Anti-virus Systems Research Articles

Performance Comparative Study on Zero Day Malware Detection Using XGBoost and Random Forest Classifiers

Zero-day malware is a significant threat to cybersecurity as it is unknown to antivirus systems and can cause significant damage before being detected. Traditional malware detection methods rely on signatures and patterns specific to known malware, but these methods are ineffective against zero-day malware that has not been previously encountered. Machine learning has shown promise in detecting and classifying unknown threats, including zero-day malware. In this research, we propose using machine learning classifiers to detect and classify zero-day malware. The selected classifiers are Random Forest and XGBoost, well-known and widely used in machine learning. To evaluate the effectiveness of our approach, we first collect and pre-process a dataset of known malware. The dataset, Meraz'18, is used to train and test the selected classifiers. This dataset contains PEHeaders with static analysis performed with each section calculated on its entropy. The dataset contains a representation of benign and malicious files that has been use in previous studies for zero-day malware detection, namely during the payload injection phase. To prevent overfitting, 10-fold-cross-validation is utilized. The performance metrics of these classifiers such as F1-score, accuracy, Cohen’s kappa, precision and recall analyzed on the known malware dataset and evaluate their ability to detect and classify zero-day malware. Hyperparameter tuning is used to tune each model to give the best performance of each model. The results show that the proposed classifiers perform extremely well, both achieving up to almost 98% accuracy. Using machine learning classifiers for zero-day malware detection and classification can significantly improve cybersecurity by providing a way to detect and protect against unknown threats. This work is an essential step towards the development of more robust cybersecurity systems that can effectively protect against unknown threats.

Digital Literacy, Skills, and Security: Impact on Digital Leadership in Higher Education

This research examines the influence of digital literacy and social media usage skills on digital leadership in higher education and the moderating role of digital security and antivirus software. This research uses the path analysis method with Smart PLS 4.0 software. They were conducted from January to February 2024, involving 100 management program students using the saturated sampling method. The research results show that digital literacy and social media usage skills positively and significantly affect digital leadership. Digital security also has a positive impact on digital leadership. However, the hypothesis regarding antivirus and security systems as moderating variables was rejected, indicating that they did not increase the influence of digital security or social media skills on digital leadership. This research contributes to developing university curricula and leadership programs by integrating aspects of digital security. The model successfully identified significant influences on digital leadership with high reliability and validity. The rejection of some moderation hypotheses suggests that further research is needed to understand the dynamics between these variables, paving the way for refining the model and exploring other influencing factors.

Anomalous Network Behaviour Detection in Interoperable Health Systems using Machine Learning in Resource Limited Areas

The connection of devices in distributed environments produces and shares a vast amount of data useful for different organisational decision-making. In healthcare service organisations, for example, multiple e-health systems from different departments or facilities connect and share health data and information. During sharing, proper management is important to ensure the information is secure against intruders. Machine learning as a non-conventional security technique can be used along conventional techniques like firewalls, antivirus and intrusion detection systems to predict future network threats and other anomalies using historical backgrounds and other features. However, some machine learning algorithms have complex computation thus requiring resourceful systems in terms of network bandwidth, CPU power, memory, and storage capacity. In resource-constrained environments, therefore, special consideration is needed to ensure that the analysis of the big data is successful and that the benefits associated with them are effectively obtained. In this paper, a Machine Learning algorithm was selected among four algorithms whose performance was compared through various performance metrics. Classification accuracy, Mean Absolute Error (MAE), Root Mean Square Error (RMSE), and Relative Absolute Error (RAE) among other performance metrics were used to compare the ANN, Random forest, Decision trees, and Naïve byes classification algorithms using an extract from CICDDOS2019 dataset. Using the Weka version 3.8.6, the algorithms were compared to choose the best one to classify the data. By using three computers with different resources, the experiments were carried out to determine the performance of those machine learning algorithms. The result revealed that the random forest produced a good average classification performance in resource-limited systems since it surpassed other algorithms in classifying the data at an average of 99 per cent with a low average mean absolute error of 0.0001. Furthermore, as an ensemble that classifies with multiple decision trees algorithm, it likewise uses reasonable time to build and test the model therefore recommended for resource-limited systems.

Biological functions and clinic significance of SAF‑A (Review).

As one member of the heterogeneous ribonucleoprotein (hnRNP) family, scaffold attachment factor A (SAF-A) or hnRNP U, is an abundant nuclear protein. With RNA and DNA binding activities, SAF-A has multiple functions. The present review focused on the biological structure and different roles of SAF-A and SAF-A-related diseases. It was found that SAF-A maintains the higher-order chromatin organization via RNA and DNA, and regulates transcription at the initiation and elongation stages. In addition to regulating pre-mRNA splicing, mRNA transportation and stabilization, SAF-A participates in double-strand breaks and mitosis repair. Therefore, the aberrant expression and mutation of SAF-A results in tumors and impaired neurodevelopment. Moreover, SAF-A may play a role in the anti-virus system. In conclusion, due to its essential biological functions, SAF-A may be a valuable clinical prediction factor or therapeutic target. Since the role of SAF-A in tumors and viral infections may be controversial, more animal experiments and clinical assays are needed.

Testing multiplexed anti-ASFV CRISPR-Cas9 in reducing African swine fever virus.

ASFV is currently a devastating disease with no effective vaccine or treatment available. Our study introduces a multiplexed CRISPR-Cas system targeting nine specific loci in the ASFV genome. This innovative approach successfully inhibits ASFV replication in vitro, and we have successfully engineered pig strains to express this anti-ASFV CRISPR-Cas system constitutively. Despite not observing survival advantages in these transgenic pigs upon ASFV challenges, we did note a delay in infection in some cases. To the best of our knowledge, this study constitutes the first example of a germline-edited animal with an anti-virus CRISPR-Cas system. These findings contribute to the advancement of future anti-viral strategies and the optimization of viral immunity technologies.

MAlign: Explainable static raw-byte based malware family classification using sequence alignment

For a long time, malware classification and analysis have been an arms-race between antivirus systems and malware authors. Though static analysis is vulnerable to evasion techniques, it is still popular as the first line of defense in antivirus systems. But most of the static analyzers failed to gain the trust of practitioners due to their black-box nature. We propose MAlign, a novel static malware family classification approach inspired by genome sequence alignment that can not only classify malware families but can also provide explanations for its decision. MAlign encodes raw bytes using nucleotides and adopts genome sequence alignment approaches to create a signature of a malware family based on the conserved code segments in that family, without any human labor or expertise. We evaluate MAlign on two malware datasets, and it outperforms other state-of-the-art machine learning-based malware classifiers (by 4.49%∼0.07%), especially on small datasets (by 19.48%∼1.2%). Furthermore, we explain the generated signatures by MAlign on different malware families illustrating the kinds of insights it can provide to analysts, and show its efficacy as an analysis tool. Additionally, we evaluate its theoretical and empirical robustness against some common attacks. In this paper, we approach static malware analysis from a unique perspective, aiming to strike a delicate balance among performance, interpretability, and robustness.

Computer Network Virus Defense with Data Mining-based Active Protection

A novel approach is presented in this paper to address the limitations of virtual machine technology, active kernel technology, heuristic killing technology, and behaviour killing technology in computer network virus defence. The proposed method provides data mining technology, specifically Object-Oriented Analysis (OOA) mining, to detect deformed and unknown viruses by analyzing the sequence of Win API calls in PE files. Experimental results showcase the Data Mining-based Antivirus (DMAV) system's superiority over existing virus scanning software in multiple aspects: higher accuracy in deformed virus detection, enhanced active defence capabilities against unknown viruses (with a recognition rate of 92%), improved efficiency, and a reduced false alarm rate for non-virus file detection. Furthermore, the paper introduces an OOA rule generator to optimize feature extraction, enhancing the system's intelligence and robustness. This research provides a promising solution to support virus detection accuracy, active defence mechanisms, and overall efficiency while minimizing false positives in virus scanning, thus contributing significantly to the advancement of computer network security.

Evolving malware variants as antigens for antivirus systems

Evolving malware variants as antigens for antivirus systems

Model for the Propagation of Malicious Objects in a Computer Network with Variable Infection Intensity

There are a significant number of scientific publications that use epidemic models to propagate malicious objects in a computer network. These models are based on Markovian models with a constant intensity of transitions, which does not correspond to real conditions, since the intensity of transitions changes due to the fact that after some time antivirus systems start to recognize malware. This paper proposes an original approach based on an epidemic model with variable infection intensity of hosts in a computer network. In the beginning, when the threat is not recognized, the malware spreads rapidly. After a certain period of time, the antivirus system recognizes the malicious code, which leads to a decrease in the infection intensity. Simulations have been done for different infection intensity and threat recognition. Demonstrated models account for the infection time of hosts in the computer network, latency phase, malware detection, and clearance from the system.

Analysis of the capacity of existing anti-virus protection systems and their based methods for detecting new malware in military information systems

The article solves the task of analyzing the ability of existing anti-virus systems and the methods based on them to detect new malicious software in information systems of critical infrastructure, in particular, the sector of the state defense forces. It is noted that the official data of the developers of antivirus systems often do not confirm the declared level of accuracy of detecting new malicious software in practice. In addition, in most cases, the declared accuracy rate of detecting new malware is higher than the similar rate of detection of known malware, which indicates that the antivirus systems in question are tested in specific conditions that are too different from real ones. The properties of new malicious software are described in order to find the most suitable class of computer viruses. Classes of polymorphic (oligomorphic) and metamorphic viruses demonstrate the most complete compliance with the specified properties, which allows us to assert their significant share in the use of new malicious software. The characteristics of malicious software detection methods are given, which due to their properties are able to adapt to a certain extent to their metamorphic (polymorphic) nature. Methods based on the theory of fuzzy logic demonstrate the most complete correspondence. The direction of improvement of the existing anti-virus systems in order to increase the adaptability to the detection of new (polymorphic, metamorphic) classes of malicious software is proposed. The obtained results should be considered as a basis for the implementation of new approaches to the detection of malicious software in order to identify previously unknown instances of it, which will allow to significantly increase the effectiveness of ensuring cyber security of modern information systems and networks.

Towards a Critical Review of Cybersecurity Risks in Anti-Poaching Systems

Anti-poaching operations increasingly make use of a wide variety of technology for intelligence and communications. These technologies introduce cybersecurity risk, and they need to be secured to provide greater protection to the information and people involved in anti-poaching operations, ultimately protecting vulnerable animals better. A hypothetical network of anti-poaching technologies was simulated in Graphical Network Simulator 3 (GNS3), consisting of various field devices identified in the literature, and a main control room with relevant hardware devices. A virtual Kali Linux machine was connected to the network and played the role of a digital attacker or intruder. Several cyber-attacks were carried out, to show the risks inherent to such an interoperable and socio-technical network. These attacks included Man in the Middle (MitM) and Denial of Service (DoS) attacks. These attacks were then mitigated via system configurations. Further risks and threat considerations were identified in the literature. Using the STRIDE, DREAD and Attack Tree threat models, the risks to an anti-poaching network were classified and calculated. The most prevalent threats and the attacks performed in the simulation were all calculated to have a high risk level, posing a great threat to an unsecured network. The STRIDE classes of Denial of Service and Elevation of Privilege posed the most risk to the system, both having a calculated average risk score of 9 out of 10. Mitigations to general network threats and those identified in the simulation are mentioned. Additionally, authentication for such a system was investigated, as improper authentication practices were deemed a risk and provides a foothold for further risks in the network. Recommendations made, include the proper configuration of network devices, especially the router and switch, and the use of anti-virus, firewalls, and intrusion detection systems, as well as having an external audit performed annually. Multi-factor authentication, with a password/fingerprint combination, is recommended.

Hybrid H-DOC: A bait for analyzing cyber attacker behavior

Cyber security is a vital concern for companies with internet-based cloud networks. These networks are constantly vulnerable to attack, whether from inside or outside organization. Due to the ever-changing nature of the cyber world, security solutions must be updated regularly in order to keep infrastructure secure. With the use of attack detection approaches, security systems such as antivirus, firewalls, or intrusion detection systems have become more effective. However, conventional systems are unable to detect zero-day attacks or behavioral changes. These drawbacks can be overcome by setting up a honeypot. In this paper, a hybrid Honeynet model deployed in Docker (H-DOC) bait has been proposed that comprises both low interaction and high interaction honeypot to attract the malicious attacker and to analyze the behavioral patterns. This is a form of bait, designed to detect or block attacks, or to divert an attacker's attention away from the legitimate services. It focuses only on the SSH protocol, as it is widely used for remote system access and is a popular target of attacks. The proposed Hybrid H-DOC method identify ransomware activity, attack trends, and timely decision-making through the use of an effective rule and tunes the firewall. The attack detection accuracy of the proposed Hybrid H-DOC method when compared with IDH, Decepti-SCADA, AS-IDS and HDCM is 13.97%, 11.82%, 8.60% and 5.07% respectively.

An Effective Threat Detection Framework for Advanced Persistent Cyberattacks

Recently, with the normalization of non-face-to-face online environments in response to the COVID-19 pandemic, the possibility of cyberattacks through endpoints has increased. Numerous endpoint devices are managed meticulously to prevent cyberattacks and ensure timely responses to potential security threats. In particular, because telecommuting, telemedicine, and tele-education are implemented in uncontrolled environments, attackers typically target vulnerable endpoints to acquire administrator rights or steal authentication information, and reports of endpoint attacks have been increasing considerably. Advanced persistent threats (APTs) using various novel variant malicious codes are a form of a sophisticated attack. However, conventional commercial antivirus and anti-malware systems that use signature-based attack detection methods cannot satisfactorily respond to such attacks. In this paper, we propose a method that expands the detection coverage in APT attack environments. In this model, an open-source threat detector and log collector are used synergistically to improve threat detection performance. Extending the scope of attack log collection through interworking between highly accessible open-source tools can efficiently increase the detection coverage of tactics and techniques used to deal with APT attacks, as defined by MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK). We implemented an attack environment using an APT attack scenario emulator called Carbanak and analyzed the detection coverage of Google Rapid Response (GRR), an open-source threat detection tool, and Graylog, an open-source log collector. The proposed method expanded the detection coverage against MITRE ATT&CK by approximately 11% compared with that conventional methods.

Performance Evaluation of Antivirus Systems for Computer Networks

Performance Evaluation of Antivirus Systems for Computer Networks

Technical Analysis of Thanos Ransomware

Ransomware is a developing menace that encrypts users’ files and holds the decryption key hostage until the victim pays a ransom. This particular class of malware has been in charge of extortion hundreds of millions of dollars every year. Adding to the problem, generating new variations is cheap. Therefore, new malware can detect antivirus and intrusion detection systems and evade them or manifest in ways to make themselves undetectable. We must first understand the characteristics and behavior of various varieties of ransomware to create and construct effective security mechanisms to combat them. This research presents a novel dynamic and behavioral analysis of a newly discovered ransomware called Thanos. It was founded in 2020 and is building up to be the leading malware used by low-to-medium-level attackers. It is part of a new ransomware class known as RaaS (Ransomware as a Service), where attackers can customize it for their desired target audience. So far, it is more prevalent in the middle east and North Africa and has over 130 unique samples already. As part of this investigation, the Thanos ransomware is carefully being analyzed. A testbed is created in the virtual artificial environment that mimics a regular operating system and identifies malware interactions with user data. Using this testbed, we can study how ransomware generally affects our system, how it spreads, and how it continually persists to access the user’s information. We can design a new security mechanism to detect and mitigate Thanos and similar ransomware based on behavior examination results.

ANTIVIRUS SYSTEM BASED ON ARTIFICIAL INTELLIGENCE CROSS¬LEARNING TECHNOLOGY

The work is devoted to the priority task in the field of digital transformation, namely, ensuring the protection of information systems and technologies. Artificial intelligence has become one of the key tools in solving this problem. The paper considers an anti-virus system based on artificial intelligence crosstraining technology. It presents statistical data confirming the need to implement the technology described in the paper due to a sharp increase in the number of infections of information systems and cyber attacks in recent years. The purpose of this development is to increase the efficiency and reliability of anti-virus systems, providing adaptability to the appearance of new types of cyberthreats. Based on a review of existing analogues for implementing artificial intelligence in cybersecurity, the main drawbacks of using this technology were identified, which were taken into account when developing an antivirus system based on artificial intelligence cross-training technology. The working principle of the proposed solution and the expected benefits from its use are formulated. Two main components of the system – the operation algorithm and the database – are considered in detail. The structural scheme of interaction between the elements in the cross-learning method is presented. The constituent elements of this scheme are described and the purpose of each of them is dissected. The structures of the proposed neural networks are considered. The fundamental logic of the used algorithms and types of mathematical methods is given. All databases necessary to provide the functionality of the described learning algorithm, and their purpose are disassembled. The choice of tools to implement cross-learning technology is justified. In conclusion, a conclusion is made about the possibilities of application of the antivirus system described in the work and about the main difficulties of its implementation.

NUMERICAL-ANALYTIC SOLUTION OF ONE MODELING PROBLEM OF FRACTIONAL-DIFFERENTIAL DYNAMICS OF COMPUTER VIRUSES

The paper considers the problem of modeling the dynamics of computer viruses spreading using a model based on the mathematical theory of biological epidemics. The urgency of the considered problem arises from the need to build effective anti-virus protection systems for computer networks based on the results of mathematical modeling of the spread of malicious software. We consider the SIES-model (Gan C., Yang X., Zhu Q.), that studies spread dynamics of computer viruses separating the influence of the action of computers accessible and unavailable on the Internet. In order to take into account non-local effects in this model, in particular memory effects, its modification on the ideas of the theory of fractional-order integro-differentiation is proposed. The technique of obtaining a numerical-analytical solution of the problem of modeling of computer viruses spread dynamics on the base of the fractional-differential counterpart of the SIES-model is presented. Closed forms solutions of the problems for the number of vulnerable and external computers are obtained, and a finite-difference scheme of the fractional Adams method for the problem of determining the number of infected computers is constructed. The results of computational experiments based on the developed technique of numerical-analytical solution show that there is a subdiffusion evolution of the system to the steady state. At the same time, for the number of external computers, a fast short-term growth is observed at the initial stages of process development with subsequent smooth and slow decrease towards the steady state. For medium and large values of the time variable, the evolution of the number of infected computers to the steady state occurs in an ultra-slow mode. Thus, the proposed technique makes it possible to study the families of dynamic reactions in the process of computer viruses spreading, including fast transient processes and ultra-slow evolution of systems with memory.

Systematic Literature Review over IDPS, Classification and Application in its Different Areas

Cyber-attacks are becoming more sophisticated and thereby presenting increasing challenges in accurately detecting intrusions. Failure to prevent the intrusions could degrade the credibility of security services, e.g. data confidentiality, integrity, and availability. Numerous intrusion detection methods have been proposed in the literature to tackle computer security threats, which can be broadly classified into Signature-based Intrusion Detection Systems (SIDS) and Anomaly-based Intrusion Detection Systems (AIDS). Network security is vital for any organization connected to the Internet. Rock solid network security is a major challenge that can be overcome by strengthening the network against threats such as hackers, malware, botnets, data thieves, etc. Firewalls, antivirus, and intrusion detection systems are used to protect the network. The firewall can control network traffic, but reliance on this type of security alone is not enough. Attackers use open ports such as port 80 of the web server (http) and port 110 of the POP server to infiltrate networks. The Intrusion Detection System (IDS) minimizes security breaches and improves network security by scanning network packets to filter out malicious packets. Real-time detection with prevention using Intrusion Detection and Prevention Systems (IDPS) has elevated network security to an advanced level by strengthening the network against malicious activities. In this Survey paper focuses on Classifying various kinds of IDS with the major types of attacks based on intrusion methods. Presenting a classification of network anomaly IDS evaluation metrics and discussion on the importance of the feature selection. Evaluation of available IDS datasets discussing the challenges of evasion techniques.

ICT security in tax administration - AV protection systems

The article discusses the topic of ICT security in tax administration. This paper presents a study of the security level of endpoints8, servers using three antivirus protection systems. It discusses three independent solutions used to ensure the protection of ICT equipment in public administration.

A new classification method for encrypted internet traffic using machine learning

The rate of internet usage in the world is over 62% and this rate is increasing day by day. With this increase, it becomes important to ensure the confidentiality of the information in the traffic flowing over the internet. Encryption algorithms and protocols are used for this purpose. This situation, which is beneficial for normal users, is also used by attackers to hide. Cyber attackers or hackers gain the ability to bypass security precautions such as IDS/IPS and antivirus systems with using encrypted traffic. Since payload analysis cannot be performed without deciphering the encrypted traffic, existing commercial security solutions fall short in this situation. In this study, it is aimed to classify the network traffic by analysing the outgoing and incoming data over the encrypted traffic using extreme gradient boosting (XGBoost), decision tree and random forest classification methods. Thus, without deciphering, it is possible to classify packets passing through encrypted traffic using some metadata like size and duration and to take precautions against attacks. ISCX VPN-NonVPN dataset was used to test the proposed model in this study. With the created framework, encrypted traffic was classified with a high success rate and 94.53% success was achieved by using the XGBoost classification method.