Accurate Malware Detection Research Articles

Malware Detection Based on API Call Sequence Analysis: A Gated Recurrent Unit–Generative Adversarial Network Model Approach

Malware remains a major threat to computer systems, with a vast number of new samples being identified and documented regularly. Windows systems are particularly vulnerable to malicious programs like viruses, worms, and trojans. Dynamic analysis, which involves observing malware behavior during execution in a controlled environment, has emerged as a powerful technique for detection. This approach often focuses on analyzing Application Programming Interface (API) calls, which represent the interactions between the malware and the operating system. Recent advances in deep learning have shown promise in improving malware detection accuracy using API call sequence data. However, the potential of Generative Adversarial Networks (GANs) for this purpose remains largely unexplored. This paper proposes a novel hybrid deep learning model combining Gated Recurrent Units (GRUs) and GANs to enhance malware detection based on API call sequences from Windows portable executable files. We evaluate our GRU–GAN model against other approaches like Bidirectional Long Short-Term Memory (BiLSTM) and Bidirectional Gated Recurrent Unit (BiGRU) on multiple datasets. Results demonstrated the superior performance of our hybrid model, achieving 98.9% accuracy on the most challenging dataset. It outperformed existing models in resource utilization, with faster training and testing times and low memory usage.

AppPoet: Large language model based android malware detection via multi-view prompt engineering

Due to the vast array of Android applications, their multifarious functions and intricate behavioral semantics, attackers can adopt various tactics to conceal their genuine attack intentions within legitimate functions. However, numerous learning-based methods suffer from a limitation in mining behavioral semantic information, thus impeding the accuracy and efficiency of Android malware detection. Besides, the majority of existing learning-based methods are weakly interpretive and fail to furnish researchers with effective and readable detection reports. Inspired by the success of the Large Language Models (LLMs) in natural language understanding, we propose AppPoet, a LLM-assisted multi-view system for Android malware detection. Firstly, AppPoet employs a static method to comprehensively collect application features and formulate various observation views. Then, using our carefully crafted multi-view prompt templates, it guides the LLM to generate function descriptions and behavioral summaries for each view, enabling deep semantic analysis of the views. Finally, we collaboratively fuse the multi-view information to efficiently and accurately detect malware through a deep neural network (DNN) classifier and then generate the human-readable diagnostic reports. Experimental results demonstrate that our method achieves a detection accuracy of 97.15% and an F1 score of 97.21%, which is superior to the baseline methods. Furthermore, the case study evaluates the effectiveness of our generated diagnostic reports.

Architecture of an automated program complex based on a multiple kernel svm classifier for analyzing malicious executable files

Subject matter. This article presents the development and architecture of an automated program complex designed to identify and analyze malicious executable files using a classifier based on a multiple kernel support vector machine (SVM). Goal. The aim of the work is to create an automated system that enhances the accuracy and efficiency of malware detection by combining static and dynamic analysis into a single framework capable of processing large volumes of data with optimal time expenditure. Tasks. To achieve this goal, tasks were carried out that included developing a program complex that automates the collection of static and dynamic data from executable files using tools like IDA Pro, IDAPython, and Drakvuf; integrating a multiple kernel SVM classifier to analyze the collected heterogeneous data; validating the system's effectiveness based on a substantial dataset containing 1,389 executable samples; and demonstrating the system's scalability and practical applicability in real-world conditions. Methods. The methods involved a hybrid approach that combines static analysis – extracting byte code, disassembled instructions, and control flow graphs using IDA Pro and IDAPython – with dynamic analysis, which entails monitoring real-time behavior using Drakvuf. The multiple kernel SVM classifier integrates different data representations using various kernels, allowing for both linear and nonlinear relationships to be considered in the classification process. Results. The results of the study show that the system achieves a high level of accuracy and completeness, as evidenced by key performance metrics such as an F-score of 0.93 and ROC AUC and PR AUC values. The automated program complex reduces the analysis time of a single file from an average of 11 minutes to approximately 5 minutes, effectively doubling the throughput compared to previous methods. This significant reduction in processing time is critically important for deployment in environments where rapid and accurate malware detection is necessary. Furthermore, the system's scalability allows for efficient processing of large data volumes, making it suitable for real-world applications. Conclusions. In conclusion, the automated program complex developed in this study demonstrates significant improvements in the accuracy and efficiency of malware detection. By integrating multiple kernel SVM classification with static and dynamic analysis, the system shows potential for real-time malware detection and analysis. Its scalability and practical applicability indicate that it could become an important tool in combating modern cyber threats, providing organizations with an effective means to enhance their cybersecurity.

Optimal Weighted Voting-Based Collaborated Malware Detection for Zero-Day Malware: A Case Study on VirusTotal and MalwareBazaar

We propose a detection system incorporating a weighted voting mechanism that reflects the vote’s reliability based on the accuracy of each detector’s examination, which overcomes the problem of cooperative detection. Collaborative malware detection is an effective strategy against zero-day attacks compared to one using only a single detector because the strategy might pick up attacks that a single detector overlooked. However, cooperative detection is still ineffective if most anti-virus engines lack sufficient intelligence to detect zero-day malware. Most collaborative methods rely on majority voting, which prioritizes the quantity of votes rather than the quality of those votes. Therefore, our study investigated the zero-day malware detection accuracy of the collaborative system that optimally rates their weight of votes based on their malware categories of expertise of each anti-virus engine. We implemented the prototype system with the VirusTotal API and evaluated the system using real malware registered in MalwareBazaar. To evaluate the effectiveness of zero-day malware detection, we measured recall using the inspection results on the same day the malware was registered in the MalwareBazaar repository. Through experiments, we confirmed that the proposed system can suppress the false negatives of uniformly weighted voting and improve detection accuracy against new types of malware.

Certifying Accuracy, Privacy, and Robustness of ML-Based Malware Detection

Recent advances in artificial intelligence (AI) are radically changing how systems and applications are designed and developed. In this context, new requirements and regulations emerge, such as the AI Act, placing increasing focus on strict non-functional requirements, such as privacy and robustness, and how they are verified. Certification is considered the most suitable solution for non-functional verification of modern distributed systems, and is increasingly pushed forward in the verification of AI-based applications. In this paper, we present a novel dynamic malware detector driven by the requirements in the AI Act, which goes beyond standard support for high accuracy, and also considers privacy and robustness. Privacy aims to limit the need of malware detectors to examine the entire system in depth requiring administrator-level permissions; robustness refers to the ability to cope with malware mounting evasion attacks to escape detection. We then propose a certification scheme to evaluate non-functional properties of malware detectors, which is used to comparatively evaluate our malware detector and two representative deep-learning solutions in literature.

RETRACTED: TriCh-LKRepNet: A large kernel convolutional malicious code classification network for structure reparameterisation and triple-channel mapping

In response to escalating cybersecurity threats, this study aims to develop a lightweight deep learning model for efficient and accurate detection and classification of malware. To achieve this goal, the study introduces RGB-MalNet, a novel network architecture that balances performance and resource utilization. The method innovatively transforms malware representations into image channels through RGB three-channel mapping, which improves information richness and discriminative power. RGB-MalNet creates a streamlined framework that optimizes network connections, reduces memory access overhead, and boosts overall efficiency. The model achieves accuracy rates of 99.47% and 97.55% on the Kaggle and DataCon datasets, respectively. Compared to existing methodologies, this approach stands out in terms of performance, resource consumption, and versatility. It offers a viable and efficient solution for malicious code detection and classification.

Tuning the k value in k-nearest neighbors for malware detection

<span>Malicious software, also referred to as malware, poses a serious threat to computer networks, user privacy, and user systems. Effective cybersecurity depends on the correct detection and classification of malware. In order to improve its effectiveness, the K-Nearest Neighbors (KNN) method is applied systematically in this study to the task of malware detection. The study investigates the effect of the number of neighbors (K) parameter on the KNN's performance. MalMem-2022 malware datasets and relevant evaluation criteria like accuracy, precision, recall, and F1-score will be used to assess the efficacy of the suggested technique. The experiments evaluate how parameter tuning affects the accuracy of malware detection by comparing the performance of various parameter setups. The study findings show that careful parameter adjustment considerably boosts the KNN method's malware detection capability. The research also highlights the potential of KNN with parameter adjustment as a useful tool for malware detection in real-world circumstances, allowing for prompt and precise identification of malware.</span>

MeMalDet: A memory analysis-based malware detection framework using deep autoencoders and stacked ensemble under temporal evaluations

Malware attacks continue to evolve, making detection challenging for traditional static and dynamic analysis techniques. On the other hand, memory analysis provides valuable behavioral insights, but prior research lacks temporal evaluations which are critical for robust detection of new malware variants over time. This paper presents MeMalDet, a novel memory analysis-based malware detection technique using deep autoencoders and stacked ensemble learning. We introduce an improved dataset with temporal attributes enabling more realistic evaluations of memory-based malware detection techniques under concept drift (temporal data split). MeMalDet extracts optimal features from memory dumps using deep autoencoders in an unsupervised manner, avoiding manual feature engineering. A stacked ensemble of supervised classifiers then performs highly accurate malware detection. Extensive experiments on our improved large-scale public dataset demonstrate MeMalDet’s ability to maintain high performance when detecting obfuscated malware under temporal splits. We achieve up to 98.82% accuracy and 98.72% F1-score in detecting previously unseen advanced obfuscated malware, significantly improving upon state-of-the-art memory analysis-based malware detection techniques. The improved dataset enables temporally robust evaluations, which is a novel contribution. MeMalDet combines the benefits of representation learning and supervised machine learning ensemble classification for effective malware detection over time using memory analysis. This research provides a new capability for identifying evasive modern malware and combating evolving real-world threats.

Enhanced Profile Hidden Markov Model for Metamorphic Malware Detection

Metamorphic malware poses a significant threat to conventional signature-based malware detection since its signature is mutable. Multiple copies can be created from metamorphic malware. As such, signature- based malware detection is impractical and ineffective. Thus, research in recent years has focused on applying machine learning-based approaches to malware detection. Profile Hidden Markov Model is a probabilistic model that uses multiple sequence alignments and a position-based scoring system. An enhanced Profile Hidden Markov Model was constructed with the following modifications: n-gram analysis to determine the best length of n-gram for the dataset, setting frequency threshold to determine which n-gram opcodes will be included in the malware detection, and adding consensus sequences to multiple sequence alignments. 1000 malware executables files and 40 benign executable files were utilized in the study. Results show that n-gram analysis and adding consensus sequence help increase malware detection accuracy. Moreover, setting the frequency threshold based on the average TF-IDF of n-gram opcodes gives the best accuracy in most malware families than just by getting the top 36 most occurring n-grams, as done in previous studies.

DEF: Deep Ensemble Neural Network Classifier for Android Malware Detection

Malware is one of the threats to security of computer networks and information systems. Since malware instances are available sufficiently, there is increased interest among researchers on usage of Artificial Intelligence (AI). Of late AI-enabled methods such as machine learning (ML) and deep learning paved way for solving many real-world problems. As it is a learning-based approach, accumulated training samples help in improving thequality of training and thus leveraging malware detection accuracy. Existing deep learning methods are focusing on learning-based malware detection systems. However, there is need for improving the state of the art through ensemble approach. Towards this end, in this paper we proposed a framework known as Deep Ensemble Framework (DEF) for automatic malware detection. The framework obtains features from training samples. From given malware instance a grayscale image is generated. There is another process to extract the opcode sequences. Convolutional Neural Network (CNN) and Long Short Term Memory (LSTM) techniques are used to obtain grayscale image and opcode sequence respectively. Afterwards, a stacking ensemble is employed in order to achieve efficient malware detection and classification. Malware samples collected from the Internet sources and Microsoft are used for the empirical study. An algorithm known as Ensemble Learning for Automatic Malware Detection (EL-AML) is proposed to realize our framework. Another algorithm named Pre-Process is proposed to assist the ELAML algorithm for obtaining intermediate features required by CNN and LSTM. Empirical study reveals that our framework outperforms many existing methods in terms of speed-up and accuracy.

A recent survey of image-based malware classification using convolution neural network

<p>Despite numerous breakthroughs in creating and applying new and current approaches to malware detection and classification, the number of malware attacks on computer systems and networks is increasing. Malware authors are continually changing their operations and activities with tools or methodologies, making it tough to categorize and detect malware. Malware detection methods such as static or dynamic detection, although useful, have had challenges detecting zero-day malware and polymorphic malware. Even though machine learning techniques have been applied in this area, deep neural network models using image visualization have proven to be very effective in malware detection and classification, presenting better accuracy results. Hence, this article intends to conduct a survey showing recent works by researchers and their techniques used for malware detection and classification using convolutional neural network (CNN) models highlighting strengths, and identifying areas of potential limitations such as size of datasets and features extraction. Furthermore, a review of relevant research publications on the subject is offered, which also highlights the limitations of models and dataset availability, along with a full tabular comparison of their accuracy in malware detection and classification. Consequently, this review study will contribute to the advancement and serve as a basis for future research in the field of developing CNN models for malware detection and classification.</p>

A multi-objectives framework for secure blockchain in fog–cloud network of vehicle-to-infrastructure applications

The Intelligent Transport System (ITS) is an emerging paradigm that offers numerous services at the infrastructure level for vehicle applications. Vehicle-to-infrastructure (V2I) is an advanced form of ITS where diverse vehicle services are deployed on the roadside unit. V2I consists of distributed computing nodes where transport applications are parallel processed. Many research challenges exist in the presented V2I paradigms regarding security, cyber-attacks, and application processing among heterogeneous nodes. These cyber-attacks, Sybil attacks, and their attempts cause a lack of security and degrade the V2I performance in the presented paradigms. This paper presents a new secure blockchain framework that handles cyber-attacks, as mentioned earlier. This paper formulates this complex problem as a combinatorial problem, encompassing concave and convex problems. The convex function minimizes the given constraints, such as time and security risk, and the concave function improves performance and accuracy. Therefore, numerous constraints, such as time, energy, malware detection accuracy, and application deadlines, require optimization for the considered problem. Combining the jointly non-dominated sorting genetic algorithm (NSGA-II) and long short-term memory (LSTM) schemes is the best way to meet the problem’s limitations. In this study, the paper designed a malware dataset with known and unknown malware. The different kinds of malware lists (e.g., cyber-attacks) are considered in the form of known and unknown malware lists with the characteristics, size of code, where malware comes from, attack on which data, and current status of the workload after being attacked by the malware. Our main idea is to present blockchain, NSGA-II, and LSTM schemes that handle phishing, routing, Sybil, and 51% of cyber-attacks without compromising application performance. Simulation results show that the study reduces delay and energy, improves accuracy, and minimizes security risks for vehicular applications.

Multi-Level Fusion for Enhanced Host-based Malware Detection in ICT-Enabled Smart Cities

In smart cities, the widespread adoption of Information and Communication Technologies (ICTs) presents both opportunities and challenges for security. While ICTs enable increased productivity, data sharing, and improved citizen services, they also create new vulnerabilities for malicious actors to exploit. This necessitates robust host-based security solutions to protect critical infrastructure and data. This paper proposes a novel multi-level fusion approach for enhanced host-based malware detection in ICT-enabled smart cities. By leveraging diverse data sources and employing advanced fusion techniques, our approach achieves significant improvements in malware detection accuracy, network evaluation, and security analysis compared to existing methods. Specifically, our proposed approach demonstrates a 72.1% malware detection rate across various attack scenarios, 69.7% accuracy in host network evaluation, 82.8% reduction in security analysis error, 75.4% accuracy in network probability detection, and an overall accuracy of 67.2%. These results showcase the potential of multi-level fusion for strengthening host-based security in smart cities. This approach offers several advantages over traditional host-based security solutions. Firstly, it provides more comprehensive threat detection by utilizing multiple data sources. Secondly, it reduces the burden on IT administrators by automating security analysis and decision-making. Finally, it enables continuous improvement through adaptive learning and feedback mechanisms. Overall, our multi-level fusion approach represents a promising advancement in host-based security for ICT-enabled smart cities. It offers significant improvements in accuracy and efficiency, paving the way for a more secure and resilient urban environment.

A Comprehensive Study of Efficient and Accurate Malware Detection Using Static and Dynamic Analysis Methods.

A Comprehensive Study of Efficient and Accurate Malware Detection Using Static and Dynamic Analysis Methods.

Optimal feature selection based on OCS for improved malware detection in IoT networks using an ensemble classifier

The increasing amount of IoT devices increases the size of network traffic data, causing an increase in the incidence of security breaches in IoT networks. Cybercriminals have developed malware to compromise the security of sensitive data, among other cyber threats. In the presence of inadequate and robust security mechanisms, sensitive data is prone to vulnerability. Hence, protecting data in the IoT environment is becoming a mandatory task. Various approaches have addressed malware detection using network data features. However, there is still room for improvement in developing superior techniques and utilizing more comprehensive datasets. This paper presents a novel lightweight ensemble voting classifier to detect malware traffic by deploying the best possible network data. The merits of the correlation coefficient and Opposition-Based Crow Search Algorithm (OCS) have been leveraged to compute the best possible features. Another advantage of this proposed experiment is its focus on a dataset tailored to malware traffic features. This focus enables highly accurate malware detection. After feature selection using OCS, the proposed malware classifier is trained and validated with both 5-fold and 10-fold cross-validation techniques. The tested results confirm that the presented malware classifier performs best using a minimal feature set, which is highly advantageous for IoT networks due to resource constraints.

DL-AMDet: Deep learning-based malware detector for android

The Android operating system, with its market share leadership and open-source nature in smartphones, has become the primary target of malware. However, detecting malicious Android processes has become a significant challenge because of the complexity of size, length, and associations of various important and distinctive elements of Android applications, such as API calls and system calls. In this paper DL-AMDet, a deep learning architecture is proposed to detect Android malware applications based on its static and dynamic features. DL-AMDet consists of two main detection models the first one uses CNN-BiLSTM deep learning method for detecting malware using static analysis. The other model utilizes deep Autoencoders as an anomaly detection model to identify the malware based on dynamic analysis. The performance of the DL-AMDet architecture is evaluated using two different datasets. The results show that DL-AMDet achieves a competitive malware detection accuracy of 99.935 % for static and dynamic analysis models combined. Additionally, the results emphasize the significance of CNN-BiLSTM and Deep Autoencoders models used in DL-AMDet to outperform the existing state-of-the-art techniques.

Android Security: Malware Detection with Convolutional Neural Network and Feature Analysis

Android is a mobile operating system based on a modified version of the Linux kernel and other open-source tools. Due to its system efficiency and the multitude of features it offers to users, the Android operating system has taken a leading position in the technology market and often attracts the attention of cybercriminals. As malware continues to evolve, traditional methods for detecting Android malware, such as signature-based approaches, may not be sufficient to detect the latest malware threats. Therefore, this research proposes a deep learning algorithm, specifically Convolutional Neural Network (CNN) and Component Analysis (PCA), for feature extraction to enhance the accuracy of Android malware detection. The dataset used in this study is the CICAndMal2017 dataset. Testing results are evaluated using three parameters: accuracy, precision, and recall. Experimental results indicate that our deep learning approach outperforms many other methods with an accuracy of 91%.

AIS for Malware Detection in a Realistic IoT System: Challenges and Opportunities

With the expansion of the digital world, the number of Internet of things (IoT) devices is evolving dramatically. IoT devices have limited computational power and a small memory. Consequently, existing and complex security methods are not suitable to detect unknown malware attacks in IoT networks. This has become a major concern in the advent of increasingly unpredictable and innovative cyberattacks. In this context, artificial immune systems (AISs) have emerged as an effective malware detection mechanism with low requirements for computation and memory. In this research, we first validate the malware detection results of a recent AIS solution using multiple datasets with different types of malware attacks. Next, we examine the potential gains and limitations of promising AIS solutions under realistic implementation scenarios. We design a realistic IoT framework mimicking real-life IoT system architectures. The objective is to evaluate the AIS solutions’ performance with regard to the system constraints. We demonstrate that AIS solutions succeed in detecting unknown malware in the most challenging conditions. Furthermore, the systemic results with different system architectures reveal the AIS solutions’ ability to transfer learning between IoT devices. Transfer learning is a pivotal feature in the presence of highly constrained devices in the network. More importantly, this work highlights that previously published AIS performance results, which were obtained in a simulation environment, cannot be taken at face value. In reality, AIS’s malware detection accuracy for IoT systems is 91% in the most restricted designed system compared to the 99% accuracy rate reported in the simulation experiment.

Advanced Malware detection with Inception V3 for Enhanced Computer Security

In the domain of computer security, identifying and categorizing malware is of utmost importance. Malicious software frequently employs sophisticated methods to avoid detection, underscoring the urgency of early identification to protect computer networks and the Internet from extensive harm. This study tackles the obstacles related to malware detection and presents an innovative solution leveraging Convolutional Neural Network (CNN) classification through Inception V3.The input dataset is pre-processed to make the procedure easier. Initial stage of pre-processing is performed on dataset followed by data visualization. These data visualizations help identify the abnormalities and their existence or absence, as well as the structure of data. The categorization process is performed by Inception V3, a CNN-based classification network. The Inception V3 is compared with the most accurate models to assess the effectiveness of proposed system. The implementation of the proposed approach is carried out using the Python programming language. The outcomes of this research showcase the proficiency of the developed system, highlighting its potential in enhancing the accuracy and efficiency of malware detection.

Intellectual Feature Ranking Model with Correlated Feature Set based Malware Detection in Cloud environment using Machine Learning

Malware detection for cloud systems has been studied extensively, and many different approaches have been developed and implemented in an effort to stay ahead of this ever-evolving threat. Malware refers to any programme or defect that is designed to duplicate itself or cause damage to the system's hardware or software. These attacks are designed specifically to cause harm to operational systems, but they are invisible to the human eye. One of the most exciting developments in data storage and service delivery today is cloud computing. There are significant benefits to be gained over more conventional protection methods by making use of this fast evolving technology to protect computer-based systems from cyber-related threats. Assets to be secured may reside in any networked computing environment, including but not limited to Cyber Physical Systems (CPS), critical systems, fixed and portable computers, mobile devices, and the Internet of Things (IoT). Malicious software or malware refers to any programme that intentionally compromises a computer system in order to compromise its security, privacy, or availability. A cloud-based intelligent behavior analysis model for malware detection system using feature set is proposed to identify the ever-increasing malware attacks. The suggested system begins by collecting malware samples from several virtual machines, from which unique characteristics can be extracted easily. Then, the malicious and safe samples are separated using the features provided to the learning-based and rule-based detection agents. To generate a relevant feature set for accurate malware detection, this research proposes an Intellectual Feature Ranking Model with Correlated Feature Set (IFR-CFS) model using enhanced logistic regression model for accurate detection of malware in the cloud environment. The proposed model when compared to the traditional feature selection model, performs better in generation of feature set for accurate detection of malware.