Academic literature on the topic 'FILE-LESS MALWARE'

Consult the lists of relevant articles, books, theses, conference reports, and other scholarly sources on the topic 'FILE-LESS MALWARE.'

Journal articles on the topic "FILE-LESS MALWARE"

1

Ilić, Slaviša, Milan Gnjatović, Brankica Popović, and Nemanja Maček. "A pilot comparative analysis of the Cuckoo and Drakvuf sandboxes: An end-user perspective." Vojnotehnicki glasnik 70, no. 2 (2022): 372–92. http://dx.doi.org/10.5937/vojtehg70-36196.

Abstract:
Introduction/purpose: This paper reports on a pilot comparative analysis of the Cuckoo and Drakvuf sandboxes. These sandboxes are selected as the subjects of the analysis because of their popularity in the professional community and their complementary approaches to analyzing malware behavior. Methods: Both sandboxes were set up with basic configurations and confronted with the same set of malware samples. The evaluation was primarily conducted with respect to the question of to what extent a sandbox is helpful to the human analyst in malware analysis. Thus, only the information available in Web console reports was considered. Results: Drakvuf is expected to perform better when confronted with evasive malware and so-called "file-less" malware. Although still not mature in terms of integration, customization and tools, this sandbox is considered a second-generation sandbox because of its agentless design. On the other hand, the Cuckoo sandbox creates a better overall experience: it is supported through good documentation and a strong professional community, is better integrated with various tools, supports more virtualization, operating system and sample types, and generates more informative reports. Even with a smaller capacity to prevent evasive malware, its Python 2 agent script makes it more powerful than Drakvuf. Conclusion: To achieve the optimal open-source sandbox-based protection, it is recommended to apply both the Cuckoo and Drakvuf sandboxes. In circumstances of limited resources, applying the Cuckoo sandbox is preferable, especially if exposure to malware deploying evading techniques is not frequently expected.
2

Sivaraju, S. S. "An Insight into Deep Learning based Cryptojacking Detection Model." Journal of Trends in Computer Science and Smart Technology 4, no. 3 (September 21, 2022): 175–84. http://dx.doi.org/10.36548/jtcsst.2022.3.006.

Abstract:
To autonomously identify cyber threats is a non-trivial research topic. One area where this is most apparent is in the evolution of evasive cyber assaults, which are becoming better at masking their existence and obscuring their attack methods (for example, file-less malware). Particularly stealthy Advanced Persistent Threats may hide out in the system for a long time without being spotted. This study presents a novel method, dubbed CapJack, for identifying illicit bitcoin mining activity in a web browser by using cutting-edge CapsNet technology. Thus far, it is aware that deep learning framework CapsNet is pertained to the problem of detecting malware effectively using a heuristic based on system behaviour. Even more, in multitasking situations when several apps are all active at the same time, it is possible to identify fraudulent miners with greater efficiency.
3

Yang, Pin, Huiyu Zhou, Yue Zhu, Liang Liu, and Lei Zhang. "Malware Classification Based on Shallow Neural Network." Future Internet 12, no. 12 (December 2, 2020): 219. http://dx.doi.org/10.3390/fi12120219.

Abstract:
The emergence of a large number of new malicious code poses a serious threat to network security, and most of them are derivative versions of existing malicious code. The classification of malicious code is helpful to analyze the evolutionary trend of malicious code families and trace the source of cybercrime. The existing methods of malware classification emphasize the depth of the neural network, which has the problems of a long training time and large computational cost. In this work, we propose the shallow neural network-based malware classifier (SNNMAC), a malware classification model based on shallow neural networks and static analysis. Our approach bridges the gap between precise but slow methods and fast but less precise methods in existing works. For each sample, we first generate n-grams from their opcode sequences of the binary file with a decompiler. An improved n-gram algorithm based on control transfer instructions is designed to reduce the n-gram dataset. Then, the SNNMAC exploits a shallow neural network, replacing the full connection layer and softmax with the average pooling layer and hierarchical softmax, to learn from the dataset and perform classification. We perform experiments on the Microsoft malware dataset. The evaluation result shows that the SNNMAC outperforms most of the related works with 99.21% classification precision and reduces the training time by more than half when compared with the methods using DNN (Deep Neural Networks).
4

AR, Dinesh, and Dr Pradeep Udupa. "Foreseeing Outbreak Investigation by Means of Machine Learning." International Journal for Research in Applied Science and Engineering Technology 11, no. 4 (April 30, 2023): 1130–35. http://dx.doi.org/10.22214/ijraset.2023.50250.

Abstract:
The deliberate breach of a security strategy is what intrusion exposure is. In order to look for any malicious actions or extortions, invasion discovery systems monitor network traffic passing across numerous types of computer systems and deliver warnings when they perceive any hazards. Systems for identifying extortions should be able to recognize every injurious software and occurrence in the linkage. All forms of occurrences, comprising intrusion, file-less malware, botnets, and malware, are changing the threat environment. In order to identify harmful events by investigating the program's negotiating pattern, a learning recognition system is essential. In this situation, we have formed the structure to stipulate the type of attack that machine learning has accepted. Malicious action exposure can be alienated into two classes: signature grounded discovery and misuse discovery. For both types of revealing, an IDS must gather the essential data, assess it, and then associate it to outbreak signs retained in big databanks. In our paper, we advised a technique for generating nominal IDS employing either the stacking procedure or the decision tree procedure. According to the outcomes, the recommended method achieves more precisely and professionally than other approaches like logistic regression and random forest. The accurateness rate values for the results formed by the proposed technique are 99.36%. The outbreak analyzer method uses four dissimilar procedures to assess numerous kinds of protocol constraints and endorse users. After that, it stacks approaches with and without character choice to assess the accuracy and choose the best algorithm to recognize which types of outbreaks occur, such as port scans, brute force attacks, benign, DoS, bot attacks, infiltration, and web attacks.
5

Lad, Sumit S., and Amol C. Adamuthe. "Improved Deep Learning Model for Static PE Files Malware Detection and Classification." International Journal of Computer Network and Information Security 14, no. 2 (April 8, 2022): 14–26. http://dx.doi.org/10.5815/ijcnis.2022.02.02.

Abstract:
Static analysis and detection of malware is a crucial phase for handling security threats. Most researchers stated that the problem with the static analysis is an imbalance in the dataset, causing invalid result metrics. It requires more time for extracting features from the raw binaries, and methods like neural networks require more time for the training. Considering these problems, we proposed a model capable of building a feature set from the dataset and classifying static PE files efficiently. The research work was conducted to emphasize the importance of feature extraction rather than focusing on model building. The well-extracted features help to provide better results when fed to neural networks with minimal numbers of layers. Using minimum layers will enhance the performance of the model and take fewer resources and time for the processing and evaluation. In this research work, EMBER datasets published by Endgame Inc. containing PE file information are used. Feature extraction, data standardization, and data cleaning techniques are performed to handle the imbalance and impurities from the dataset. Later the extracted features were scaled into a standard form to avoid the problems related to range variations. A total of 2381 features are extracted and pre-processed from both the 2017 and 2018 datasets, respectively. The pre-processed data is then given to a deep learning model for training. The deep learning model created using dense and dropout layers to minimize the resource strain on the model and deliver more accurate results in less amount of time. The results obtained during experimentation for EMBER v2017 and v2018 datasets are 97.53% and 94.09%, respectively. The model is trained for ten epochs with a learning rate of 0.01, and it took 4 minutes/epoch, which is one minute lesser than the Decision Tree model. In terms of precision metrics, our model achieved 98.85%, which is 1.85% more as compared to the existing models.
6

Samarin, Nikolay N. "Solution for a Source Code-Less Software Information Security Assessment." H&ES Research 13, no. 2 (2021): 25–34. http://dx.doi.org/10.36724/2409-5419-2021-13-2-25-34.

Abstract:
Introduction: Digitalisation affects all sectors of human activity, resulting in the creation of a variety of software that implements business logic and technical processes in complex systems. Under these conditions, the issue of identifying malware becomes even more important. The solution to this problem is complicated by the lack of source code and the need to quickly make a decision on the presence or absence of malicious functionality. Research Aim: The aim of the research is to create an approach to assess the information security of software without source code. It is proposed that the approach is based on the use of a hypervisor that provides control over the operation of software with memory as a key characteristic of the presence/absence of its malicious functionality. It is proposed to calculate a software security score as a security metric. Methods: the solution of the set issue is based on the use of a virtualization mechanism providing control over all operations over the memory realized by the software and on the use of probability theory methods to get a complex security estimate which takes into account the reliability of the software functioning and its security. Results: the methodology of getting a complex estimation of software functioning security is developed which takes into account the security of software functioning; network security (vulnerabilities and network ports detected by scanning); potentially insecure changes in file system and register and also potentially dangerous operations connected with the use of memory. The architecture of the software prototype that implements the proposed approach is described and its experimental testing is carried out, as a result of which only regular software samples received a high security assessment. Practical significance: the developed system can be used for automated analysis of software operating in various complex systems. An important advantage of the software prototype is its scalability and trustworthiness ensured through the use of virtualization tools that do not allow damaging the work of a computer system in case of detection of malicious software.
7

"Attack Patterns on IoT devices using Honey Net Cloud." International Journal of Innovative Technology and Exploring Engineering 9, no. 2 (December 10, 2019): 3281–88. http://dx.doi.org/10.35940/ijitee.b6591.129219.

Abstract:
Due to the superfluous growth of IoT devices in the current digital world, where lots of devices are becoming smart by being able to connect to the internet with many smart features, IoT devices have become the main target of cyber-attacks for hackers these days. Since IoT devices are very light in terms of processing power and memory, they have become an easy target for hackers to intrude into the network. File-less attacks, which usually don't require any files to be downloaded and installed, bypass anti-malware products. Very little effort has been put into learning the characteristics of attack patterns in IoT devices so as to do the research and development needed to defend against them. This paper deep dives to understand the attacks on IoT devices in the network. HoneyNetCloud has been built with four hardware honeypots and a hundred software honeypots that are meant to attract a wide variety of attacks from the real world. A huge range of data was recorded over the span of 12 months. This study leads to multifold insights towards developing the IoT Network Forensics Methodology.

Dissertations / Theses on the topic "FILE-LESS MALWARE"

1

Anand, Himanshu. "File-less Malware Detection." Thesis, 2022. http://dspace.dtu.ac.in:8080/jspui/handle/repository/19105.

Abstract:
Today, everything is present digitally on our computer systems and every organisation uses computers for its daily work; nearly 50 billion devices are currently connected to the Internet. Every device which is connected to the internet is vulnerable to cyberattack. To protect them from attack, multiple techniques have been introduced, like anomaly-based detection, specification-based detection and signature-based detection, but with the evolution in cybersecurity measures, the threat has also evolved with time, especially in the field of malware. Typically, malware is based on the file system, which can be detected by antivirus software. To overcome this, file-less malware is developed by attackers; it does not use the file system, so it bypasses signature-based detection. File-less malware can be dangerous for any organisation because of its persistence. To overcome the danger of file-less malware, a few methods have been developed, like detection on the basis of system behaviour, detection on the basis of rules and detection on the basis of attack. To make the computer system secure, continuous analysis of the malware is necessary, so that malware can be detected easily. This project uses 4 different machine learning algorithms, i.e. Logistic Regression, K Nearest Neighbour, Decision Tree and Support Vector Machine; all the algorithms come under supervised learning and are capable of detecting any type of labeled value. Our dataset contains 10 different file-less malware samples and we have applied all the algorithms to it for the detection part.