Journal articles: 9 results found
1. MMALE—A Methodology for Malware Analysis in Linux Environments
Authors: José Javier de Vicente Mohino, Javier Bermejo Higuera, Juan Ramón Bermejo Higuera, Juan Antonio Sicilia Montalvo, Manuel Sánchez Rubio, José Javier Martínez Herraiz. Computers, Materials & Continua (SCIE, EI), 2021, Issue 5, pp. 1447-1469, 23 pages.
In a computer environment, an operating system is prone to malware, and even the Linux operating system is no exception. In recent years, malware has evolved, and attackers have become more qualified than a few years ago. Furthermore, Linux-based systems have become more attractive to cybercriminals because of the increasing use of the Linux operating system in web servers and Internet of Things (IoT) devices. Windows is the most widely used OS, so most research efforts have focused on its malware protection rather than on other operating systems. As a result, hundreds of research articles, documents, and methodologies dedicated to malware analysis have been reported. However, there has not been much literature concerning Linux security and protection from malware. To address all these new challenges, it is necessary to develop a methodology that standardizes the steps required to perform malware analysis in depth. A systematic analysis process makes the difference between good and ordinary malware analyses. Additionally, a deep comprehension of malware can yield faster and much more efficient eradication. To address all the mentioned challenges, this article proposes a methodology for malware analysis on the Linux operating system, a traditionally overlooked field compared to other operating systems. The proposed methodology is tested on a specific Linux malware sample, and the test results show high effectiveness in malware detection.
Keywords: malware analysis; methodology analysis; Linux malware; IoT malware
2. Android Malware Detection Using ResNet-50 Stacking
Authors: Lojain Nahhas, Marwan Albahar, Abdullah Alammari, Anca Jurcut. Computers, Materials & Continua (SCIE, EI), 2023, Issue 2, pp. 3997-4014, 18 pages.
There has been an increase in attacks on mobile devices, such as smartphones and tablets, due to their growing popularity. Mobile malware is one of the most dangerous threats, causing both security breaches and financial losses. Mobile malware is likely to continue to evolve and proliferate to carry out a variety of cybercrimes on mobile devices. Mobile malware specifically targets the Android operating system as it has grown in popularity. The rapid proliferation of Android malware apps poses a significant security risk to users, making static and manual analysis of malicious files difficult. Therefore, efficient identification and classification of Android malicious files is crucial. Several Convolutional Neural Network (CNN) based methods have been proposed in this regard; however, there is still room for performance improvement. In this work, we propose a transfer learning and stacking approach to efficiently detect Android malware files by utilizing two well-known machine learning models, ResNet-50 and Support Vector Machine (SVM). The proposed model is trained on the DREBIN dataset by transforming malicious APK files into grayscale images. Our model yields higher performance measures than state-of-the-art works on the DREBIN dataset, where the reported measures are accuracy, recall, precision, and F1 of 97.8%, 95.8%, 95.7%, and 95.7%, respectively.
Keywords: Android malware; convolutional neural network; malware analysis; malware classification; image classification; support vector machine
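The abstract above says the APK files are "transformed into grayscale images" before being fed to ResNet-50 but does not say how. The following is an added example, not code from the paper, showing the common byte-to-pixel convention: every byte of the file becomes one 8-bit pixel, rows are a fixed width chosen from the file size (the width table is the one popularised by Nataraj et al., 2011; whether the paper used it is an assumption), the last row is zero-padded, and the result is resized to the fixed square input a CNN expects. The sample "APK" is constructed inline (a ZIP local-file-header signature followed by seeded pseudo-random bytes) so the block runs offline.

```python
"""Byte-to-grayscale conversion of an executable (e.g. an APK) for image-based
malware classification. Added example; not the paper's own code."""
import random
from typing import List, Optional

# Width by file size, the convention from Nataraj et al. (2011). Assumption:
# the paper's abstract does not state which width rule it used.
_WIDTH_TABLE = (
    (10 * 1024, 32), (30 * 1024, 64), (60 * 1024, 128), (100 * 1024, 256),
    (200 * 1024, 384), (500 * 1024, 512), (1000 * 1024, 768),
)


def choose_width(size: int) -> int:
    """Pick the row width for a file of `size` bytes (1024 above 1000 KB)."""
    for limit, width in _WIDTH_TABLE:
        if size < limit:
            return width
    return 1024


def bytes_to_grayscale(data: bytes, width: Optional[int] = None) -> List[List[int]]:
    """One byte per pixel (0..255), `width` pixels per row; the final row is
    zero-padded so the image is rectangular. Returns a list of rows."""
    if not data:
        raise ValueError("empty input")
    w = width or choose_width(len(data))
    padded = data + b"\x00" * (-len(data) % w)
    return [list(padded[i:i + w]) for i in range(0, len(padded), w)]


def resize_nearest(img: List[List[int]], out_h: int, out_w: int) -> List[List[int]]:
    """Nearest-neighbour resize to the fixed input size a CNN expects
    (224x224 is the usual ResNet-50 input; the paper's choice is not stated)."""
    h, w = len(img), len(img[0])
    return [[img[(y * h) // out_h][(x * w) // out_w] for x in range(out_w)]
            for y in range(out_h)]


def to_pgm(img: List[List[int]]) -> bytes:
    """Serialise as binary PGM (P5) so the image opens in any viewer."""
    h, w = len(img), len(img[0])
    header = f"P5\n{w} {h}\n255\n".encode("ascii")
    return header + bytes(v for row in img for v in row)


def make_sample_apk_like(n: int = 5000, seed: int = 7) -> bytes:
    """Constructed sample, not a real APK: a ZIP local-file-header signature
    (APKs are ZIP archives) followed by seeded pseudo-random bytes."""
    rng = random.Random(seed)
    return b"PK\x03\x04" + bytes(rng.getrandbits(8) for _ in range(n - 4))


if __name__ == "__main__":
    sample = make_sample_apk_like()
    img = bytes_to_grayscale(sample)           # 157 rows x 32 columns for 5000 bytes
    square = resize_nearest(img, 224, 224)     # CNN-sized input
    with open("sample.pgm", "wb") as f:
        f.write(to_pgm(square))
    print(f"{len(img)}x{len(img[0])} -> {len(square)}x{len(square[0])}, written to sample.pgm")
```

The padding and width rule matter for classification: two builds of the same app that differ by a few bytes keep almost the same texture, which is what makes the image representation useful, but a packer or a large appended resource changes the width bucket and the whole layout, so such features should be evaluated on samples that cross those size boundaries.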
3. Malware Detection Using Deep Learning
Authors: Achi Harrisson Thiziers, Koné Tiémoman, N'guessan Behou Gérard, Traoré Tiémoko Qouddouss Kabir. Open Journal of Applied Sciences, 2023, Issue 12, pp. 2480-2491, 12 pages.
Malware represents a real threat to information systems because of the damage it causes. This threat is growing today, as these programs take on more complex forms. This means they escape traditional malware detection methods. Hence the need for artificial intelligence, more specifically Deep Learning, which could detect malware more effectively. In this article, we have proposed a model for malware detection using artificial neural networks. Our approach used data from the characteristics of machines, particularly computers, to train our Deep Learning algorithm. This model demonstrated an accuracy of around 83% in predicting the presence of malware on a machine. Thus, the use of artificial neural networks for malware detection has shown its ability to assimilate complex, non-linear patterns from data.
Keywords: Neural Network; ANNs; Malicious Code; malware analysis; Artificial Intelligence
4. Static and Dynamic Integrated Analysis Scheme for Android Malware
Authors: Chun-Hao Yung, Wen-Shenq Juang. Journal of Electronic Science and Technology (CAS, CSCD), 2017, Issue 3, pp. 246-250, 5 pages.
The Android platform is the most popular mobile operating system. With the increase in the number of Android users, a lot of security issues have occurred. In order to detect the malicious behaviors of installed Android apps, in this paper we propose an Android malware detection scheme that integrates static and dynamic analysis methods. We use Androguard and DroidBox to extract the features, and then remove the irrelevant features. Then we employ the support vector machine (SVM) to classify Android malware and benignware. From the results of our proposed scheme, the integrated static and dynamic analysis scheme with SVM can effectively detect Android malware.
Keywords: Android; dynamic analysis; malware; static analysis; support vector machine
5. A Novel Framework for Windows Malware Detection Using a Deep Learning Approach
Author: Abdulbasit A. Darem. Computers, Materials & Continua (SCIE, EI), 2022, Issue 7, pp. 461-479, 19 pages.
Malicious software (malware) is one of the main cyber threats that organizations and Internet users are currently facing. Malware is software code developed by cybercriminals for damaging purposes, such as corrupting the system and data as well as stealing sensitive data. The damage caused by malware is increasing substantially every day. There is a need to detect malware efficiently and automatically and remove threats quickly from systems. Although there are various approaches to tackle malware problems, their prevalence and stealthiness necessitate an effective method for the detection and prevention of malware attacks. The deep learning-based approach has recently been gaining attention as a suitable method that effectively detects malware. In this paper, a novel approach based on deep learning for detecting malware is proposed. Furthermore, the proposed approach deploys novel feature selection, feature correlation, and feature representations to significantly reduce the feature space. The proposed approach has been evaluated using a Microsoft prediction dataset with 21,736 malware samples composed of 9 malware families. It achieved 96.01% accuracy and outperformed existing malware detection techniques.
Keywords: malware detection; malware analysis; deep learning; feature extraction; feature selection; cyber security
6. Behavioral Intrusion Prediction Model on Bayesian Network over Healthcare Infrastructure
Authors: Mohammad Hafiz Mohd Yusof, Abdullah Mohd Zin, Nurhizam Safie Mohd Satar. Computers, Materials & Continua (SCIE, EI), 2022, Issue 8, pp. 2445-2466, 22 pages.
Due to the polymorphic nature of malware attacks, signature-based analysis is no longer sufficient to address the polymorphic and stealthy nature of malware attacks. On the other hand, state-of-the-art methods like deep learning require a labelled dataset as a target to train a supervised model. This is unlikely to be the case in a production network, as the dataset is unstructured and has no labels. Hence, unsupervised learning is recommended. Behavioral study is one of the techniques to elicit traffic patterns. However, studies have shown that existing behavioral intrusion detection models had a few issues, which have been parameterized into their common characteristics, namely lack of prior information (p(θ)) and reduced parameters (θ). Therefore, this study aims to utilize the previously built Feature Selection Model to subsequently design a Predictive Analytics Model based on a Bayesian Network, used to improve prediction in the analysis. The Feature Selection Model is used to learn a significant label as a target, and the Bayesian Network is a sophisticated probabilistic approach to predict intrusion. Finally, the results are extended to evaluate the detection rate, accuracy and false alarm rate of the model against the subject matter expert model, Support Vector Machine (SVM) and k-nearest neighbor (k-NN) using simulated and ground-truth datasets. The ground-truth dataset from the production traffic of one of the largest healthcare providers in Malaysia is used to promote realism in the real use case scenario. Results have shown that the proposed model consistently outperformed the other models.
Keywords: Intrusion detection prevention system; behavioral malware analysis; machine learning in cybersecurity; deep learning in intrusion detection system (IDS) and intrusion prevention system (IPS)
7. MobSafe: Cloud Computing Based Forensic Analysis for Massive Mobile Applications Using Data Mining (cited by 2)
Authors: Jianlin Xu, Yifan Yu, Zhen Chen, Bin Cao, Wenyu Dong, Yu Guo, Junwei Cao. Tsinghua Science and Technology (SCIE, EI, CAS), 2013, Issue 4, pp. 418-427, 10 pages.
With the explosive increase in mobile apps, more and more threats migrate from the traditional PC client to the mobile device. Compared with the traditional Win+Intel alliance on the PC, the Android+ARM alliance dominates the Mobile Internet, and apps replace PC client software as the major target of malicious usage. In this paper, to improve the security status of current mobile apps, we propose a methodology to evaluate mobile apps based on a cloud computing platform and data mining. We also present a prototype system named MobSafe to identify a mobile app's virulence or benignancy. Compared with traditional methods, such as the permission-pattern based method, MobSafe combines dynamic and static analysis methods to comprehensively evaluate an Android app. In the implementation, we adopt the Android Security Evaluation Framework (ASEF) and the Static Android Analysis Framework (SAAF), two representative dynamic and static analysis methods, to evaluate Android apps and estimate the total time needed to evaluate all the apps stored in one mobile app market. Based on a real trace from a commercial mobile app market called AppChina, we collect statistics on the number of active Android apps, the average number of apps installed on one Android device, and the expansion ratio of mobile apps. As the mobile app market serves as the main line of defence against mobile malware, our evaluation results show that it is practical to use a cloud computing platform and data mining to verify all stored apps routinely in order to filter malware apps out of mobile app markets. As future work, MobSafe can make extensive use of machine learning to conduct automated forensic analysis of mobile apps based on the multifaceted data generated at this stage.
Keywords: Android platform; mobile malware detection; cloud computing; forensic analysis; machine learning; redis key-value store; big data; hadoop distributed file system; data mining
8. Taint- and Probability-Guided Multi-Path Exploration of Evasive Malware
Authors: 徐钫洲, 张网, 羌卫中, 金海. Security and Safety, 2023, Issue 3, pp. 83-106, 24 pages.
Static analysis is often impeded by malware obfuscation techniques, such as encryption and packing, whereas dynamic analysis tends to be more resistant to obfuscation by leveraging concrete execution information. Unfortunately, malware can employ evasive techniques to detect the analysis environment and alter its behavior accordingly. While known evasive techniques can be explicitly dismantled, the challenge lies in generically dismantling evasions without full knowledge of their conditions or implementations, such as logic bombs that rely on uncertain conditions, let alone unsupported evasive techniques, which contain evasions without corresponding dismantling strategies and those leveraging unknown implementations. In this paper, we present Antitoxin, a prototype for automatically exploring evasive malware. Antitoxin utilizes multi-path exploration guided by taint analysis and probability calculations to effectively dismantle evasive techniques. The probabilities of branch execution are derived from dynamic coverage, while taint analysis helps identify paths associated with evasive techniques that rely on uncertain conditions. Subsequently, Antitoxin prioritizes branches with lower execution probabilities and those influenced by taint analysis for multi-path exploration. This is achieved through forced execution, which forcefully sets the outcomes of branches on selected paths. Additionally, Antitoxin employs active anti-evasion countermeasures to dismantle known evasive techniques, thereby reducing exploration overhead. Furthermore, Antitoxin provides valuable insights into sensitive behaviors, facilitating deeper manual analysis. Our experiments on a set of highly evasive samples demonstrate that Antitoxin can effectively dismantle evasive techniques in a generic manner. The probability calculations guide the multi-path exploration of evasions without requiring prior knowledge of their conditions or implementations, enabling the dismantling of unsupported techniques such as C2 and significantly improving efficiency compared to linear exploration when dealing with complex control flows. Additionally, taint analysis can accurately identify branches related to logic bombs, facilitating preferential exploration.
Keywords: malware analysis; dynamic binary instrumentation; forced execution; taint analysis; evasion detection
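The abstract above describes three mechanisms working together: branch probabilities derived from dynamic coverage, taint marks on branches whose conditions depend on environment data, and forced execution of the rarely taken outcomes. The following is an added toy model of that pipeline, not Antitoxin's code: the real system works on binaries through dynamic binary instrumentation, whereas here the "sample" is a Python function whose branches pass through a tracer hook so their outcomes can be counted and overridden. The sample, its four branches (one ordinary file-extension check, a date logic bomb, a CPU-count sandbox check and a C2 command check) and the 30 sandbox runs used for coverage are all constructed for the example.

```python
"""Toy model of probability- and taint-guided multi-path exploration with forced
execution. Added example, not the Antitoxin implementation."""
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

BranchKey = Tuple[str, bool]  # (branch site, outcome)


class Tracer:
    """Records branch outcomes (dynamic coverage) and can force them."""

    def __init__(self, forced: Optional[Dict[str, bool]] = None):
        self.forced = forced or {}
        self.counts: Dict[str, List[int]] = defaultdict(lambda: [0, 0])  # [taken, not taken]
        self.tainted: Dict[str, bool] = defaultdict(bool)

    def branch(self, site: str, cond: bool, tainted: bool = False) -> bool:
        outcome = self.forced.get(site, cond)   # forced execution overrides the real condition
        self.counts[site][0 if outcome else 1] += 1
        self.tainted[site] |= tainted           # condition derived from environment data
        return outcome


def evasive_sample(env: dict, tr: Tracer) -> List[str]:
    """Constructed 'malware': one ordinary branch and three evasive ones."""
    behaviors = []
    for f in env["files"]:
        if tr.branch("has_ext", f.endswith(".doc")):
            behaviors.append("read:" + f)
    if tr.branch("date_check", env["day"] == 13, tainted=True):    # logic bomb on the clock
        behaviors.append("wipe")
    if tr.branch("vm_check", env["cpu_count"] < 2, tainted=True):  # sandbox detection
        return behaviors                                            # play dead
    if tr.branch("c2_cmd", env["c2_reply"] == "run", tainted=True):  # unknown C2 protocol
        behaviors.append("download_payload")
    return behaviors


def collect_coverage(program, envs) -> Tracer:
    """Run the sample over many environments, aggregating branch counts."""
    tr = Tracer()
    for env in envs:
        program(env, tr)
    return tr


def branch_probabilities(tr: Tracer) -> Dict[BranchKey, float]:
    """P(outcome | branch reached), estimated from the coverage counts."""
    probs = {}
    for site, (taken, not_taken) in tr.counts.items():
        total = taken + not_taken
        probs[(site, True)] = taken / total
        probs[(site, False)] = not_taken / total
    return probs


def prioritize(probs, tainted, threshold: float = 0.2) -> List[BranchKey]:
    """Rare outcomes first; among equally rare ones, taint-influenced branches first."""
    rare = [k for k, p in probs.items() if p < threshold]
    return sorted(rare, key=lambda k: (probs[k], not tainted[k[0]]))


def explore(program, base_env, plan) -> Dict[BranchKey, set]:
    """Force each planned outcome in turn and report behaviors the baseline run lacked."""
    baseline = set(program(base_env, Tracer()))
    return {(site, outcome): set(program(base_env, Tracer(forced={site: outcome}))) - baseline
            for site, outcome in plan}


def make_envs(n: int = 30) -> List[dict]:
    """Constructed sandbox runs: day cycles 1..n, every 10th run looks like a
    1-CPU VM, and the C2 server never answers (offline sandbox)."""
    return [{"files": ["a.doc", "b.txt", "c.exe"], "day": i,
             "cpu_count": 1 if i % 10 == 0 else 4, "c2_reply": "none"}
            for i in range(1, n + 1)]


def run_demo():
    tr = collect_coverage(evasive_sample, make_envs())
    probs = branch_probabilities(tr)
    plan = prioritize(probs, tr.tainted)
    base = {"files": ["a.doc", "b.txt", "c.exe"], "day": 5, "cpu_count": 4, "c2_reply": "none"}
    return probs, plan, explore(evasive_sample, base, plan)


if __name__ == "__main__":
    probs, plan, found = run_demo()
    for key in plan:
        print(f"{key}: p={probs[key]:.3f}, new behaviors when forced: {sorted(found[key])}")
```

Two things the toy makes visible. The C2 branch was never taken in any coverage run, so its probability is exactly zero and it sorts first even though the analyst knows nothing about the protocol, which is the "unsupported technique" case the abstract mentions. The sandbox-check branch is also rare and tainted, but forcing it only triggers the play-dead path and yields nothing new, so a real exploration must spend its budget on rare outcomes that expose behavior rather than on every rare branch. Forcing a branch the real condition would not take can also crash a real sample when the forced path depends on state the other path sets up; the toy ignores that.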
9. Privacy Petri Net and Privacy Leak Software (cited by 2)
Authors: 范乐君, 王元卓, 李静远, 程学旗, 林闯. Journal of Computer Science & Technology (SCIE, EI, CSCD), 2015, Issue 6, pp. 1318-1343, 26 pages.
Private information leak behavior has been widely discovered in malware and suspicious applications. We refer to such software as privacy leak software (PLS). Nowadays, PLS has become a serious and challenging problem for cyber security. Previous methodologies fall into two categories: one focuses on the outbound network traffic of the applications; the other dives into the internal information flow of the applications. We present an abstract model called Privacy Petri Net (PPN), which is more applicable to various applications and more intuitive and vivid to users. We apply our approach to both malware and suspicious applications in the real world. The experimental results show that our approach can effectively find the categories, content, procedure, destination and severity of the private information leaks for the target software.
Keywords: privacy Petri net; privacy leak software; privacy function; private information; malware analysis