Malware Infection Research Articles

The Use of Statistic Complexity for Security and Performance Analysis in Autonomic Component Ensembles

The paper proposes a new technique for detecting malware threats in autonomic component ensembles. The technique is based on the statistic complexity metrics, which relate objects to random variables and (unlike other complexity measures considering objects as individual symbol strings) are ensemble based. This transforms the classic problem of assessing the complexity of an object into the realm of statistics. The proposed technique requires implementation of the process X (which generates ‘healthy’ flows containing no malware threats) and objects generated by the actual (possible infected) process Y. The component flows files are used as objects of the processes X and Y. The result of the proposed procedure gives us the distribution of probabilities of malware infection among autonomic components. The possibility to use the results obtained to perform quantitative probabilistic verification and analysis of ASEs using the probabilistic model checking tool PRISM is demonstrated.

Cybersecurity and Simondon's Concretization Theory: Making Software More Like a Living Organism

The cybersecurity crisis has destabilized the field of informatics and called many of its foundational beliefs into question. This paper argues that Gilbert Simondon’s theory of the origin and development of technical objects helps us identify faulty theoretical assumptions within computer science and cybersecurity. In particular, Simondon’s view is that the process of the ‘individuation’ of technical objects can have similarities with the development of living beings – a view that stands in stark contrast with hylomorphic and reductionist views of technical objects currently common in computer science. We argue that those common hylomorphic approaches to software development lead to excessive modularity in software applications, which in turn results in less secure systems. To investigate a new ontological basis of software security, we look to Simondon’s ontology to reconsider what makes a piece of software vulnerable in the first place, and we focus on two concepts in his general theory of ontogenesis – ‘individuation’ and ‘associated milieu’. By examining a case study of a malware infection attack, we show that the event of a cyberattack unleashes a ‘co-concretization’ process of software applications and their associated milieu, namely, their operating system. Both the application and the operating system evolve from an abstract form to a more concrete form by re-inventing their own interiors and re-orienting their relationship to each other. We argue that software development will be more secure if it takes inspiration from the development of living beings and refocuses on the dynamic reciprocal relationship between software applications and their technical and social environment.

Modeling time delay, external noise and multiple malware infections in wireless sensor networks

The essentiality of wireless sensor networks (WSNs) in military and health applications cannot be overemphasized, and this has made these tiny sensors soft targets for malware attacks. However, with the ubiquity of single-group infection models, few researchers have studied the effects of many concurrent infection types on WSNs. Therefore, we proposed the differential Susceptible–Exposed (virus)–Exposed (worm)–Infectious (virus)–Infectious (worm)–Recovered–Susceptible with Vaccination (SE1E2I1I2RV) epidemic model in order to study the dynamics of malicious-code dissemination in WSNs. Using the multi-group model, which represents multiple infections due to worms and viruses, first, delay analyses were performed and, through the Routh-Hurwitz criteria, sufficient conditions for stability were established. Secondly, the SE1E2I1I2RV model was extended to incorporate external noise, thereby changing the deterministic nature of the original model and allowing stochastic analyses for random factors such as temperature, physical obstructions, etc. The role that delay plays in the model is shown when it surpasses the critical value, thus the system loses stability and allows the occurrence of a Hopf bifurcation. Finally, numerical simulations were performed using Matlab in order to account for theoretical analyses.

A Knowledge Transfer-based Semi-Supervised Federated Learning for IoT Malware Detection

As the demand for Internet of Things (IoT) technologies continues to grow, IoT devices have been viable targets for malware infections. Although deep learning-based malware detection has achieved great success, the detection models are usually trained based on the collected user records, thereby leading to significant privacy risks. One promising solution is to leverage federated learning (FL) to enable distributed on-device training without centralizing the private user records. However, it is non-trivial for IoT users to label these records, where the quality and the trustworthiness of data labeling are hard to guarantee. To address the above issues, this paper develops a semi-supervised federated IoT malware detection framework based on knowledge transfer technologies, named by FedMalDE. Specifically, FedMalDE explores the underlying correlation between labeled and unlabeled records to infer labels towards unlabeled samples by the knowledge transfer mechanism. Moreover, a specially designed subgraph aggregated capsule network (SACN) is used to efficiently capture varied malicious behaviors. The extensive experiments conducted on real-world data demonstrate the effectiveness of FedMalDE in detecting IoT malware and its sufficient privacy and robustness guarantee.

Analysis of Mobile Malware: A Systematic Review of Evolution and Infection Strategies

The open-source and popularity of Android attracts hackers and has multiplied security concerns targeting devices. As such, malware attacks on Android are one of the security challenges facing society. This paper presents an analysis of mobile malware evolution between 2000-2020. The paper presents mobile malware types and in-depth infection strategies malware deploys to infect mobile devices. Accordingly, factors that restricted the fast spread of early malware and those that enhance the fast propagation of recent malware are identified. Moreover, the paper discusses and classifies mobile malware based on privilege escalation and attack goals. Based on the reviewed survey papers, our research presents recommendations in the form of measures to cope with emerging security threats posed by malware and thus decrease threats and malware infection rates. Finally, we identify the need for a critical analysis of mobile malware frameworks to identify their weaknesses and strengths to develop a more robust, accurate, and scalable tool from an Android detection standpoint. The survey results facilitate the understanding of mobile malware evolution and the infection trend. They also help mobile malware analysts to understand the current evasion techniques mobile malware deploys.

Encryption-agnostic classifiers of traffic originators and their application to anomaly detection

This paper presents an approach that leverages classical machine learning techniques to identify the tools from the packets sniffed, both for clear-text and encrypted traffic. This research aims to overcome the limitations to security monitoring systems posed by the widespread adoption of encrypted communications. By training three distinct classifiers, this paper shows that it is possible to detect, with excellent accuracy, the category of tools that generated the analyzed traffic (e.g., browsers vs. network stress tools), the actual tools (e.g., Firefox vs. Chrome vs. Edge), and the individual tool versions (e.g., Chrome 48 vs. Chrome 68). The paper provides hints that the classifiers are helpful for early detection of Distributed Denial of Service (DDoS) attacks, duplication of entire websites, and identification of sudden changes in users’ behavior, which might be the consequence of malware infection or data exfiltration.

Modeling Correlation between Android Permissions Based on Threat and Protection Level Using Exploratory Factor Plane Analysis

The evolution of mobile technology has increased correspondingly with the number of attacks on mobile devices. Malware attack on mobile devices is one of the top security challenges the mobile community faces daily. While malware classification and detection tools are being developed to fight malware infection, hackers keep deploying different infection strategies, including permissions usage. Among mobile platforms, Android is the most targeted by malware because of its open OS and popularity. Permissions is one of the major security techniques used by Android and other mobile platforms to control device resources and enhance access control. In this study, we used the t-Distribution stochastic neighbor embedding (t-SNE) and Self-Organizing Map techniques to produce a visualization method using exploratory factor plane analysis to visualize permissions correlation in Android applications. Two categories of datasets were used for this study: the benign and malicious datasets. Dataset was obtained from Contagio, VirusShare, VirusTotal, and Androzoo repositories. A total of 12,267 malicious and 10,837 benign applications with different categories were used. We demonstrate that our method can identify the correlation between permissions and classify Android applications based on their protection and threat level. Our results show that every permission has a threat level. This signifies those permissions with the same protection level have the same threat level.

Machine-Learning-Based Android Malware Family Classification Using Built-In and Custom Permissions

Malware family classification is grouping malware samples that have the same or similar characteristics into the same family. It plays a crucial role in understanding notable malicious patterns and recovering from malware infections. Although many machine learning approaches have been devised for this problem, there are still several open questions including, “Which features, classifiers, and evaluation metrics are better for malware familial classification”? In this paper, we propose a machine learning approach to Android malware family classification using built-in and custom permissions. Each Android app must declare proper permissions to access restricted resources or to perform restricted actions. Permission declaration is an efficient and obfuscation-resilient feature for malware analysis. We developed a malware family classification technique using permissions and conducted extensive experiments with several classifiers on a well-known dataset, DREBIN. We then evaluated the classifiers in terms of four metrics: macrolevel F1-score, accuracy, balanced accuracy (BAC), and the Matthews correlation coefficient (MCC). BAC and the MCC are known to be appropriate for evaluating imbalanced data classification. Our experimental results showed that: (i) custom permissions had a positive impact on classification performance; (ii) even when the same classifier and the same feature information were used, there was a difference up to 3.67% between accuracy and BAC; (iii) LightGBM and AdaBoost performed better than other classifiers we considered.

SOFT COMPUTING: EXPERIMENTATION OF MULTI-CLASSIFIER-BASED CYBERATTACK DETECTION SYSTEM

The World Wide Web is used by hackers to send malicious attack in form of phishing, e-mail spoofing and malware infection to people.

Malware Infections in the U.S. during the COVID-19 Pandemic: An Empirical Study

The COVID-19 pandemic has changed the world in many ways, especially in the landscape of cyber threats. The pandemic has pro-vided cybercriminals with more opportunities to commit crimes due to more people engaging in online activities, along with the increased use of computers for school, work, and social events. The current study seeks to explore cybercrime trends, in particular malware infections, during the COVID-19 pandemic. Thus, this study examines the relationship between the number of malware in-fections, COVID-19 positive cases, closed non-essential businesses, and closed K-12 public schools in the United States. Data utilized in this study derives from (1) Kaspersky Cyberthreat Real-Time Map, (2) Centers for Disease Control and Prevention (CDC), and (3) COVID-19 US State Policy Database over the course of six months from January of 2020 to June of 2020. The findings of this study reveal that there are associations between the number of malware infections, COVID-19 positive cases, and closed non-essential busi-nesses. However, interestingly, there is no link between the number of malware infections and closed K-12 public schools. Policy impli-cations and the limitations of this study are also discussed.

Malware Infections in the U.S. during the COVID-19 Pandemic: An Empirical Study

Malware Infections in the U.S. during the COVID-19 Pandemic: An Empirical Study

HTTP-Based APT Malware Infection Detection Using URL Correlation Analysis

APT malware exploits HTTP to establish communication with a C & C server to hide their malicious activities. Thus, HTTP-based APT malware infection can be discovered by analyzing HTTP traffic. Recent methods have been dependent on the extraction of statistical features from HTTP traffic, which is suitable for machine learning. However, the features they extract from the limited HTTP-based APT malware traffic dataset are too simple to detect APT malware with strong randomness insufficiently. In this paper, we propose an innovative approach which could uncover APT malware traffic related to data exfiltration and other suspect APT activities by analyzing the header fields of HTTP traffic. We use the Referer field in the HTTP header to construct a web request graph. Then, we optimize the web request graph by combining URL similarity and redirect reconstruction. We also use a normal uncorrelated request filter to filter the remaining unrelated legitimate requests. We have evaluated the proposed method using 1.48 GB normal HTTP flow from clickminer and 280 MB APT malware HTTP flow from Stratosphere Lab, Contagiodump, and pcapanalysis. The experimental results have shown that the URL-correlation-based APT malware traffic detection method can correctly detect 96.08% APT malware traffic, and its recall rate is 98.87%. We have also conducted experiments to compare our approach against Jiang’s method, MalHunter, and BotDet, and the experimental results have confirmed that our detection approach has a better performance, the accuracy of which reached 96.08% and the F1 value increased by more than 5%.

Co-similar malware infection patterns as a predictor of future risk.

The internet is flooded with malicious content that can come in various forms and lead to information theft and monetary losses. From the ISP to the browser itself, many security systems act to defend the user from such content. However, most systems have at least one of three major limitations: 1) they are not personalized and do not account for the differences between users, 2) their defense mechanism is reactive and unable to predict upcoming attacks, and 3) they extensively track and use the user’s activity, thereby invading her privacy in the process. We developed a methodological framework to predict future exposure to malicious content. Our framework accounts for three factors–the user’s previous exposure history, her co-similarity to other users based on their previous exposures in a conceptual network, and how the network evolves. Utilizing over 20,000 users’ browsing data, our approach succeeds in achieving accurate results on the infection-prone portion of the population, surpassing common methods, and doing so with as little as 1/1000 of the personal information it requires.

A system dynamics, epidemiological approach for high-level cyber-resilience to zero-day vulnerabilities

ABSTRACT Cyber-attacks are serious threats to operations in most industries, enabled by a growing dependence on Information Technology (IT). To minimise disruptive effects on operations, organisations with complex system derive value both from preventing cyber-attacks and from responding promptly and coherently when cyber-attacks happen, capacity is known as cyber-resilience. Frameworks have been presented in literature to promote cyber-resilient response, yet little is known about the structures that result in a cyber-resilient behaviour. This paper explores an approach to modelling the structure of a system that is subject to an infection an eventual recovery from zero-day malware cyber-attacks, based on mechanisms derived from epidemiology. By analysing the relationship between the system vulnerabilities and the incidence of malware infections in a population of systems, this paper derives structural recommendations for resilience response, and policy requirements based on the claim that cyber-threats are a public-cyber-health issue instead of merely a competitive factor.

Training Neural Networks by Enhance Grasshopper Optimization Algorithm for Spam Detection System

A significant negative impact of spam e-mail is not limited only to the serious waste of resources, time, and efforts, but also increases communications overload and cybercrime. Perhaps the most damaging aspect of spam email is that it has become such a major tool for attacks of cross-site scripting, malware infection, phishing, and cross-site request forgery, etc. Due to the nature of the adaptive unsolicited spam, it has been weakening the effect of the previous discovery techniques. This article proposes a new Spam Detection System (SDS) framework, by using a series of six different variants of enhanced Grasshopper Optimization Algorithm (EGOAs), which are investigated and combined with a Multilayer Perceptron (MLP) for the purpose of advanced spam email detection. In this context, the combination of MLP and EGOAs produces Neural Network (NN) models, referred to (EGOAMLPs). The main idea of this research is to use EGOAs to train the MLP to classify the emails as spam and non-spam. These models are applied to SpamBase, SpamAssassin, and UK-2011 Webspam benchmark datasets. In this way, the effectiveness of our models on detecting diverse forms of spam email is evidenced. The results showed that the proposed MLP model trained by EGOAs achieves a higher performance compared to other optimization methods in terms of accuracy, detection rate, and false alarm rate.

Corrigendum to “Nodes Availability Analysis of NB‐IoT Based Heterogeneous Wireless Sensor Networks under Malware Infection”

Corrigendum to “Nodes Availability Analysis of NB‐IoT Based Heterogeneous Wireless Sensor Networks under Malware Infection”

Detecting Malware Infection on Infrastructure Hosted in Iaas Cloud using Cloud Visibility and Forensics

Cloud computing has been adopted very rapidly by organizations with different businesses and sizes, the use of cloud services is rising at an unparalleled rate these days especially IaaS services as cloud providers offer more powerful resources with flexible offerings and models. This rapid adoption opens new surface attacks to the organizations that attackers abuse with their malware to take advantage of these powerful resources and the valuable data that exist on them. Therefore for organizations to well defend against malware attacks they need to have full visibility not only on their data centers but also on their resources hosted on the cloud and don't take their security for granted. This paper discusses and aims to provide the best approaches to achieve continuous monitoring of malware attacks on the cloud along with their phases (before, during, and after) and the limitations of today's available techniques suggesting needed developments. Logging and forensics techniques have always been the cornerstone of achieving continuous monitoring and detection of malware attacks on-premises, this paper defines the best methods to bring loggings and forensics to the cloud and integrate them with on-premises visibility, thus achieving the full monitoring over the whole security posture of the organization assets whether they are on-premises or on the cloud.

Specifics of the organization and planning of the investigation of crimes committed with the malware

The number of cases of malicious computer programs in Russia has increased significantly over the past few years. The authors set out to establish the features of the organization and planning of the investigation of crimes of this type and to analyze the investigative activities in order to find ways to further improve the fight against computer crime. The purpose of the study is to determine the most promising areas of organizing and planning the investigation of crimes involving malware. The results of the study are expressed as follows: 1. At the stage of checking a crime report, where there is a high probability of malicious computer programs being used by the perpetrators, the investigator immediately establishes full control over the victim's computer equipment and access to his electronic accounts. The selection of explanations from the applicant, the examination of computer equipment and the appointment of a forensic computer-technical examination in order to establish the fact of infection with malware. 2. The focus of the investigator's actions is based on the promotion and verification of versions about the existence of a crime, the time of its commission, the establishment of harm to the applicant, the classification of malicious computer programs, the mechanism of infection of the victim's software and the methods of harming him. All this information is defined as the circumstances to be established for the initiation of a criminal case. 3. The tactical risks of organizing the investigation are the inability of the expert to classify the program as malicious in the presence of harm, as well as the use of a set of measures to anonymize the perpetrators of their actions, and even the unreliability of the information about the incident reported by the applicant himself. 4. The method of malware infection and the resulting traces depend on the model of interaction with the victim chosen by the criminals. Here you can find both the distribution of the program under the guise of a service, service, complementing other and expanding the capabilities of the computer, and the notification of the victim that the use of the program is illegal, but will bring him benefits from its use. In such cases, the investigator has to deal with organized, secret groups of criminals.

A System Dynamics, Epidemiological Approach for High-Level Cyber-Resilience to Zero-Day Vulnerabilities

Cyber-attacks are serious threats to operations in most industries, enabled by a growing dependence on Information Technology (IT). To minimize disruptive effects on operations, organizations with complex system derive value both from preventing cyber-attacks and from responding promptly and coherently when cyber-attacks happen, capacity is known as cyber-resilience. Frameworks have been presented in literature to promote cyber-resilient response, yet little is known about the structures that result in a cyber-resilient behavior. This paper explores an approach to modeling the structure of a system that is subject to an infection an eventual recovery from zero-day malware cyber-attacks, based on mechanisms derived from epidemiology. By analyzing the relationship between the system vulnerabilities and the incidence of malware infections in a population of systems, this paper derives structural recommendations for resilience response, and policy requirements based on the claim that cyber-threats are a public-cyber-health issue instead of merely a competitive factor.

To clean or not to clean: Malware removal strategies for servers under load

We consider how to best schedule reparative downtime for a customer-facing online service that is vulnerable to cyber attacks such as malware infections. These infections can cause performance degradation (i.e., a slower service rate) and facilitate data theft, both of which have monetary repercussions. Infections may go undetected and can only be removed by time-consuming cleanup procedures, which require temporarily taking the service offline. From a security-oriented perspective, cleanups should be undertaken as frequently as possible. From a performance-oriented perspective, frequent cleanups are desirable because they maintain faster service, but they are simultaneously undesirable because they lead to more frequent downtimes and subsequent loss of revenue. We ask when and how often cleanups should happen.In order to analyze various downtime scheduling policies, we combine queueing-theoretic techniques with a revenue model to capture the problem’s tradeoffs. Unlike classical repair problems, this problem necessitates the analysis of a quasi-birth-death Markov chain, tracking the number of customer requests in the system and the (possibly unknown) infection state. We adapt a recent analytic technique, Clearing Analysis on Phases (CAP), to determine the exact steady-state distribution of the underlying Markov chain, which we then use to compute revenue rates and make recommendations. Prior work on downtime scheduling under cyber attacks relies on heuristic approaches, with our work being the first to address this problem analytically.