEXA), 2014 25th International Workshop on, pp. 303-307, 1-5 Sept. 2014. doi: 10.1109/DEXA.2014.67
The complexity and sophistication of malicious attacks against IT systems have steadily increased over the past decades. Tools used to detect and analyse such attacks need to evolve continuously as well in order to cope with such attacks. In this paper, we identify some limitations of existing approaches and propose a novel architecture for an attack detection and analysis framework. This architecture is based on virtualization technology to execute target systems, supports a broad spectrum of low-level tracing modules and sophisticated, extensible virtual-machine introspection mechanisms, combined with an extensible plug-in interface for specialized detection and analysis mechanisms, and it offers support for deployment in cloud infrastructures.
Keywords: cloud computing; invasive software; virtual machines; virtualisation; IT systems; analysis mechanisms; cloud infrastructures; extensible plug-in interface; flexible virtualization-based architecture; low-level tracing modules; malicious attacks; malware analysis; malware detection; specialized detection mechanisms; virtual-machine introspection mechanisms; virtualization technology; Computer architecture; Computers; Hardware; Malware; Virtual machining; Virtualization; Intrusion Detection; Malware Analysis; attack detection; plug-in architecture (ID#: 15-4649)
URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6974866&isnumber=6974758
Aydogan, E.; Sen, S., "Analysis of Machine Learning Methods On Malware Detection," Signal Processing and Communications Applications Conference (SIU), 2014 22nd, pp. 2066-2069, 23-25 April 2014. doi: 10.1109/SIU.2014.6830667
Nowadays, one of the most important security threats is new, unseen malicious executables. Current anti-virus systems have been fairly successful against known malicious software whose signatures are known. However, they are very ineffective against new, unseen malicious software. In this paper, we aim to detect new, unseen malicious executables using machine learning techniques. We extract distinguishing structural features of software and employ machine learning techniques in order to detect malicious executables.
Keywords: invasive software; learning (artificial intelligence); anti-virus systems; machine learning methods; malicious executables detection; malicious softwares; malware detection; security threats; software structural features; Conferences; Internet; Malware; Niobium; Signal processing; Software; machine learning; malware analysis and detection (ID#: 15-4650)
URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6830667&isnumber=6830164
Guanhua Yan, "Finding Common Ground Among Experts' Opinions On Data Clustering: With Applications In Malware Analysis," Data Engineering (ICDE), 2014 IEEE 30th International Conference on, pp. 15-27, 31 March-4 April 2014. doi: 10.1109/ICDE.2014.6816636
Data clustering is a basic technique for knowledge discovery and data mining. As the volume of data grows significantly, data clustering becomes computationally prohibitive and resource demanding, and sometimes it is necessary to outsource these tasks to third party experts who specialize in data clustering. The goal of this work is to develop techniques that find common ground among experts' opinions on data clustering, which may be biased due to the features or algorithms used in clustering. Our work differs from the large body of existing approaches to consensus clustering, as we do not require all data objects to be grouped into clusters. Rather, our work is motivated by real-world applications that demand high confidence in how data objects, if they are selected, are grouped together. We formulate the problem rigorously and show that it is NP-complete. We further develop a lightweight technique based on finding a maximum independent set in a 3-uniform hypergraph to select data objects that do not form conflicts among experts' opinions. We apply our proposed method to a real-world malware dataset with hundreds of thousands of instances to find malware clusters based on how multiple major AV (Anti-Virus) software classify these samples. Our work offers a new direction for consensus clustering by striking a balance between the clustering quality and the amount of data objects chosen to be clustered.
Keywords: computational complexity; computer viruses; data mining; graph theory; pattern clustering; 3-uniform hypergraph; AV software; NP-complete; antivirus software; clustering quality; common ground; consensus clustering; data clustering; data mining; data objects; expert opinions; knowledge discovery; malware analysis; malware clusters; Feature extraction (ID#: 15-4651)
URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6816636&isnumber=6816620
Mead, N.R.; Morales, J.A., "Using Malware Analysis To Improve Security Requirements On Future Systems," Evolving Security and Privacy Requirements Engineering (ESPRE), 2014 IEEE 1st Workshop on, pp. 37-41, 25 Aug. 2014. doi: 10.1109/ESPRE.2014.6890526
In this position paper, we propose to enhance current software development lifecycle models by including use cases, based on previous cyberattacks and their associated malware, and to propose an open research question: Are specific types of systems prone to specific classes of malware exploits? If this is the case, developers can create future systems that are more secure, from inception, by including use cases that address previous attacks.
Keywords: invasive software; software engineering; cyberattacks; malware analysis; malware exploits; security requirement improvement; software development lifecycle models; use cases; Authentication; Computer crime; Malware; Software; Software engineering; Standards; SDLC; cyberattacks; malware; software security (ID#: 15-4652)
URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6890526&isnumber=6890516
Adeel, M.; Tokarchuk, L.N.; Azam, M.A.; Khan, S.K.A.; Khalil, M.A., "Propagation Analysis of Malware Families in Mobile P2P Networks," Information Technology: New Generations (ITNG), 2014 11th International Conference on, pp. 220-226, 7-9 April 2014. doi: 10.1109/ITNG.2014.123
Viral propagation modelling acts as a sandbox for testing the intensity of malware, understanding patterns adopted for malware propagation and consequently helping devise strategies for malware detection. The success of P2P networks has encouraged mobile vendors to offer P2P services on mobile networks. Handheld mobile devices, though constrained in memory, power and processing resources, are capable of using communication technologies like Bluetooth, MMS, SMS, Infrared and WLAN services. Such versatility has however exposed mobile devices to threats like mobile P2P malware. With the number of mobile phone malware escalating to an alarming figure of more than one thousand, it has become ever more important to analyze the effects of propagation of such malware in the wild, which could subsequently act as the baseline for protection against such malware. This paper initially presents propagation analysis of generic mobile P2P malware categories and then provides a detailed analysis of propagation of real-world malware from three malware families accommodating around 100 well known mobile P2P malware. The paper is aimed at providing a much needed insight into propagation characteristics of mobile P2P malware like their propagation speed and battery depletion effect.
Keywords: invasive software; mobile computing; peer-to-peer computing; Viral propagation modelling; handheld mobile device; malware detection; malware propagation analysis; mobile P2P network; mobile phone malware; Batteries; Bluetooth; Grippers; Malware; Mathematical model; Mobile communication; Viruses (medical); Malware classification; Malware propagation; Mobile P2P; Mobile malware families (ID#: 15-4653)
URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6822202&isnumber=6822158
Yerima, S.Y.; Sezer, S.; McWilliams, G., "Analysis of Bayesian Classification-Based Approaches For Android Malware Detection," Information Security, IET, vol. 8, no. 1, pp. 25-36, Jan. 2014. doi: 10.1049/iet-ifs.2013.0095
Mobile malware has been growing in scale and complexity, spurred by the unabated uptake of smartphones worldwide. Android is fast becoming the most popular mobile platform, resulting in a sharp increase in malware targeting the platform. Additionally, Android malware is evolving rapidly to evade detection by traditional signature-based scanning. Despite current detection measures in place, timely discovery of new malware is still a critical issue. This calls for novel approaches to mitigate the growing threat of zero-day Android malware. Hence, the authors develop and analyse proactive machine-learning approaches based on Bayesian classification aimed at uncovering unknown Android malware via static analysis. The study, which is based on a large malware sample set covering the majority of the existing families, demonstrates detection capabilities with high accuracy. Empirical results and comparative analysis are presented, offering useful insight towards the development of effective static-analytic Bayesian classification-based solutions for detecting unknown Android malware.
Keywords: invasive software; learning (artificial intelligence); operating system kernels; pattern classification; smart phones; Android malware detection; machine learning; mobile malware; signature based scanning; smartphones; static analysis; static analytic Bayesian classification (ID#: 15-4654)
URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6687155&isnumber=6687150
Naidu, V.; Narayanan, A., "Further Experiments In Biocomputational Structural Analysis Of Malware," Natural Computation (ICNC), 2014 10th International Conference on, pp. 605-610, 19-21 Aug. 2014. doi: 10.1109/ICNC.2014.6975904
Initial work on structural analysis of malware using the nature-inspired technique of projecting malware signatures into the amino acid/protein domain was promising in a number of ways, including the demonstration of potential links with real-world pathogen proteins. That initial work was necessarily speculative and limited by a number of experimental factors. The aim of the research reported here is to address some of these limitations and to repeat, with malware code and signatures that can be assured as genuine, the experiments previously reported but with enhancements and improvements. Intriguingly, the outcome is the same: for some reason that is not yet known, matching artificial malware code consensuses after multiple alignment against protein databases returns a high proportion of naturally occurring viral proteins.
Keywords: digital signatures; invasive software; amino acid; artificial malware code consensuses; biocomputational structural analysis; malware signatures; nature-inspired technique; protein databases; real-world pathogen proteins; viral proteins; Amino acids; Biological information theory; Grippers; Malware; Matrices; Payloads; Proteins; Blaster worm; automatic signature generation; malware modelling; malware structural analysis (ID#: 15-4655)
URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6975904&isnumber=6975799
Moghaddam, Samaneh Hosseini; Abbaspour, Maghsood, "Sensitivity Analysis Of Static Features For Android Malware Detection," Electrical Engineering (ICEE), 2014 22nd Iranian Conference on, pp. 920-924, 20-22 May 2014. doi: 10.1109/IranianCEE.2014.6999667
The recent explosion of the number of mobile malware in the wild significantly increases the importance of developing techniques to detect them. There is much published research in this area which employed traditional desktop malware detection approaches like dynamic and static analysis techniques to detect mobile malware, but none of it applied a thorough study on the sensitivity analysis of the features used. In this paper we divide the static features of classification-based Android malware detection techniques proposed in different papers into some related categories and study the influence of using each category of features on the efficiency of classification-based Android malware detection techniques using all the static features.
Keywords: Androids; Feature extraction; Humanoid robots; Malware; Mobile communication; Sensitivity analysis; Smart phones; Android malware detection; mobile malware detection; sensitivity analysis; static analysis; static feature (ID#: 15-4656)
URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6999667&isnumber=6999486
Kuriakose, J.; Vinod, P., "Ranked Linear Discriminant Analysis Features For Metamorphic Malware Detection," Advance Computing Conference (IACC), 2014 IEEE International, pp.112,117, 21-22 Feb. 2014. doi: 10.1109/IAdCC.2014.6779304 Metamorphic malware modifies the code of every new offspring by using code obfuscation techniques. Recent research has shown that metamorphic writers make use of benign dead code to thwart signature-based and Hidden Markov-based detectors. Failure in the detection is due to the fact that the malware code appears statistically similar to benign programs. In order to detect complex malware generated with a hacker-generated tool, i.e. NGVCK, known to the research community, and the intricate metamorphic worm available as benchmark data, we propose a novel approach using Linear Discriminant Analysis (LDA) to rank and synthesize the most prominent opcode bi-gram features for identifying unseen malware and benign samples. Our investigation resulted in 99.7% accuracy, which reveals that the current method could be employed to improve the detection rate of existing malware scanners available to the public.
Keywords: hidden Markov models; security of data; benign dead code; code obfuscation technique; hidden Markov based detectors; intricate metamorphic worm; metamorphic malware detection; opcode bi-gram features; ranked linear discriminant analysis features; thwart signature; Conferences; Decision support systems; Handheld computers; Nickel; linear discriminant analysis; metamorphic malware; obfuscation; optimal features (ID#: 15-4657)
URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6779304&isnumber=6779283
Zolotukhin, M.; Hamalainen, T., "Detection of Zero-Day Malware Based On The Analysis Of Opcode Sequences," Consumer Communications and Networking Conference (CCNC), 2014 IEEE 11th, pp.386,391, 10-13 Jan. 2014. doi: 10.1109/CCNC.2014.6866599 Today, rapid growth in the amount of malicious software is causing a serious global security threat. Unfortunately, widespread signature-based malware detection mechanisms are not able to deal with constantly appearing new types of malware and variants of existing ones, until an instance of this malware has damaged several computers or networks. In this research, we apply an anomaly detection approach which can cope with the problem of new malware detection. First, executable files are analyzed in order to extract operation code sequences and then n-gram models are employed to discover essential features from these sequences. A clustering algorithm based on the iterative usage of support vector machines and support vector data descriptions is applied to analyze feature vectors obtained and to build a benign software behavior model. Finally, this model is used to detect malicious executables within new files. The scheme proposed allows one to detect malware unseen previously. The simulation results presented show that the method results in a higher accuracy rate than that of the existing analogues.
Keywords: invasive software; iterative methods; pattern clustering; support vector machines; anomaly detection approach; benign software behavior model; clustering algorithm; global security threat; iterative usage; malicious software; n-gram models; opcode sequences analysis; operation code sequences; support vector data descriptions; support vector machines; widespread signature-based malware detection mechanism; zero-day malware detection; Feature extraction; Malware; Software; Software algorithms; Support vector machines; Training; Vectors (ID#: 15-4658)
URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6866599&isnumber=6866537
Rai, S., "Combining register value analysis with similarity based technique for metamorphic malware detection," Signal Propagation and Computer Technology (ICSPCT), 2014 International Conference on, pp.720,725, 12-13 July 2014. doi: 10.1109/ICSPCT.2014.6884974 Metamorphic malware is one of the most deceptive categories of malware, inspired by the natural phenomenon of camouflage. The variation occurs in appearance only, without interfering with the core elements or properties of the subject. It is implemented by utilizing simple code obfuscation techniques like dead code, sequence reordering, etc. Nevertheless, Anti-Virus (AV) companies are struggling to tackle this strategy of malware writers due to inadequate syntactic signature-pattern-based detection. This paper discusses the feasibility of malware evasion from detectors, and a comparative study of detection methods to deal with metamorphic malware, such as Zero transform, Hidden Markov Model, semantic analysis, etc., is presented. In this paper, I propose an approach for combining value analysis of registers with other similarity-based techniques for an improved rate of detection with reduced false negatives.
Keywords: hidden Markov models; invasive software; transforms; AV companies; antivirus companies; code obfuscation techniques; false negative reduction; hidden Markov model; malware evasion; malware writers; metamorphic malware detection; register value analysis; semantic analysis; similarity based technique; syntactic signature pattern-based detection; zero transform; Automata; Cryptography; Hidden Markov models; Malware; Reactive power; Registers; Transforms; Code obfuscation; Cyber Security; Detection techniques; Malware; Metamorphic malwares (ID#: 15-4659)
URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6884974&isnumber=6884878
Koniaris, I.; Papadimitriou, G.; Nicopolitidis, P.; Obaidat, M., "Honeypots Deployment For The Analysis And Visualization Of Malware Activity And Malicious Connections," Communications (ICC), 2014 IEEE International Conference on, pp.1819,1824, 10-14 June 2014. doi: 10.1109/ICC.2014.6883587 Honeypots are systems aimed at deceiving threat agents. In most cases the latter are cyber attackers with financial motivations, and malicious software with the ability to launch automated attacks. Honeypots are usually deployed either as production systems or as research units to study the methods employed by attackers. In this paper we present the results of two distinct research honeypots. The first acted as a malware collector, a device usually deployed in order to capture self-propagating malware and monitor its activity. The second acted as a decoy server, dropping but logging every malicious connection attempt. Both of these systems remained online for a lengthy period of time to study the aforementioned malicious activity. During this assessment it was shown that human attackers and malicious software are constantly attacking servers, trying to break into systems or spread across networks. It was also shown that the usage of honeypots for malware monitoring and attack logging can be very effective and provide valuable data. Lastly, we present an open source visualization tool which was developed to help security professionals and researchers during the analysis and conclusion-drawing phases, for use with one of the systems fielded in our study.
Keywords: data visualisation; invasive software; public domain software; cyber attackers; financial motivations; honeypots deployment; malicious connections; malicious software; malware activity; open source visualization tool; threat agents; Data visualization; Grippers; IP networks; Malware; Ports (Computers); Servers; Software; data visualization; honeypot; intrusion detection; log file analysis; malware (ID#: 15-4660)
URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6883587&isnumber=6883277
Note:
Articles listed on these pages have been found on publicly available internet pages and are cited with links to those pages. Some of the information included herein has been reprinted with permission from the authors or data repositories. Direct any requests via email to news@scienceofsecurity.net for removal of the links or modifications to specific citations. Please include the ID# of the specific citation in your correspondence.