Malware Families Research Articles

Towards Explainable CNNs for Android Malware Detection

Abstract A challenge for implementing deep learning research in the real-world is the availability of techniques that explain predictions of a model, particularly in light of potential legal requirements to give an account of algorithmic outcomes for certain use-cases. Convolutional neural networks are regularly proposed as an effective method of Android malware detection at scale. However there is a lack of studies into actually explaining the predictions of these classifiers, and how well they correlate with other state-of-the-art explainability methods. In this paper we present two research contributions that begin to address this issue. Firstly, a novel method to identify locations deemed important by our CNN in an Android app’s opcode sequence which appear to contribute to malware detection. Secondly, a comparison of such locations highlighted by the CNN with those locations considered important from the state-of-the-art explainability method LIME. Using the publicly available Drebin benchmark dataset, our results show that for eight different malware families, when averaging location importance across all samples in each family, locations in an opcode sequence considered most malicious by our CNN match closely to those considered most malicious by LIME. This gives confidence the CNN is able to focus its attention on patterns of malicious opcodes in an Android app. As well as helping to validate use of CNNs for Android malware detection, our method may benefit the wider field of Android malware analysis to highlight opcode sequence locations worthy of investigation.

Deep learning-based approach for malware classification

Any program that exhibit furtive demonstrations against the interests of the PC client can be considered as a malware. These baleful programs can play out varieties of different capacities, for example, taking, encoding, or erasing dainty information, changing or commandeering centre processing capacities, and examining clients' computer action without their consent. Today, malware is utilised by both governments and black hat hackers, to take individual, financial, or business data. In this paper, put forward a strategy for arranging malware utilising profound learning procedures. Malware binaries are pictured as greyscale pictures, with the perception that for some malware families, the pictures having a place with a similar family show up fundamentally the same as in surface and design. A standard picture highlights grouping strategy is proposed. The exploratory outcomes give 97.45% arrangement classification on a malware database of 9,339 examples with 25 diverse malware families.

SHA-AMD: sample-efficient hyper-tuned approach for detection and identification of Android malware family and category

SHA-AMD: sample-efficient hyper-tuned approach for detection and identification of Android malware family and category

A Hybrid DL-Based Detection Mechanism for Cyber Threats in Secure Networks

The astonishing growth of sophisticated ever-evolving cyber threats and attacks throws the entire Internet-of-Things (IoT) infrastructure into chaos. As the IoT belongs to the infrastructure of interconnected devices, it brings along significant security challenges. Cyber threat analysis is an augmentation of a network security infrastructure that primarily emphasizes on detection and prevention of sophisticated network-based threats and attacks. Moreover, it requires the security of network by investigation and classification of malicious activities. In this study, we propose a DL-enabled malware detection scheme using a hybrid technique based on the combination of a Deep Neural Network(DNN) and Long Short-Term Memory(LSTM) for the efficient identification of multi-class malware families in IoT infrastructure. The proposed scheme utilizes latest 2018 dataset named as N_BaIoT. Furthermore, our proposed scheme is evaluated using standard performance metrics such as accuracy, recall, precision, F1-score, and so forth. The DL-based malware detection system achieves 99.96% detection accuracy for IoT based threats. Finally, we also compare our proposed work with other robust and state-of-the-art detection schemes.

SHA-AMD: sample-efficient hyper-tuned approach for detection and identification of Android malware family and category

SHA-AMD: sample-efficient hyper-tuned approach for detection and identification of Android malware family and category

Binary File’s Visualization and Entropy Features Analysis Combined with Multiple Deep Learning Networks for Malware Classification

In recent years, the research on malware variant classification has attracted much more attention. However, there are still many challenges, including the low accuracy of classification of samples of similar malware families, high time, and resource consumption. This paper proposes a new method of malware classification based on multiple visual features of malware and deep learning algorithms. In prior research, visualization techniques and entropy demonstrated exemplary performance in many areas. This paper extracts numerous visual features from the raw bytes and entropy sequence of the malware, which makes it more sensitive to malware samples of similar families and endows it the ability to classify malware variants more accurately. To evaluate the proposed method, this paper conducted a series of experiments on two malware datasets with a total of more than 20,000 samples provided by the Malware Research Lab and Microsoft Research. Through experiments, the method showed its superiority compared with some leading malware visual classification methods, achieving good performance on the accuracy with at least 1% improvement. The accuracy of the method even could reach 99.73% and 99.54%, respectively, on the two datasets.

USING TRANSFER LEARNING FOR MALWARE CLASSIFICATION

Abstract. In this paper, we propose a malware classification framework using transfer learning based on existing Deep Learning models that have been pre-trained on massive image datasets. In recent years there has been a significant increase in the number and variety of malwares, which amplifies the need to improve automatic detection and classification of the malwares. Nowadays, neural network methodology has reached a level that may exceed the limits of previous machine learning methods, such as Hidden Markov Models and Support Vector Machines (SVM). As a result, convolutional neural networks (CNNs) have shown superior performance compared to traditional learning techniques, specifically in tasks such as image classification. Motivated by this success, we propose a CNN-based architecture for malware classification. The malicious binary files are represented as grayscale images and a deep neural network is trained by freezing the pre-trained VGG16 layers on the ImageNet dataset and adapting the last fully connected layer to the malware family classification. Our evaluation results show that our approach is able to achieve an average of 98% accuracy for the MALIMG dataset.

Investigating Anti-Evasion Malware Triggers Using Automated Sandbox Reconfiguration Techniques

Malware analysis is fundamental for defending against prevalent cyber security threats and requires a means to deploy and study behavioural software traits as more sophisticated malware is developed. Traditionally, virtual machines are used to provide an environment that is isolated from production systems so as to not cause any adverse impact on existing infrastructure. Malware developers are fully aware of this and so will often develop evasion techniques to avoid detection within sandbox environments. In this paper, we conduct an investigation of anti-evasion malware triggers for uncovering malware that may attempt to conceal itself when deployed in a traditional sandbox environment. To facilitate our investigation, we developed a tool called MORRIGU that couples together both automated and human-driven analysis for systematic testing of anti-evasion methods using dynamic sandbox reconfiguration techniques. This is further supported by visualisation methods for performing comparative analysis of system activity when malware is deployed under different sandbox configurations. Our study reveals a variety of anti-evasion traits that are shared amongst different malware families, such as sandbox “wear-and-tear”, and Reverse Turing Tests (RTT), as well as more sophisticated malware samples that require multiple anti-evasion checks to be deployed. We also perform a comparative study using Cuckoo sandbox to demonstrate the limitations of adopting only automated analysis tools, to justify the exploratory analysis provided by MORRIGU. By adopting a clearer systematic process for uncovering anti-evasion malware triggers, as supported by tools like MORRIGU, this study helps to further the research of evasive malware analysis so that we can better defend against such future attacks.

Visual Detection for Android Malware using Deep Learning

The most serious threats to the current mobile internet are Android Malware. In this paper, we proposed a static analysis model that does not need to understand the source code of the android applications. The main idea is as most of the malware variants are created using automatic tools. Also, there are special fingerprint features for each malware family. According to decompiling the android APK, we mapped the Opcodes, sensitive API packages, and high-level risky API functions into three channels of an RGB image respectively. Then we used the deep learning technique convolutional neural network to identify Android application as benign or as malware. Finally, the proposed model succeeds to detect the entire 200 android applications (100 benign applications and 100 malware applications) with an accuracy of over 99% as shown in experimental results.

Comparative analysis of feature representations and machine learning methods in Android family classification

In order to overcome the lasting increase of Android malware, malware family classification, which clusters malware with the same features into one family, has been proposed as an efficient way for malware analysis. Several machine learning based approaches have been proposed for such task of malware family classification. However, due to the adoption of very different features and learning methods in different approaches, it is still an open question to explore: which approach works better for malware family classification? In this paper, we conduct extensive experiments to answer this question. For three widely known Android malware datasets, we design five multi-classification methods for predicting Android malware family. Based on the survey of Android malware analysis literatures and the observation of a large number of Android malware, we construct a set of 250 common features shared by Android malware. And we also collect 16873 documentary features from Android Developer as a comparison. Furthermore, we investigate the effects of transfer learning for adapting the model on three malware datasets on different scales. Our empirical results show that (i) the classification methods perform very closely, with neural network model having marginally better performance (1% to 3% in F1-score), (ii) features contribute most for classification, especially to enhance API features on larger datasets, and (iii) it is model transferable across different malware datasets based on various transfer learning tasks.

DeepAMD: Detection and identification of Android malware using high-efficient Deep Artificial Neural Network

Android smartphones are being utilized by a vast majority of users for everyday planning, data exchanges, correspondences, social interaction, business execution, bank transactions, and almost in each walk of everyday lives. With the expansion of human reliance on smartphone technology, cyberattacks against these devices have surged exponentially. Smartphone applications use permissions to utilize various functionalities of the smartphone that can be maneuvered to launch an attack or inject malware by hackers. Existing studies present various approaches to detect Android malware but lack early detection and identification. Accordingly, there is a dire need to craft an efficient mechanism for malicious applications’ detection before they exploit the data. In this paper, a novel approach DeepAMD to defend against real-world Android malware using deep Artificial Neural Network (ANN) has been adopted including an efficiency comparison of DeepAMD with conventional machine learning classifiers and state-of-the-art studies based on performance measures such as accuracy, recall, f-score, and precision. As per the experimental analysis, DeepAMD outperforms other approaches in detecting and identifying malware attacks on both Static as well as Dynamic layers. On the Static layer, DeepAMD achieves the highest accuracy of 93.4% for malware classification, 92.5% for malware category classification, and 90% for malware family classification. On the Dynamic layer, DeepAMD achieves the highest accuracy of 80.3% for malware category classification and 59% for malware family classification in comparison with the state-of-the-art techniques.

The Classification and Detection of Malware Using Soft Relevance Evaluation

In recent years, researchers have made a great success on the automatic classification and detection of malware utilizing machine learning methods. However, most machine learning based approaches over rely on the training samples such that a new malware family not belonging to the training set cannot be identified. To address such issue, we propose a soft relevance value ( <italic xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">s</i> -value), a new evaluating way of feature soft relevance that uses the mixed distance criterion to assess classified results. Specifically, we leverage the mixed distance criterion from pattern recognition to distinguish testing samples as a new family which is not labeled in training set. Finally, we evaluate how <italic xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">s</i> -value can be used to distinguish and classify a new malware family with the malware datasets from the Research Prediction Competition of Microsoft Malware Classification Challenge and Windows (Kaggle). The experimental results show that, the train-ing time is approximately 12 hours, while the prediction time is only ∼0.5 second. Comparing against the Kaggle winner, our time costs for training and pprediction only occupy 16.7% and 3.8% of the winner.s time costs, respectively. The accuracy of classifying malware reaches 99.8%. Such results indicates that our proposed <italic xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">s</i> -value achieves a balance in accuracy, training and prediction time, and outperforms the state-of-the-art machine learning based malware detection approaches. Besides, our method is able to identify new malware families that are not included in the training set.

A detection method for android application security based on TF-IDF and machine learning.

Android is the most widely used mobile operating system (OS). A large number of third-party Android application (app) markets have emerged. The absence of third-party market regulation has prompted research institutions to propose different malware detection techniques. However, due to improvements of malware itself and Android system, it is difficult to design a detection method that can efficiently and effectively detect malicious apps for a long time. Meanwhile, adopting more features will increase the complexity of the model and the computational cost of the system. Permissions play a vital role in the security of the Android apps. Term Frequency—Inverse Document Frequency (TF-IDF) is used to assess the importance of a word for a file set in a corpus. The static analysis method does not need to run the app. It can efficiently and accurately extract the permissions from an app. Based on this cognition and perspective, in this paper, a new static detection method based on TF-IDF and Machine Learning is proposed. The system permissions are extracted in Android application package’s (Apk’s) manifest file. TF-IDF algorithm is used to calculate the permission value (PV) of each permission and the sensitivity value of apk (SVOA) of each app. The SVOA and the number of the used permissions are learned and tested by machine learning. 6070 benign apps and 9419 malware are used to evaluate the proposed approach. The experiment results show that only use dangerous permissions or the number of used permissions can’t accurately distinguish whether an app is malicious or benign. For malware detection, the proposed approach achieve up to 99.5% accuracy and the learning and training time only needs 0.05s. For malware families detection, the accuracy is 99.6%. The results indicate that the method for unknown/new sample’s detection accuracy is 92.71%. Compared against other state-of-the-art approaches, the proposed approach is more effective by detecting malware and malware families.

DecaDroid Classification and Characterization of Malicious Behaviour in Android Applications

Widespread use of Android-based applications on the smartphones has resulted in significant growth of security attack incidents. Malware-based attacks are the most common attacks on Android-based smartphones. To forestall malware from attacking the users, a much better understanding of Android malware and its behaviour is required. In this article, an approach to classify and characterise the malicious behaviour of Android applications using static features, data flow analysis, and machine learning techniques has been proposed. Static features like hardware components, permissions, Android components and inter-component communication along with unique source-sink pairs obtained from data flow analysis have been used to extract the features of the Android applications. Based on the features extracted, the malicious behaviour of the applications has been classified to their respective malware family. The proposed approach has given 95.19% accuracy rate and F1 measure of 92.19302 with the largest number of malware families classified as compared to previous work.

Birds of a Feature: Intrafamily Clustering for Version Identification of Packed Malware

It is challenging for malware lineage inference to identify versions of collected malware by ensuring high accuracy in clustering. In this article, we tackle this problem and present a novel mechanism using behavioral features for version identification of (un)packed malware. Our basic idea involves focusing on intrafamily clustering. We extract the so-called family feature sets, i.e., hybrid features specific to each family. Our intuition is that family feature sets may achieve higher accuracy in clustering than common feature sets, and unpacked malware found in or relevant to such a cluster can result in the lineage inference of family members using traditional inference methods. We conduct experiments with two datasets, 8928 malware samples from VXHeavens and 3293 samples by manual analysis, composed of packed malware in a large portion. The results demonstrate that we can accurately classify samples into malware families based on the hybrid features we choose. In addition, we can also effectively extract family feature sets from 37 feature categories using forward stepwise selection. For intrafamily clustering, we employed the agglomerative clustering algorithm and observed that using family feature sets is significantly more accurate than using common feature sets, which facilitates higher accuracy lineage inference of packed malware.

Model checking and machine learning techniques for HummingBad mobile malware detection and mitigation

Android currently represents the most widespread operating system focused on mobile devices. It is not surprising that the majority of malware is created to perpetrate attacks targeting mobile devices equipped with this operating systems. In the mobile malware landscape, there exists a plethora of malware families exhibiting different malicious behaviors. One of the recent threat in this landscape is represented by the HummingBad malware, able to perpetrate multiple attacks for obtain root credentials and to silently install applications on the infected device. From these considerations, in this paper we discuss two different methodologies aimed to detect malicious samples targeting Android environment. In detail the first approach is based on machine learning technique, while the second one is a model checking based approach. Moreover, the model checking approach is able to localize the malicious behaviour of the application under analysis code, in terms of package, class and method. We evaluate the effectiveness of both the designed methods on real-world samples belonging to the HummingBad malware family, one of the most recent and aggressive behaviour embed into malicious Android applications.

Enhanced Android Malware Detection and Family Classification, using Conversation-level Network Traffic Features

Signature-based malware detection algorithms are facing challenges to cope with the massive number of threats in the Android environment. In this paper, conversation-level network traffic features are extracted and used in a supervised-based model. This model was used to enhance the process of Android malware detection, categorization, and family classification. The model employs the ensemble learning technique in order to select the most useful features among the extracted features. A real-world dataset called CICAndMal2017 was used in this paper. The results show that Extra-trees classifier had achieved the highest weighted accuracy percentage among the other classifiers by 87.75%, 79.97%, and 66.71%for malware detection, malware categorization, and malware family classification respectively. A comparison with another study that uses the same dataset was made. This study has achieved a significant enhancement in malware family classification and malware categorization. For malware family classification, the enhancement was 39.71% for precision and 41.09% for recall. The rate of enhancement for the Android malware categorization was 30.2% and 31.14‬% for precision and recall, respectively

LimonDroid: a system coupling three signature-based schemes for profiling Android malware

Android remains an interesting target to attackers due to its openness. A contribution in the literature consists of providing similarity measurement such as fuzzy hashing to fight against code obfuscation techniques. Research works in this approach suffer from limited signature database. This work combines fuzzy hashing with YARA rules and VirusTotal signature-based schemes, to improve and consistency of the signature database. It is proposed LimonDroid, an Android system, which mimics Limon, a Desktop security tool that includes such schemes. LimonDroid has been tested with 341 malicious and 300 benign applications on a database of 12925 fuzzy-hashed malware signatures, 62 YARA malware families’ patterns and VirusTotal engine. Our approach gives a true-positive rate of 97.36%, a true negative rate of 98.33% and an accuracy of 97.82%. A comparison with similarity-based solutions reveals that LimonDroid is more efficient for users. The objective is not to propose a detection approach better than those in the literature. Instead, we aim at establishing a robust signature database able to identify malicious trends in Android apps.

Deep learning based Sequential model for malware analysis using Windows exe API Calls.

Malware development has seen diversity in terms of architecture and features. This advancement in the competencies of malware poses a severe threat and opens new research dimensions in malware detection. This study is focused on metamorphic malware, which is the most advanced member of the malware family. It is quite impossible for anti-virus applications using traditional signature-based methods to detect metamorphic malware, which makes it difficult to classify this type of malware accordingly. Recent research literature about malware detection and classification discusses this issue related to malware behavior. The main goal of this paper is to develop a classification method according to malware types by taking into consideration the behavior of malware. We started this research by developing a new dataset containing API calls made on the windows operating system, which represents the behavior of malicious software. The types of malicious malware included in the dataset are Adware, Backdoor, Downloader, Dropper, spyware, Trojan, Virus, and Worm. The classification method used in this study is LSTM (Long Short-Term Memory), which is a widely used classification method in sequential data. The results obtained by the classifier demonstrate accuracy up to 95% with 0.83 $F_1$-score, which is quite satisfactory. We also run our experiments with binary and multi-class malware datasets to show the classification performance of the LSTM model. Another significant contribution of this research paper is the development of a new dataset for Windows operating systems based on API calls. To the best of our knowledge, there is no such dataset available before our research. The availability of our dataset on GitHub facilitates the research community in the domain of malware detection to benefit and make a further contribution to this domain.

Scalable and robust unsupervised android malware fingerprinting using community-based network partitioning

The daily amount of Android malicious applications (apps) targeting the app repositories is increasing, and their number is overwhelming the process of fingerprinting. To address this issue, we propose an enhanced Cypider framework, a set of techniques and tools aiming to perform a systematic detection of mobile malware by building a scalable and obfuscation resilient similarity network infrastructure of malicious apps. Our approach is based on our proposed concept, namely malicious community, in which we consider malicious instances that share common features are the most likely part of the same malware family. Using this concept, we presumably assume that multiple similar Android apps with different authors are most likely to be malicious. Specifically, Cypider leverages this assumption for the detection of variants of known malware families and zero-day malicious apps. Cypider applies community detection algorithms on the similarity network, which extracts sub-graphs considered as suspicious and possibly malicious communities. Furthermore, we propose a novel fingerprinting technique, namely community fingerprint, based on a one-class machine learning model for each malicious community. Besides, we proposed an enhanced Cypider framework, which requires less memory, ≈ x650%, and less time to build the similarity network, ≈ x700, compared to the original version, without affecting the fingerprinting performance of the framework. We introduce a systematic approach to locate the best threshold on different feature content vectors, which simplifies the overall detection process. Cypider shows excellent results by detecting 60%−80% coverage of the malware dataset in one detection iteration with higher precision 85%−99% in the detected malicious communities. On the other hand, the community fingerprints are promising as we achieved 86%, 93%, and 94% in the detection of the malware family, general malware, and benign apps respectively.