API Calls Research Articles

Enhancement in Security of Android Devices Using Malware Prediction with Machine Learning

Due to large number of malicious applications in android devices, security of user data has become a serious issue. We need to detect and predict malware in android application to keep devices secure. SIGPID (Significant Permission Identification) approach extracts Significant Permission required in android application and uses this information to predict malware using supervised learning algorithm. DREBIN method performs broad static analysis and gathers required features from manifest file and application code. The features like network addresses, API calls, hardware components, permissions are mapped into joint vector space. Applying suitable machine learning algorithm to this vector space the system classifies application as malicious or benign application which results into improvement in the prediction accuracy. SIGPID aims to use less number of permissions to predict the malware presence whereas DREBIN aims at giving accurate predictions. We have used principles of these two algorithms to implemented malware detection system Safroid which aims to use less number of permissions and give accurate predictions.

Right ventricular free wall longitudinal strain and strain rate quantification with cardiovascular magnetic resonance based tissue tracking

Cardiovascular magnetic resonance based tissue tracking (CMR-TT) was reported to provide detailed insight into left ventricular mechanical features. However, inadequate knowledge of the right ventricle (RV) mechanical deformation has been acquired by this advanced technique so far. It was the aim of this study to establish reference values of RV free wall (RVFW) global, regional and segmental longitudinal peak strain and strain rate (LS and LSR), and to investigate the gender- and age-related difference as well as the base-to-apex gradient of RVFW-LS and LSR with CMR-TT. 150 healthy volunteers (75 males/females) were retrospectively and continuously recruited and subdivided into three age groups (G20–40, G41–60 and G61–80). RVFW global, regional (basal, middle-cavity and apical) and segmental LS (GLS, RLS, SLS) along with systolic and diastolic LSR were generated by post-hoc CMR-TT analysis of standard steady-state free precession long-axis four-chamber view cine images acquired at 1.5T field strength. The reference value of myocardial RVFW-GLS was − 24.9 ± 5.2%. We found that females showed more negative GLS than males except in the youngest group, and no age-related difference of GLS was observed in both gender groups. RLS and SLS presented with the same age-related tendency as GLS. The basal and middle-cavity LS were similar between each other and significantly larger than apical LS. RVFW-GLSR resulted as − 1.73 ± 0.58 s−1 and 1.69 ± 0.65 s−1 during systolic and diastolic phases, respectively. The diastolic GLSR of males tended to decline with the ageing and was significantly lower than that of females in G61–80 group. Regional and segmental LSR showed significant gender-related differences in certain basal and apical region/segments without any age-related effects. CMR-TT overcomes the difficulty in measuring RV global and segmental deformation. The establishment of the vendor-, gender- and segment-specific reference values of RVFW-LS and LSR is essential for the rapid and efficient utilization of CMR-TT modality in the clinical routine.

Optimizing Extreme Learning Machines Using Chains of Salps for Efficient Android Ransomware Detection

Nowadays, smartphones are an essential part of people’s lives and a sign of a contemporary world. Even that smartphones bring numerous facilities, but they form a wide gate into personal and financial information. In recent years, a substantial increasing rate of malicious efforts to attack smartphone vulnerabilities has been noticed. A serious common threat is the ransomware attack, which locks the system or users’ data and demands a ransom for the purpose of decrypting or unlocking them. In this article, a framework based on metaheuristic and machine learning is proposed for the detection of Android ransomware. Raw sequences of the applications API calls and permissions were extracted to capture the ransomware pattern of behaviors and build the detection framework. Then, a hybrid of the Salp Swarm Algorithm (SSA) and Kernel Extreme Learning Machine (KELM) is modeled, where the SSA is used to search for the best subset of features and optimize the KELM hyperparameters. Meanwhile, the KELM algorithm is utilized for the identification and classification of the apps into benign or ransomware. The performance of the proposed (SSA-KELM) exhibits noteworthy advantages based on several evaluation measures, including accuracy, recall, true negative rate, precision, g-mean, and area under the curve of a value of 98%, and a ratio of 2% of false positive rate. In addition, it has a competitive convergence ability. Hence, the proposed SSA-KELM algorithm represents a promising approach for efficient ransomware detection.

A TAN based hybrid model for android malware detection

Android devices are very popular because of their availability at reasonable prices. However, there is a rapid rise of malware applications in Android platform in the recent past years due to its security vulnerabilities. The existing static malware detection mechanisms can locate malicious components associated with the source code of an application and dynamic analysis can identify exploits in the runtime environment. Hence, the advantages of both static and dynamic mechanisms need to be combined to form a hybrid analysis mechanism for achieving better accuracy in malware detection. The existing machine learning based hybrid malware analysis mechanisms do not check the interdependency of static and dynamic features used in their machine learning classifiers. This interdependency can lead to multicollinearity problem which can affect the classifier’s performance. Hence, in this paper we propose a novel TAN (Tree Augmented naive Bayes) based hybrid malware detection mechanism by employing the conditional dependencies among relevant static and dynamic features (API calls, permissions and system calls) which are required for the functionality of an application. We trained three ridge regularized logistic regression classifiers corresponding to API calls, permission and system calls of an application and modeled their output relationships as a TAN (Tree Augmented naive Bayes) for identifying whether the application is malicious or not. The experimental results show that the proposed mechanism can detect malicious applications over a long period with an accuracy of 0.97.

Semantically find similar binary codes with mixed key instruction sequence

Abstract Context Software similarity comparison has always been a common technique for software reuse detection, plagiarism detection, and defect detection. Objective Considering the role of API calls and arithmetic operations in software execution, a semantic-based dynamic software analysis method–mixed key instruction sequence (MKIS) is proposed. Method MKIS embeds key value sets into a vector and constructs a novel software execution sequence that contains API calls and arithmetic operations during software execution. To determine the location of key values, a key-value equivalent matching algorithm is proposed, combined with the longest common subsequence algorithm to optimize the software execution sequence. Results Experiments show that MKIS can accurately compare the similarity of binary programs without obtaining the software source code, and has better resiliency and credibility. Conclusion Moreover, in the case when the software source code is changed with some main function-independent modification and code obfuscator, software reuse can be successfully detected.

Clustering-Aided Multi-View Classification: A Case Study on Android Malware Detection

Recognizing malware before its installation plays a crucial role in keeping an android device safe. In this paper we describe a supervised method that is able to analyse multiple information (e.g. permissions, api calls and network addresses) that can be retrieved through a broad static analysis of android applications. In particular, we propose a novel multi-view machine learning approach to malware detection, which couples knowledge extracted via both clustering and classification. In an assessment, we evaluate the effectiveness of the proposed method using benchmark Android applications and established machine learning metrics.

A3: Assisting Android API Migrations Using Code Examples

The fast-paced evolution of Android APIs has posed a challenging task for Android app developers. To leverage Android's frequently released APIs, developers must often spend considerable effort on API migrations. Prior research and Android official documentation typically provide enough information to guide developers in identifying the API calls that must be migrated and the corresponding API calls in an updated version of Android (what to migrate). However, API migration remains a challenging task since developers lack the knowledge of how to migrate the API calls. There exist code examples, such as Google Samples, that illustrate the usage of APIs. We posit that by analyzing the changes of API usage in code examples, we can learn API migration patterns to assist developers with API Migrations. In this paper, we propose an approach that learns API migration patterns from code examples, applies these patterns to the source code of Android apps for API migration, and presents the results to users as potential migration solutions. To evaluate our approach, we migrate API calls in open source Android apps by learning API migration patterns from code examples. We find that our approach can successfully learn API migration patterns and provide API migration assistance in 71 out of 80 cases. Our approach can either migrate API calls with little to no extra modifications needed or provide guidance to assist with the migrations. Through a user study, we find that adopting our approach can reduce the time spent on migrating APIs, on average, by 29%. Moreover, our interviews with app developers highlight the benefits of our approach when seeking API migrations. Our approach demonstrates the value of leveraging the knowledge contained in software repositories to facilitate API migrations.

Decompiled APK based malicious code classification

Due to the increasing growth in the variety of Android malware, it is important to distinguish between the unique types of each. In this paper, we introduce the use of a decompiled source code for malicious code classification. This decompiled source code provides deeper analysis opportunities and understanding of the nature of malware. Malicious code differs from text due to syntax rules of compilers and the effort of attackers to evade potential detection. Hence, we adapt Natural Language Processing-based techniques under some constraints for malicious code classification. First, the proposed methodology decompiles the Android Package Kit files, then API calls, keywords, and non-obfuscated tokens are extracted from the source code and categorized to stop-tokens, feature-tokens, and long-tail-tokens. We also introduce the use of generalized N-tokens to represent tokens that are typically less frequent. Our approach was evaluated, in comparison to the use of API calls and permissions for features, as a baseline, and their combination, as well as in comparison to the use of neural network architectures based on decompiled Android Package Kits. A rigorous evaluation of comprehensive public real-world Android malware datasets, including 24,553 apps that were categorized to 71 families for the malicious families classification, and 60,000 apps for malicious code detection was performed. Our approach outperformed the baselines in both tasks.

Dynamic Malware Analysis with Feature Engineering and Feature Learning

Dynamic malware analysis executes the program in an isolated environment and monitors its run-time behaviour (e.g. system API calls) for malware detection. This technique has been proven to be effective against various code obfuscation techniques and newly released (“zero-day”) malware. However, existing works typically only consider the API name while ignoring the arguments, or require complex feature engineering operations and expert knowledge to process the arguments. In this paper, we propose a novel and low-cost feature extraction approach, and an effective deep neural network architecture for accurate and fast malware detection. Specifically, the feature representation approach utilizes a feature hashing trick to encode the API call arguments associated with the API name. The deep neural network architecture applies multiple Gated-CNNs (convolutional neural networks) to transform the extracted features of each API call. The outputs are further processed through bidirectional LSTM (long-short term memory networks) to learn the sequential correlation among API calls. Experiments show that our solution outperforms baselines significantly on a large real dataset. Valuable insights about feature engineering and architecture design are derived from the ablation study.

Actor Critic Deep Reinforcement Learning for Neural Malware Control

In addition to using signatures, antimalware products also detect malicious attacks by evaluating unknown files in an emulated environment, i.e. sandbox, prior to execution on a computer's native operating system. During emulation, a file cannot be scanned indefinitely, and antimalware engines often set the number of instructions to be executed based on a set of heuristics. These heuristics only make the decision of when to halt emulation using partial information leading to the execution of the file for either too many or too few instructions. Also this method is vulnerable if the attackers learn this set of heuristics.
 Recent research uses a deep reinforcement learning (DRL) model employing a Deep Q-Network (DQN) to learn when to halt the emulation of a file. In this paper, we propose a new DRL-based system which instead employs a modified actor critic (AC) framework for the emulation halting task. This AC model dynamically predicts the best time to halt the file's execution based on a sequence of system API calls. Compared to the earlier models, the new model is capable of handling adversarial attacks by simulating their behaviors using the critic model. The new AC model demonstrates much better performance than both the DQN model and antimalware engine's heuristics. In terms of execution speed (evaluated by the halting decision), the new model halts the execution of unknown files by up to 2.5% earlier than the DQN model and 93.6% earlier than the heuristics. For the task of detecting malicious files, the proposed AC model increases the true positive rate by 9.9% from 69.5% to 76.4% at a false positive rate of 1% compared to the DQN model, and by 83.4% from 41.2% to 76.4% at a false positive rate of 1% compared to a recently proposed LSTM model.

RETRACTED ARTICLE: Hypervisor injection attack using X-cross API calls (HI-API attack)

Progressive cyber-attacks emphasize secrecy and industriousness the more they are able to move alongside, exfiltration of information and cause harm. The more they stay under radar. The abusers swing progressively to cross-process infusion to preserve a strategic distance from identification. Cross-process infusion helps attackers to execute malicious codes that take on truly project appearance. Code infusion does not require aggressors to use specific procedures that can be quickly differentiated. Alternatively, they incorporate malignancy code into the normal procedure, allowing their operations a wider range of secrecy and naivety (e.g. explorer.exe, regsvr32.exe, svchost.exe…). For the purpose of detect malware injection The hypervisor injection attack proposed in this paper by using a method of X-cross application programming interface calls (API-HI-attack) raises awareness that malware is injecting into the simulation tool with X-cross-language API calls. The experimental results of the proposed work shows antimalware protector need to take more attention on API call hooking at process level injection by X-cross languages. The results proposed method with high true positive (92.96%) and less false positive (0.07%) over the existing methods.

Towards using unstructured user input request for malware detection

Privacy analysis techniques for mobile apps are mostly based on system-centric data originating from well-defined system API calls. But these apps may also collect sensitive information via their unstructured input sources that elude privacy analysis. The consequence is that users are unable to determine the extent to which apps may impact on their privacy when downloaded and installed on mobile devices. To this end, we present a privacy analysis framework for unstructured input. Our approach leverages app meta-data descriptions and taxonomy of sensitive information, to identify sensitive unstructured user input. The outcome is an understanding of the level of user privacy risk posed by an app based on its unstructured user input request. Subsequently, we evaluate the usefulness of the unstructured sensitive user input for malware detection. We evaluate our methods using 175K benign apps and 175K malware APKs. The outcome highlights that malicious app detector built on unstructured sensitive user achieve an average balance accuracy of 0.996 demonstrated with Trojan-Banker and Trojan-SMS when the malware family and target applications are known and balanced accuracy of 0.70 with generic malware.

Assessment of supervised machine learning algorithms using dynamic API calls for malware detection

ABSTRACT Detection of malware using traditional malware detection techniques is very hard. Machine Learning (ML) algorithms provide a solution to detect the malware which is being developed at a very high pace. ML automatic anti-malware system can be developed which can update the system with incoming malware to keep the system secure. To train the malware classifiers runtime features are captured through Cuckoo Sandbox. During execution, malware can drop other malicious payloads and every payload performs different malicious activities. API calls of every process executed by malware or benign file are extracted. In this paper, parameter tuning of Machine Learning (ML) is done to produce the high accuracy results in a binary classification of binary files into malware or benign. In machine learning algorithms, a few essential parameters like k value, kernel function, depth of the tree, loss function, splitting criteria, learning rate, and n-estimators are evaluated using API calls for achieving the high accurate results of the malware classifiers. At last, supervised machine learning classification algorithms were assessed with 6434 benign and 8634 malware samples. Malware classifier produced 99.1% accuracy using ensemble algorithms. This paper provides insight into the parameter tuning of ML algorithms for detecting the malware using API calls.

Sub-curve HMM: A malware detection approach based on partial analysis of API call sequences

Malicious software (Malware) plays an important role in penetrating and extracting sensitive information. Based on dynamic program’s behavior monitoring, existing solutions have shown that the Hidden Markov Model (HMM) is efficient in detecting malware using sequences of API calls. However, an obfuscation technique could insert minimal data stealing code into a large set of legitimate instructions, which makes the detector ineffective. Additionally, existing solutions require a whole picture of a program’s actions, and hence a small chunk of activities is much harder to detect. Substantial performance degradation can occur during the detection when a long sequence of APIs is used. This paper proposes the Sub-Curve HMM feature extraction approach that focuses on matching subsets of activities from the running processes that potentially lead to data exfiltration incidents. Sequences of API calls are used to train HMMs and test the likelihood of matching to the model. Malicious and benign activities gain different matching scores over an adjoining set of API calls. By projecting a sequence of matching score into a curve, our approach discriminates malicious actions using discontinuities in the slope of the curve. The experimental results show that the proposed approach outperforms existing solutions in detecting six (6) families of malware: the detection accuracy of Sub-Curve HMM is over 94% compared to 83% for the baseline HMM approach and 73% for Information Gain.

A dynamic Windows malware detection and prediction method based on contextual understanding of API call sequence

Malware API call graph derived from API call sequences is considered as a representative technique to understand the malware behavioral characteristics. However, it is troublesome in practice to build a behavioral graph for each malware. To resolve this issue, we examine how to generate a simple behavioral graph that characterizes malware. In this paper, we introduce the use of word embedding to understand the contextual relationship that exists between API functions in malware call sequences. We also propose a method that segregating individual functions that have similar contextual traits into clusters. Our experimental results prove that there is a significant distinction between malware and goodware call sequences. Based on this distinction, we introduce a new method to detect and predict malware based on the Markov chain. Through modeling the behavior of malware and goodware API call sequences, we generate a semantic transition matrix which depicts the actual relation between API functions. Our models return an average detection precision of 0.990, with a false positive rate of 0.010. We also propose a prediction methodology that predicts whether an API call sequence is malicious or not from the initial API calling functions. Our model returns an average accuracy for the prediction of 0.997. Therefore, we propose an approach that can block malicious payloads instead of detecting them after their post-execution and avoid repairing the damage.

Detection of malicious software by analyzing the behavioral artifacts using machine learning algorithms

Malicious software deliberately affects the computer systems. Malware are analyzed using static or dynamic analysis techniques. Using these techniques, unique patterns are extracted to detect malware correctly. In this paper, a behavior-based malware detection technique is proposed. Various runtime features are extracted by setting up a dynamic analysis environment using the Cuckoo sandbox. Three primary features are processed for developing malware classifier. Firstly, printable strings are processed word by word using text mining techniques which produced a very high dimension matrix of the string features. Then we apply the singular value decomposition technique for reducing dimensions of string features. Secondly, Shannon entropy is computed over the printable strings and API calls to consider the randomness of API and PSI features. In addition to these features, behavioral features regarding file operations, registry key modification and network activities are used in malware detection. Finally, all features are integrated in the training feature set to develop the malware classifiers using the machine learning algorithms. The proposed technique is validated with 16489 malware and 8422 benign files. Our experimental results show the accuracy of 99.54% in malware detection using ensemble machine learning algorithms. Moreover, it aims to develop a behavior-based malware detection technique of high accuracy by processing the runtime features in a new way.

Malware Detection by Risky Zone “Signature” Extraction from API Calls String Transformation using (AOSSR) Technique

Low accuracy of malware detection exists in malware detectors that are based on various malware representation architectures due to several problems as in case of API call graph construction and matching algorithms, where a major issue of building a precise call graph from the information collected about malware samples, also graph matching algorithms are having NP-Complete Problems and slow because of their computational complexity [1], [2]. Moreover, increasing the malware detection accuracy based on API call graphs by enhancing the graph matching and construction algorithms, experiences more computational time taken for matching process and in construction process as there are many graphs created which makes it so difficult to fetch or identify the malware (Elhadi et al., 2013) [3]. It has been further argued by (Li et al., 2018) that in case of malevolent activities, it is comparatively intricate to find whether the software will fall under the spell of malicious occurrences or not, since the duty to determine whether the conduct of a program is malicious is quite complex [4]. This research proposes enhancement of API String-based representation technique through the implementation of a malware detection framework that adopts String-based representation of the malware signature which is a compact representation of the malware risky zone where only the set of API calls representing the actual malware behaviour is accounted in the String using Absolute Order Signature String Representation technique (AOSSR) to represent the malware Strings resulting in a better performance of malware detection accuracy. The Methodology this research work follows mainly composed of three phases. The first phase deals with the conversion of the known malware samples from text format to string format. The second phase addresses the extractaction of the risky zone of an input file which is the file that needs to be checked, by the help of the file signatures already been presented in the database. The third phase addresses how to match two strings efficiency. The Application of the research is very clear as last experiment conducted on 515 malware samples demonstrates that the proposed malware detection architecture has 98% accuracy and 0 false positive rates. Comparing three families, using Analysis of Variance (ANOVA) test it is proven there is no significant difference (p>0.05) in the detection rate of algorithm across the three families of malwares. The algorithms performance is consistent. The result also shows that the Receiver Operating Characteristics (ROC) curves display a better True Positives Rate (TPR) for the proposed architecture over the previous attempts, which reflect significant improvement of TPR.

An Approach for Reconstructing Applications to Develop Container-Based Microservices

Microservices are small-scale services that can operate independently. An application consisting of microservice units can be developed independently as a service unit, and it can handle individual logic without being affected by other services. In addition, it is possible to rapidly distribute the configured microservices by a container, and a container orchestration technology that manages the distributed multiple containers can be realized; thus, it is possible to update and distribute the microservices separately. Therefore, many companies are moving away from existing monolithic structures and attempting to switch to microservices. In this paper, we present a method for reconstructing a monolithic application into a container-based microservice unit. The microservices of data units are derived through the collection and analysis of monolithic design data. Furthermore, we propose a method to generate a template script based on deployment design data so that the derived microservice and support distribution can be implemented in a container environment. The results of a case study conducted verified that the container-based microservices deployed in this study work properly. In addition, for the development of monolithic applications and the development of container-based microservices presented in this paper, we confirmed that developing on the basis of microservices is efficient by conducting execution time performance evaluation for API calls at various iterations. Finally, we show that microservices constructed using the proposed method have higher reusability than those constructed using existing methods.

MANNWARE: A Malware Classification Approach with a Few Samples Using a Memory Augmented Neural Network

The ability to stop malware as soon as they start spreading will always play an important role in defending computer systems. It must be a huge benefit for organizations as well as society if intelligent defense systems could themselves detect and prevent new types of malware as soon as they reveal only a tiny amount of samples. An approach introduced in this paper takes advantage of One-shot/Few-shot learning algorithms to solve the malware classification problems using a Memory Augmented Neural Network in combination with the Natural Language Processing techniques such as word2vec, n-gram. We embed the malware’s API calls, which are very valuable sources of information for identifying malware’s behaviors, in the different feature spaces, and then feed them to the one-shot/few-shot learning models. Evaluating the model on the two datasets (FFRI 2017 and APIMDS) shows that the models with different parameters could yield high accuracy on malware classification with only a few samples. For example, on the APIMDS dataset, it was able to guess 78.85% correctly after seeing only nine malware samples and 89.59% after fine-tuning with a few other samples. The results confirmed very good accuracies compared to the other traditional methods, and point to a new area of malware research.

A multiview learning method for malware threat hunting: windows, IoT and android as case studies

Malware remains a threat to our cyberspace and increasingly digitalized society. Current malware hunting techniques employ a variety of features, such as OpCodes, ByteCodes, and API calls, to distinguish malware from goodware. However, existing malware hunting approaches generally focus on a single particular view, such as using dynamic information or opcodes only. While single-view malware hunting systems may provide lean and optimized basis for detecting a specific type of malware, their performance can be significantly limited when dealing with other types of malware; thus, making it trivial for an advanced attacker to develop malware that simply obfuscates features monitored by a single-view malware detection system. To address these limitations, we propose a multi-view learning method that uses multiple views including OpCodes, ByteCodes, header information, permission, attacker’s intent and API call to hunt malicious programs. Our system automatically assigns weights to different views to optimize detection in different environment. Using experiments conducted on various Windows, Android and Internet of Things (IoT) platforms, we demonstrate that our method offers high accuracy with a low false positive rate on these case study platforms. Moreover, we also investigate the robustness of detection against weak views (features with low power of discrimination). The proposed method is the first malware threat hunting method that can be applied to different platforms, at the time of this research, and it is considerably difficult for attackers to evade detection (since it requires attackers to obfuscate multiple different views).