A selection of scholarly literature on the topic "Active Malware Analysis"

Browse lists of current articles, books, dissertations, conference abstracts, and other scholarly sources on the topic "Active Malware Analysis".

Journal articles on the topic "Active Malware Analysis"

1

Joshi, Ankit, Komesh Borkar, Rohit Dhote, et al. "A Machine Learning Technique to Detect Malware." International Journal for Research in Applied Science and Engineering Technology 10, no. 12 (2022): 188–93. http://dx.doi.org/10.22214/ijraset.2022.47841.

Abstract:
Organizations have been threatened by malware for a long time, but timely detection of the virus remains a challenge. Malware may quickly damage the system by doing pointless tasks that burden it and prevent it from operating efficiently. There are two ways to detect malware: the traditional method that relies on the malware's signature and the behavior-based approach. The malware's behavior is characterized by the action it conducts when active in the machine, such as executing the operating system functions and downloading infected files from the internet. Based on how it behaves, the suggested algorithm finds the virus. The suggested model in this study is a hybrid of Support Vector Machine and Principal Component Analysis. For real Malware, our suggested model obtained an accuracy of 92.70% during validation, with 96% precision, 96.32% recall, and an F1-score of .96.
2

Miraglia, Armando, and Matteo Casenove. "Fight fire with fire: the ultimate active defence." Information & Computer Security 24, no. 3 (2016): 288–96. http://dx.doi.org/10.1108/ics-01-2015-0004.

Abstract:
Purpose: This paper proposes an approach to deal with malware and botnets, which in recent years have become one of the major threats in the cyber world. These malicious pieces of software can cause harm not only to the infected victims but also to actors at a much larger scale. For this reason, defenders, namely, security researchers and analysts, and law enforcement have fought back and contained the spreading infections. However, the fight is fundamentally asymmetric.
Design/methodology/approach: In this paper, the authors argue the need to equip defenders with more powerful active defence tools such as malware and botnets, called antidotes, which must be used as last resort to mitigate malware epidemics. Additionally, the authors argue the validity of this approach by considering the ethical and legal concerns of leveraging sane and compromised hosts to mitigate malware epidemics. Finally, the authors further provide evidence of the possible success of these practices by applying their approach to Hlux, Sality and Zeus malware families.
Findings: Although attackers have neither ethical nor legal constraints, defenders are required to follow much stricter rules and develop significantly more intricate tools. Additionally, attackers have been improving their malware to make them more resilient to takeovers.
Originality/value: By combining existing research, the authors provide an analysis and possible implication of a more intrusive yet effective solution for fighting the spreading of malware.
3

Zhang, Hong, Shumin Yang, Guowen Wu, Shigen Shen, and Qiying Cao. "Steady-State Availability Evaluation for Heterogeneous Edge Computing-Enabled WSNs with Malware Infections." Mobile Information Systems 2022 (April 11, 2022): 1–16. http://dx.doi.org/10.1155/2022/4743605.

Abstract:
To evaluate the steady-state availability of heterogeneous edge computing-enabled wireless sensor networks (HECWSNs) with malware infections, we first propose a Stackelberg attack-defence game to predict the optimal strategies of malware and intrusion detection systems (IDSs) deployed in heterogeneous sensor nodes (HSNs). Next, we present a new malware infection model—heterogeneous susceptible-threatened-active-recovered-dead (HSTARD) based on epidemic theory. Then, considering the heterogeneity of sink sensor nodes and common sensor nodes and the malware attack correlation, we derive the state transition probability matrix of an HSN based on a semi-Markov process (SMP), as well as the steady-state availability of an HSN. Furthermore, based on a data flow analysis of HSNs, we deduce the steady-state availability of HECWSNs with various topologies, including the star topology, cluster topology, and mesh topology. Finally, numerical analyses illustrate the influence of the IDS parameters on the optimal infection probability of malware and reveal the effect of multiple factors on the steady-state availability of HSNs, including the initial infection rate, the infection change rate, and the malware attack correlation. In addition, we present data analyses of the steady-state availability of HECWSNs with various topologies, including the star topology, cluster topology, and mesh topology, which provide a theoretical basis for the design, deployment, and maintenance of high-availability HECWSNs.
4

Shatnawi, Ahmed S., Aya Jaradat, Tuqa Bani Yaseen, Eyad Taqieddin, Mahmoud Al-Ayyoub, and Dheya Mustafa. "An Android Malware Detection Leveraging Machine Learning." Wireless Communications and Mobile Computing 2022 (May 6, 2022): 1–12. http://dx.doi.org/10.1155/2022/1830201.

Abstract:
Android applications have recently witnessed a pronounced progress, making them among the fastest growing technological fields to thrive and advance. However, such level of growth does not evolve without some cost. This particularly involves increased security threats that the underlying applications and their users usually fall prey to. As malware becomes increasingly more capable of penetrating these applications and exploiting them in suspicious actions, the need for active research endeavors to counter these malicious programs becomes imminent. Some of the studies are based on dynamic analysis, and others are based on static analysis, while some are completely dependent on both. In this paper, we studied static, dynamic, and hybrid analyses to identify malicious applications. We leverage machine learning classifiers to detect malware activities as we explain the effectiveness of these classifiers in the classification process. Our results prove the efficiency of permissions and the action repetition feature set and their influential roles in detecting malware in Android applications. Our results show empirically very close accuracy results when using static, dynamic, and hybrid analyses. Thus, we use static analyses due to their lower cost compared to dynamic and hybrid analyses. In other words, we found the best results in terms of accuracy and cost (the trade-off) make us select static analysis over other techniques.
5

Londoño, Sebastián, Christian Urcuqui, Manuel Fuentes Amaya, Johan Gómez, and Andrés Navarro Cadavid. "SafeCandy: System for security, analysis and validation in Android." Sistemas y Telemática 13, no. 35 (2015): 89–102. http://dx.doi.org/10.18046/syt.v13i35.2154.

Abstract:
Android is an operating system which currently has over one billion active users for all their mobile devices, a market impact that is influencing an increase in the amount of information that can be obtained from different users, facts that have motivated the development of malicious software by cybercriminals. To solve the problems caused by malware, Android implements a different architecture and security controls, such as a unique user ID (UID) for each application, while an API permits its distribution platform, Google Play applications. It has been shown that there are ways to violate that protection, so the developer community has been developing alternatives aimed at improving the level of safety. This paper presents: the latest information on the various trends and security solutions for Android, and SafeCandy, an app proposed as a new system for analysis, validation and configuration of Android applications that implements static and dynamic analysis with improved ASEF. Finally, a study is included to evaluate the effectiveness in threat detection of different malware antivirus software for Android.
6

Sartea, Riccardo, Alessandro Farinelli, and Matteo Murari. "SECUR-AMA: Active Malware Analysis Based on Monte Carlo Tree Search for Android Systems." Engineering Applications of Artificial Intelligence 87 (January 2020): 103303. http://dx.doi.org/10.1016/j.engappai.2019.103303.

7

O'Callaghan, Derek, Martin Harrigan, Joe Carthy, and Pádraig Cunningham. "Network Analysis of Recurring YouTube Spam Campaigns." Proceedings of the International AAAI Conference on Web and Social Media 6, no. 1 (2021): 531–34. http://dx.doi.org/10.1609/icwsm.v6i1.14288.

Abstract:
As the popularity of content sharing websites has increased, they have become targets for spam, phishing and the distribution of malware. On YouTube, the facility for users to post comments can be used by spam campaigns to direct unsuspecting users to malicious third-party websites. In this paper, we demonstrate how such campaigns can be tracked over time using network motif profiling, i.e. by tracking counts of indicative network motifs. By considering all motifs of up to five nodes, we identify discriminating motifs that reveal two distinctly different spam campaign strategies, and present an evaluation that tracks two corresponding active campaigns.
8

Duraisamy Soundrapandian, Pradeepkumar, and Geetha Subbiah. "MULBER: Effective Android Malware Clustering Using Evolutionary Feature Selection and Mahalanobis Distance Metric." Symmetry 14, no. 10 (2022): 2221. http://dx.doi.org/10.3390/sym14102221.

Abstract:
Symmetric and asymmetric patterns are fascinating phenomena that show a level of co-existence in mobile application behavior analyses. For example, static phenomena, such as information sharing through collaboration with known apps, is a good example of a symmetric model of communication, and app collusion, where apps collaborate dynamically with unknown malware apps, is an example of a serious threat with an asymmetric pattern. The symmetric nature of app collaboration can become vulnerable when a vulnerability called PendingIntent is exchanged during Inter-Component Communication (ICC). The PendingIntent (PI) vulnerability enables a flexible software model, where the PendingIntent creator app can temporarily share its own permissions and identity with the PendingIntent receiving app. The PendingIntent vulnerability does not require approval from the device user or Android OS to share the permissions and identity with other apps. This is called a PI leak, which can lead to malware attacks such as privilege escalation and component hijacking attacks. This vulnerability in the symmetric behavior of an application without validating an app’s privileges dynamically leads to the asymmetric phenomena that can damage the robustness of an entire system. In this paper, we propose MULBER, a lightweight machine learning method for the detection of Android malware communications that enables a cybersecurity system to analyze multiple patterns and learn from them to help prevent similar attacks and respond to changing behavior. MULBER can help cybersecurity teams to be more proactive in preventing dynamic PI-based communication threats and responding to active attacks in real time. MULBER performs a static binary analysis on the APK file and gathers approximately 10,755 features, reducing it to 42 key features by grouping the permissions under the above-mentioned four categories. 
Finally, MULBER learns from these multivariate features using evolutionary feature selection and the Mahalanobis distance metric and classifies them as either benign or malware apps. In an evaluation of 22,638 malware samples from recent Android APK malware databases such as Drebin and CICMalDroid-2020, MULBER outperformed others by clustering applications based on the Mahalanobis distance metric and detected 95.69% of malware with few false alarms and the explanations provided for each detection revealed the relevant properties of the detected malware.
9

Nawaz, Umair, Muhammad Aleem, and Jerry Chun-Wei Lin. "On the evaluation of android malware detectors against code-obfuscation techniques." PeerJ Computer Science 8 (June 21, 2022): e1002. http://dx.doi.org/10.7717/peerj-cs.1002.

Abstract:
The Android mobile platform is the most popular and dominates the cell phone market. With the increasing use of Android, malware developers have become active in circumventing security measures by using various obfuscation techniques. The obfuscation techniques are used to hide the malicious code in the Android applications to evade detection by anti-malware tools. Some attackers use the obfuscation techniques in isolation, while some attackers use a mixed approach (i.e., employing multiple obfuscation techniques simultaneously). Therefore, it is crucial to analyze the impact of the different obfuscation techniques, both when they are used in isolation and when they are combined as hybrid techniques. Several studies have suggested that the obfuscation techniques may be more effective when used in a mixed pattern. However, in most of the related works, the obfuscation techniques used for analysis are either based on individual or a combination of primitive obfuscation techniques. In this work, we provide a comprehensive evaluation of anti-malware tools to gauge the impact of complex hybrid code-obfuscations techniques on malware detection capabilities of the prominent anti-malware tools. The evaluation results show that the inter-category-wise hybridized code obfuscation results in more evasion as compared to the individual or simple hybridized code obfuscations (using multiple and similar code obfuscations) which most of the existing related work employed for the evaluation. Obfuscation techniques significantly impact the detection rate of any anti-malware tool. The remarkable result i.e., almost 100% best detection rate is observed for the seven out of 10 tools when analyzed using the individual obfuscation techniques, four out of 10 tools on category-wise obfuscation, and not a single anti-malware tool attained full detection (i.e., 100%) for inter-category obfuscations.
10

Wu, Xiaojun, Qiying Cao, Juan Jin, Yuanjie Li, and Hong Zhang. "Nodes Availability Analysis of NB-IoT Based Heterogeneous Wireless Sensor Networks under Malware Infection." Wireless Communications and Mobile Computing 2019 (January 3, 2019): 1–9. http://dx.doi.org/10.1155/2019/4392839.

Abstract:
The Narrowband Internet of Things (NB-IoT) is a mainstream technology based on mobile communication system. The combination of NB-IoT and WSNs can activate the application of WSNs. In order to evaluate the influence of node heterogeneity on malware propagation in NB-IoT based Heterogeneous Wireless Sensor Networks, we propose a node heterogeneity model based on node distribution and vulnerability differences, which can be used to analyze the availability of nodes. We then establish the node state transition model by epidemic theory and Markov chain. Further, we obtain the dynamic equations of the transition between nodes and the calculation formula of node availability. The simulation result is that when the degree of node is small and the node vulnerability function is a power function, the node availability is the highest; when the degree of node is large and the node vulnerability function satisfies the exponential function and the power function, the node availability is high. Therefore, when constructing a NBIOT-HWSNs network, node protection is implemented according to the degree of node, so that when the node vulnerability function satisfies the power function, all nodes can maintain high availability, thus making the entire network more stable.