Malware Variants Research Articles

Analysis of Malware Detection Using Various Machine Learning Approach

The number one goal of this research is to decorate existing methodologies for malware detection via developing a robust and scalable version that robotically identifies malware via the analysis of difficult styles inside both records and code, moving beyond traditional signature-primarily based methods. constructing on previous studies that have efficaciously implemented more than a few devices getting to know techniques, this technique will integrate each supervised and unsupervised studying algorithm. especially, category strategies consisting of choice bushes, random forests, and help vector machines, which have validated accuracies starting from 85% to 95%, could be utilized along superior deep getting to know frameworks, which includes neural networks, which have said accuracies exceeding 96% in positive contexts. by means of education these fashions on an in depth and various dataset that consists of both benign and malicious files, this study aims to improve the version's generalization abilities, consequently allowing it to efficiently perceive new, previously unknown malware variants. The overall performance of the proposed model can be rigorously evaluated against installed benchmarks and metrics, consisting of accuracy, precision, bear in mind, and the false tremendous fee, making sure its efficacy in actual-time malware detection eventualities. This multifaceted technique not best seeks to develop the sphere of cybersecurity but also builds on the foundational paintings of others, offering a greater adaptive and proactive way of malware identification that aligns with present day developments in gadget studying and cybersecurity studies

Ransomware Mitigation for Secure and Smart Cloud Manufacturing Using GeniLeaf Decision Tree with Load Balancing

Background: Cyber-attacks related to ransomware have increased significantly in cloud manufacturing industries over the last decade, causing considerable disruptions to organizations. This type of information may also include personal details, patent rights, bank account details, etc. This type of malware requires new and better mitigation methods. Objective: The primary objective of this study was to provide an algorithm to execute experiments using genetic algorithms for load balancing with decision trees and mitigate ransomware. Methods: Hybrid analysis and machine learning techniques were used in this study to identify ransomware. Since a wide range of samples impacted by ransomware share most of the characteristics, it may be possible to use this study to detect current and future malware variants in industries. Results: In patented industrial technology, ransomware mitigation plays a crucial role based on the analysis of various papers and patents-to-science references. In this study, a machine learning mitigation algorithm, GeniLeaf Decision Tree (GLDT), was applied to a featured dataset using a genetic algorithm with a decision tree Conclusion: Machine learning and load balancing are used to gain insight into ransomware behavior. By using the proposed approach to mitigate ransomware and spoofing patterns, a high level of accuracy is achieved. Using GeniLeaf Decision Trees to mitigate ransomware is a significant innovation.

Malware Detection and Classification using Generative Adversarial Network

The Generative Adversarial Networks (GANs) are playing a crucial role in deep-learning-based malware classification to overcome the dataset imbalance and unseen malware. The Generative AI is preferably used in many applications, such as improving image resolution and generating audio, video, and text. The cybercriminals are also using the Generative AI for generating the malware and deepfake videos to harm the targeted person or device. By generating the synthetic data, it makes the deep learning model more robust to detect such types of unseen and adversarial attacks. This work utilizes GANs for generating adversarial malware samples to train a classification and detection model, improving the model’s ability to identify sophisticated malware variants. The performance of the proposed Conditional Generative Adversarial Network (CGAN) model is evaluated on a multiclass malware grayscale image dataset and a binary class malware RGB image dataset. The performance of proposed model is compared with current state-of-the-art. Results indicate a significant improvement in classification accuracy and a reduction in training time and false positives, showcasing GAN’s potential in the dynamic cybersecurity landscape.

Deep learning-based improved transformer model on android malware detection and classification in internet of vehicles

With the growing popularity of autonomous vehicles (AVs), confirming their safety has become a significant concern. Vehicle manufacturers have combined the Android operating system into AVs to improve consumer comfort. However, the diversity and weaknesses of the Android operating system pose substantial safety risks to AVs, as these factors can expose them to threats, namely Android malware. The advanced behaviour of multi-data source fusion in autonomous driving models has mitigated recognition accuracy and effectualness for Android malware. To efficiently counter new malware variants, novel techniques distinct from conventional methods must be utilized. Machine learning (ML) techniques cannot detect every new and complex malware variant. The deep learning (DL) model is an efficient tool for detecting various malware variants. This manuscript proposes a Deep Learning-Based Improved Transformer Model on Android Malware Detection (DLBITM-AMD) technique for Internet vehicles (IoVs). The main aim of the presented DLBITM-AMD approach is to detect Android malware effectually and accurately. The DLBITM-AMD method performs a Z-score normalization process to convert the raw data into a standard form. Then, the DLBITM-AMD approach utilizes the binary grey wolf optimization (BGWO) model to select optimum feature subsets. An improved transformer is integrated with the RNN model and softmax to enhance classification for Android malware recognition. Finally, the snake optimizer algorithm (SOA) method is employed to select the optimum parameter for the classification method. An extensive experiment of the DLBITM-AMD method is accomplished on a benchmark dataset. The performance validation of the DLBITM-AMD technique portrayed a superior accuracy value of 99.26% over existing Android malware recognition models.

IMCMK-CNN: A lightweight convolutional neural network with Multi-scale Kernels for Image-based Malware Classification

Rapid and accurate identification of unknown malware and its variants is the premise and basis for the effective prevention of malicious attacks. However, with the explosive growth of malware variants, the efficiency of manual updating of the sample database is getting worse and worse. It is difficult for the traditional identification methods to effectively capture the sample feature information operated by the confusion method only based on the delayed database information. The research into the direction of malware detection is dedicated to surmounting the limitations of conventional detection methodologies, and delves deeply into the application of cutting-edge technologies such as data visualization, machine learning, and hybrid detection within the realm of malware detection. Through these investigations, our goal is to construct a detection system that is both more precise and efficient, capable of addressing the ever-evolving threats to cybersecurity. Pursuing research in this direction is not only vital for enhancing network security defenses and safeguarding user data, but it will also foster the advancement of related state-of-the-art technologies and further mitigate the economic and societal repercussions of malware attacks. In light of this issue, this paper proposes the Image-based Malware Classification with Multi-scale Kernels (IMCMK), a Convolutional Neural Network (CNN) architecture using multi-scale convolution kernels mixing action to improve malware variants detection capabilities. First, we propose the Multi-scale Kernels (MK) block combining deep large kernel convolution and standard small kernel convolution with shortcuts to improve the accuracy. Furthermore, we propose Multi-scale Kernel Fusion (MKF) to reduce the number of parameters that come with the large kernels. The improved Squeeze-and-Excitation (SE) block can obtain the correlation between different channels to further increase the model performance. Experimental results show that IMCMK outperforms the state-of-the-art methods in malware family classification accuracy, which has achieved 99.25 %.

Android Malware Detection Using Support Vector Regression for Dynamic Feature Analysis

Mobile devices face significant security challenges due to the increasing proliferation of Android malware. This study introduces an innovative approach to Android malware detection, combining Support Vector Regression (SVR) and dynamic feature analysis to address escalating mobile security challenges. Our research aimed to develop a more accurate and reliable malware detection system capable of identifying both known and novel malware variants. We implemented a comprehensive methodology encompassing dynamic feature extraction from Android applications, feature preprocessing and normalization, and the application of SVR with a Radial Basis Function (RBF) kernel for malware classification. Our results demonstrate the SVR-based model’s superior performance, achieving 95.74% accuracy, 94.76% precision, 98.06% recall, and a 96.38% F1-score, outperforming benchmark algorithms including SVM, Random Forest, and CNN. The model exhibited excellent discriminative ability with an Area Under the Curve (AUC) of 0.98 in ROC analysis. The proposed model’s capacity to capture complex, non-linear relationships in the feature space significantly enhanced its effectiveness in distinguishing between benign and malicious applications. This research provides a robust foundation for advancing Android malware detection systems, offering valuable insights for researchers and security practitioners in addressing evolving malware challenges.

PAFE: A lightweight visualization-based fast malware classification method

With the development of automated malware toolkits, cybersecurity faces evolving threats. Although visualization-based malware analysis has proven to be an effective method, existing approaches struggle with challenging malware samples due to alterations in the texture features of binary images during the visualization preprocessing stage, resulting in poor performance. Furthermore, to enhance classification accuracy, existing methods sacrifice prediction time by designing deeper neural network architectures. This paper proposes PAFE, a lightweight and visualization-based rapid malware classification method. It addresses the issue of texture feature variations in preprocessing through pixel-filling techniques and applies data augmentation to overcome the challenges of class imbalance in small sample datasets. PAFE combines multi-scale feature fusion and a channel attention mechanism, enhancing feature expression through modular design. Extensive experimental results demonstrate that PAFE outperforms the current state-of-the-art methods in both efficiency and effectiveness for malware variant classification, achieving an accuracy rate of 99.25 % with a prediction time of 10.04 ms.

GMADV: An android malware variant generation and classification adversarial training framework

Android malware uses anti-reverse analysis and APK shelling technology, which leads to the failure of the classification method based on decompiled features and the reduction of the classification accuracy based on single file features. Moreover, the lack of samples in some families of Android malware makes the classification model based on sample learning ineffective. To solve the above problems, this paper proposes a two-layer general framework for Android malware classification and adversarial training named GMADV, which enhances classifier performance through adversarial training. In the sample classification layer, based on the transformation method of the Markov model, it is proposed for the first time to convert the three files in the APK into RGB Markov images, and use VGG13 to automatically extract features and classification; In the variant amplification layer, the idea of "regression for generation" is firstly proposed, and GMM-GAN based on Gaussian process is designed to amplify the diversity of samples within the family. The experimental results show that RGB Markov images have better classification performance than grayscale images. On the three datasets, the classification effect after amplification has been improved to varying degrees, and all F1_Score reaches 95 %. Compared with other methods, GMADV has stronger family sample amplification ability and greater adversarial intensity.

A New Malware Classification Framework Based on Deep Learning Algorithms

Recent advancements in computer technology have precipitated a shift towards virtual environments, accelerated by the COVID-19 pandemic. Cybercriminals have capitalized on this trend, transitioning their activities to exploit vulnerabilities in cyberspace. Malicious software (malware) has emerged as a preferred tool for launching cyber-attacks, continually evolving with sophisticated obfuscation and packing techniques to evade detection. Traditional machine learning (ML) algorithms, once effective in identifying malware, are now struggling to keep pace with these advancements. In response, deep learning (DL) algorithms offer a promising solution, leveraging their ability to discern intricate patterns and correlations within data. This study proposes a novel hybrid deep-learning-based architecture, integrating two pre-trained network models to enhance classification accuracy. Through extensive evaluation on datasets including Malimg, Microsoft BIG 2015, and Malevis, the proposed method demonstrates significant improvements in accuracy, outperforming existing ML-based malware detection methods in the literature. Specifically, the proposed method achieves an impressive accuracy of 97.78% on the Malimg dataset, underscoring its effectiveness in combating sophisticated malware variants. Keywords — Malware, malware classification, malware detection, malware variants, deep neural networks, transfer learning, deep learning.

Evolving malware detection through instant dynamic graph inverse reinforcement learning

The rapid development and increasing evolution of malware necessitate novel defensive techniques with high accuracy and minimal false positives to safeguard information systems against potential threats. Unfortunately, current malware detection methods, primarily relying on deep learning to identify malicious fingerprints from extensive training sets, prove ineffective against few-shot and evolving malware variants. To address these challenges, this paper introduces MalIRL, which designs a model-free inverse reinforcement learning (IRL) mechanism to automatically capture the evolving attack intent of malware. Specifically, MalIRL explores six representative categories of malware actions and employs sliding windows to organically divide the massive malware execution event stream into multiple attack stages, achieving a reduced action space and state space. To model dynamic malicious environments, MalIRL proposes an instant dynamic heterogeneous graph representation learning technique. This technique learns state representations of different malware attack stages, enhancing detection accuracy and efficiency by incrementally capturing the newly added contextual semantics of diverse malware entities and relations. In experiments with three real-world malware datasets, MalIRL surpasses existing state-of-the-art methods, particularly in few-shot malware detection scenarios, MalIRL exhibits performance benefits of up to 18.9%.

A Lightweight CNN with LSTM Malware Detection Architecture for 5G and IoT Networks

Fifth-generation (5G) mobile networks are being deployed all over the world and researchers are concerned about the network's security against hacking. Researchers have focused heavily on this topic in recent years as new technologies attempt to integrate into numerous sectors of corporate and social organizations. Malicious software referred to as malware, is an unwanted application that attackers frequently use to execute online attacks. Advanced packing and obfuscation methods are being used by malware variants to continue their evolution. Due to several application features in 5G networks such as APIs, calls and SMS, it is difficult to detect and classify malware attacks. In a variety of research areas, deep learning (DL) techniques are effectively utilized to address malware-related solutions. Especially, convolutional neural networks (CNN) played a crucial role in the classification of malware detection in 5G networks and the Internet of Things (IoT). In this work, a lightweight CNN architecture with a sequential Long Short-Term Memory (LSTM) layer is developed for malware detection and classification trained on the Malimg dataset. The results prove that the proposed approach achieves 99.8% accuracy with an F1-score of 0.9925 for malware detection and outperforms state-of-the-art approaches in the literature. The classification performance is improved up to 12.8% and 14% in terms of accuracy and F1-score, respectively when compared with existing malware classification models.

A temporal analysis and evaluation of fuzzy hashing algorithms for Android malware analysis

Fuzzy hashing has been utilised in digital forensics and malware analysis for malware detection, malware variant classification, file clustering, document similarity detection, embedded object detection and fragment detection. Previous research considered the efficacy of fuzzy hashing at a point in time for malware classification and did not specifically address the problem of malware evolution. Android malware presents a significant cybersecurity threat, and since malware is constantly mutating, a temporal analysis of the effectiveness of fuzzy hashing techniques for Android malware detection and classification contributes to understanding the value of fuzzy hashes in the evolution of malware. Through experimental examination, this study sought to determine whether or not fuzzy hashes are always effective, how quickly malware is evolving, and how malware evolution affects fuzzy hashing. Comparisons are made between the performance of different fuzzy hashing algorithms and the distinction between hashes at the file and class levels. Experiments with known malware family and analysis with over 4500 APK files, including 100 benign samples collected from 2012 - 2022 were conducted using various fuzzy hashing algorithms, file-level and section-level similarity hashing, symbolic and raw opcode hashing, and optimisations for improving fuzzy hashing comparisons. The performance of the methods was evaluated using detection and false positive rates. The results show that fuzzy hashing algorithms remain a valuable technique that demonstrates robustness to malware evolution with 10-year detection rates of over 80%.

TL‐GNN: Android Malware Detection Using Transfer Learning

ABSTRACTMalware growth has accelerated due to the widespread use of Android applications. Android smartphone attacks have increased due to the widespread use of these devices. While deep learning models offer high efficiency and accuracy, training them on large and complex datasets is computationally expensive. Hence, a method that effectively detects new malware variants at a low computational cost is required. A transfer learning method to detect Android malware is proposed in this research. Because of transferring known features from a source model that has been trained to a target model, the transfer learning approach reduces the need for new training data and minimizes the need for huge amounts of computational power. We performed many experiments on 1.2 million Android application samples for performance evaluation. In addition, we evaluated how well our framework performed in comparison with traditional deep learning and standard machine learning models. In comparison with state‐of‐the‐art Android malware detection methods, the proposed framework offers improved classification accuracy of 98.87%, a precision of 99.55%, recall of 97.30%, F1‐measure of 99.42%, and a quicker detection rate of 5.14 ms using the transfer learning strategy.

Generative Adversarial Networks for Malware Detection in Cloud Computing Environments

In recent years, the proliferation of sophisticated malware threats has necessitated the development of advanced detection techniques to safeguard computer systems and networks. Generative Adversarial Networks (GANs), a class of deep learning models comprising a generator and a discriminator trained in an adversarial manner, have emerged as a promising tool for improving malware detection capabilities. Traditional signature-based malware detection struggles to keep pace with the ever-evolving threat landscape in cloud computing environments. This paper proposes a novel approach utilizing Generative Adversarial Networks (GANs) for enhanced malware detection. The GAN architecture generates realistic malware samples, refining the discriminator's ability to differentiate between legitimate and malicious software. This fosters a model adept at identifying zero-day attacks and unseen malware variants. Evaluation in a cloud environment assesses detection accuracy, efficiency, and generalizability. Findings underscore GANs' potential to enhance cloud-based malware detection, securing the future of cloud computing.

Classification of Malware Images Using Fine-Tunned ViT

Malware detection and classification have become critical tasks in ensuring the security and integrity of computer systems and networks. Traditional methods of malware analysis often rely on signature-based approaches, which struggle to cope with the ever-evolving landscape of malware variants. In recent years, deep learning techniques have shown promising results in automating the process of malware classification. This paper presents a novel approach to malware image classification using the Vision Transformer (ViT) architecture. In this work, we adapt the ViT model to the domain of malware analysis by representing malware images as input tokens to the ViT architecture. To evaluate the effectiveness of the proposed approach, we used a comprehensive dataset comprising 14,226 malware samples across 26 families. We compare the performance of our ViT-based classifier with traditional machine learning methods and other deep learning architectures. Our experimental results showcase the potential of the ViT in handling malware images, achieving a classification accuracy of 98.80%. The presented approach establishes a strong foundation for further research in utilizing state-of-the-art deep learning architectures for enhanced malware analysis and detection techniques.

MeMalDet: A memory analysis-based malware detection framework using deep autoencoders and stacked ensemble under temporal evaluations

Malware attacks continue to evolve, making detection challenging for traditional static and dynamic analysis techniques. On the other hand, memory analysis provides valuable behavioral insights, but prior research lacks temporal evaluations which are critical for robust detection of new malware variants over time. This paper presents MeMalDet, a novel memory analysis-based malware detection technique using deep autoencoders and stacked ensemble learning. We introduce an improved dataset with temporal attributes enabling more realistic evaluations of memory-based malware detection techniques under concept drift (temporal data split). MeMalDet extracts optimal features from memory dumps using deep autoencoders in an unsupervised manner, avoiding manual feature engineering. A stacked ensemble of supervised classifiers then performs highly accurate malware detection. Extensive experiments on our improved large-scale public dataset demonstrate MeMalDet’s ability to maintain high performance when detecting obfuscated malware under temporal splits. We achieve up to 98.82% accuracy and 98.72% F1-score in detecting previously unseen advanced obfuscated malware, significantly improving upon state-of-the-art memory analysis-based malware detection techniques. The improved dataset enables temporally robust evaluations, which is a novel contribution. MeMalDet combines the benefits of representation learning and supervised machine learning ensemble classification for effective malware detection over time using memory analysis. This research provides a new capability for identifying evasive modern malware and combating evolving real-world threats.

Improving Windows Malware Detection Using the Random Forest Algorithm and Multi-View Analysis

Cybercriminals motivated by malign purpose and financial gain are rapidly developing new variants of sophisticated malware using automated tools, and most of these malware target Windows operating systems. This serious threat demands efficient techniques to analyze and detect zero-day, polymorphic and metamorphic malware. This paper introduces two frameworks for Windows malware detection using random forest algorithms. The first scheme uses features obtained from static and dynamic analysis for training, and the second scheme uses features obtained from static, dynamic, malware image analysis, location-sensitive hashing and file format inspections. We carried out an extensive experiment on two feature sets, and the proposed schemes are evaluated using seven standard evaluation metrics. The experiment results demonstrate that the second scheme recognizes unseen malware better than the first scheme and three state-of-the-art works. The findings show that the second scheme’s multi-view feature set contributes to its 99.58% accuracy and lowers false positive rate of 0.54%.

Improving Automated Labeling for ATT&CK Tactics in Malware Threat Reports

Once novel malware is detected, threat reports are written by security companies that discover it. The reports often vary in the terminology describing the behavior of the malware making comparisons of reports of the same malware from different companies difficult. To aid in the automated discovery of novel malware, it was recently proposed that novel malware could be detected by identifying behaviors. This assumes that a core set of behaviors are present in most, if not all, malware variants. However, there is a lack of malware datasets that are labeled with behaviors. Motivated by a need to label malware with a common set of behaviors, this work examines automating the process of labeling malware with behaviors identified in malware threat reports despite the variability of terminology. To do so, we examine several techniques from the natural language processing (NLP) domain. We find that most state-of-the-art word embedding NLP methods require large amounts of data and are trained on generic corpora of text data—missing the nuances related to information security. To address this, we use simple feature selection techniques. We find that simple feature selection techniques generally outperform word embedding methods and achieve an increase of 6% in the F .5 -score over prior work when used to predict MITRE ATT&CK tactics in threat reports. Our work indicates that feature selection, which has commonly been overlooked by sophisticated methods in NLP tasks, is beneficial for information security related tasks, where more sophisticated NLP methodologies are not able to pick out relevant information security terms.

Employing Incremental Learning for the Detection of Multiclass New Malware Variants

Background/Objectives: The study aims to achieve two main objectives. The first is to reliably identify and categorize malware variations to maintain the security of computer systems. Malware poses a continuous threat to digital information and system integrity, hence the need for effective detection tools. The second objective is to propose a new incremental learning method. This method is designed to adapt over time, continually incorporating new data, which is crucial for identifying and managing multiclass malware variants. Methods: This study utilised an incremental learning technique as the basis of the approach, a type of machine learning whereby a system retains previous knowledge and builds upon the information from the newly acquired data. Particularly, this method is suitable for tackling mutating character of malware dangers. The researchers used various sets of actual world malwares for evaluating the applicability of these ideas which serves as an accurate test environment. Findings: The findings of the research are significant. We utilizing 6 different datasets, which included 158,101 benign and malicious instances, the method demonstrated a high attack detection accuracy of 99.34%. Moreover, the study was successful in identifying a new category of malware variants and distinguishing between 15 different attack categories. These results underscore the effectiveness of the proposed incremental learning method in a real-world scenario. Novelty: This research is unique because of the novel use of a tailored incremental learning technique for dealing with dynamic threat environment of malwares. However, with a new threat they cannot be so well adapted using traditional machine learning methods. On the other hand, the technique put forward in this paper facilitates continuous learning that can be modified to match different types of malicious software as they develop. The ability to evolve and adapt is an important addition to current cybersecurity practices that include malware identification and classification. Keywords: Cybersecurity, Malware Detection, Incremental learning

Detection of Malicious Threats Exploiting Clock-Gating Hardware Using Machine Learning

Embedded system technologies are increasingly being incorporated into manufacturing, smart grid, industrial control systems, and transportation systems. However, the vast majority of today’s embedded platforms lack the support of built-in security features which makes such systems highly vulnerable to a wide range of cyber-attacks. Specifically, they are vulnerable to malware injection code that targets the power distribution system of an ARM Cortex-M-based microcontroller chipset (ARM, Cambridge, UK). Through hardware exploitation of the clock-gating distribution system, an attacker is capable of disabling/activating various subsystems on the chip, compromising the reliability of the system during normal operation. This paper proposes the development of an Intrusion Detection System (IDS) capable of detecting clock-gating malware deployed on ARM Cortex-M-based embedded systems. To enhance the robustness and effectiveness of our approach, we fully implemented, tested, and compared six IDSs, each employing different methodologies. These include IDSs based on K-Nearest Classifier, Random Forest, Logistic Regression, Decision Tree, Naive Bayes, and Stochastic Gradient Descent. Each of these IDSs was designed to identify and categorize various variants of clock-gating malware deployed on the system. We have analyzed the performance of these IDSs in terms of detection accuracy against various types of clock-gating malware injection code. Power consumption data collected from the chipset during normal operation and malware code injection attacks were used for models’ training and validation. Our simulation results showed that the proposed IDSs, particularly those based on K-Nearest Classifier and Logistic Regression, were capable of achieving high detection rates, with some reaching a detection rate of 0.99. These results underscore the effectiveness of our IDSs in protecting ARM Cortex-M-based embedded systems against clock-gating malware.