Abstract

Over the years cyber-attacks have become far more sophisticated, bringing new challenges to the cyber world, and cyber security is now one of the major concerns in network security. Attackers keep finding new ways to bypass the malware detection technologies deployed in the security domain. Static analysis of malware is no longer considered effective on its own, given the rate at which malware engineered to evade static analysis is spreading. The first step in protecting a system is a thorough understanding of existing malware: the different types of malware, the methods for detecting them, and the methods for mitigating their effects. E-Secure is a behavior-based malware detection system for corporate e-mail traffic. This paper proposes a malware security system that detects malicious files passing through the e-mail of a corporate network, as well as files uploaded separately through a website for analysis. Since signature-based methods cannot identify sophisticated malware effectively, dynamic analysis is used to identify the malware. The Cuckoo Sandbox plays an important role in analyzing the behavior of malware, but it has no feature to extract that behavior, cluster it, and present the results graphically in a way that is easy to understand. An application programming interface (API) is used to extract the behavior of each malware sample and to train the model automatically by feeding it the extracted behavior. The K-Means algorithm is used to cluster malware samples that share the same behaviors. A second API is developed to illustrate the clusters graphically. Once training is complete, a further API identifies the type of any new malware sample that arrives. Risk analysis is used to state the criticality of each malware sample.
The output of the whole process can be viewed through the E-Secure web interface, which helps even a junior network security administrator understand which malware was detected and how critical it is.
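To make the pipeline described in the abstract concrete (behavior extracted from Cuckoo reports, K-Means clustering of samples with similar behavior, assignment of a newly arrived sample to a cluster, and a risk score for its criticality), the following Python example is added here. It is not E-Secure's code or the paper's: the report shape (a per-process API-call histogram like Cuckoo's `behavior.apistats`), the sample values, the API names used as features, and the risk weights and thresholds are all assumptions made for the illustration.

```python
import math

# Constructed example inputs shaped like the per-process `behavior.apistats`
# section of a Cuckoo JSON report (pid -> {api name -> call count}). The values
# are made up for this example; they are not real sandbox output.
REPORTS = {
    "enc_1": {"1204": {"CreateFileW": 40, "WriteFile": 38, "DeleteFileW": 35,
                       "CryptEncrypt": 30, "RegSetValueExW": 1}},
    "enc_2": {"2210": {"CreateFileW": 52, "WriteFile": 50, "DeleteFileW": 48},
              "2244": {"CryptEncrypt": 45}},
    "dl_1": {"3000": {"InternetOpenA": 1, "InternetReadFile": 20, "URLDownloadToFileW": 1,
                      "CreateProcessW": 2, "CreateFileW": 2}},
    "dl_2": {"3100": {"InternetOpenA": 1, "InternetReadFile": 25, "URLDownloadToFileW": 2,
                      "CreateProcessW": 1, "CreateFileW": 3}},
}

# Assumed risk weights per API; the abstract does not give the paper's own scoring.
RISK_WEIGHTS = {"CryptEncrypt": 5, "URLDownloadToFileW": 4, "DeleteFileW": 3,
                "CreateProcessW": 2, "RegSetValueExW": 2, "InternetReadFile": 1}


def merge_apistats(apistats):
    """Sum call counts across all processes of one sample."""
    merged = {}
    for per_pid in apistats.values():
        for api, count in per_pid.items():
            merged[api] = merged.get(api, 0) + count
    return merged


def vectorize(counts, vocab):
    """Fixed-order feature vector; log1p damps very large call counts."""
    return [math.log1p(counts.get(api, 0)) for api in vocab]


def distance(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def nearest(vector, centroids):
    return min(range(len(centroids)), key=lambda i: distance(vector, centroids[i]))


def kmeans(vectors, k, max_iter=100):
    """Plain Lloyd's K-Means with deterministic farthest-point seeding."""
    centroids = [list(vectors[0])]
    while len(centroids) < k:
        far = max(vectors, key=lambda v: min(distance(v, c) for c in centroids))
        centroids.append(list(far))
    assignment = None
    for _ in range(max_iter):
        new_assignment = [nearest(v, centroids) for v in vectors]
        if new_assignment == assignment:
            break
        assignment = new_assignment
        for i in range(k):
            members = [v for v, a in zip(vectors, assignment) if a == i]
            if members:
                centroids[i] = [sum(col) / len(members) for col in zip(*members)]
    return centroids, assignment


def build_model(reports, k=2):
    """Extract behaviour, cluster it, and return what the classifier needs."""
    counts = {name: merge_apistats(r) for name, r in reports.items()}
    vocab = sorted({api for c in counts.values() for api in c})
    names = list(counts)
    centroids, assignment = kmeans([vectorize(counts[n], vocab) for n in names], k)
    clusters = {i: [n for n, a in zip(names, assignment) if a == i] for i in range(k)}
    return {"vocab": vocab, "centroids": centroids, "clusters": clusters}


def classify(report, model):
    """Cluster id of a new sample. APIs never seen in training are ignored."""
    return nearest(vectorize(merge_apistats(report), model["vocab"]), model["centroids"])


def cluster_of(name, model):
    for cid, members in model["clusters"].items():
        if name in members:
            return cid
    return None


def risk_score(report):
    counts = merge_apistats(report)
    return sum(w for api, w in RISK_WEIGHTS.items() if counts.get(api, 0) > 0)


def criticality(score):
    # Assumed thresholds for the example.
    if score >= 8:
        return "high"
    if score >= 4:
        return "medium"
    return "low"


if __name__ == "__main__":
    model = build_model(REPORTS)
    new_sample = {"4040": {"CreateFileW": 30, "WriteFile": 28, "DeleteFileW": 27,
                           "CryptEncrypt": 25, "SetWindowsHookExA": 1}}
    print("clusters:", model["clusters"])
    print("new sample -> cluster", classify(new_sample, model),
          "risk", criticality(risk_score(new_sample)))
```

Two caveats a practitioner would add on top of this. First, `classify` silently drops any API the training set never saw, so the vocabulary (and the value of k) has to be revisited as new families arrive rather than fixed once. Second, a sample that detects the sandbox and exits early produces an almost empty `apistats`; in a scheme like this it would land in whatever cluster is closest to the zero vector and score "low", so a near-empty behavior report should be treated as a signal to re-run or escalate, not as a clean verdict.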

Full Text
Published version (Free)
