Malware Signatures Research Articles

A Mult-Task System for Detecting and Classifying Malware Signatures Using Random Forest Classifier

The rapid increase in the use of information technology has made cyber-attacks a major concern in the use of internet by users globally. These attacks are carried out in different forms, some are carried out as phishing, man in the middle, malicious applications and so on. In this study we will focus on malware attack. Malicious applications have been a major challenge in the use of applications on windows operating system. These malicious attacks are being carried out in different forms. Some of these attacks are trojan, ransom, keylogger etc. The need to detect and classifier these malicious attacks in windows operating system is an important task. So therefore, this paper presents a smart system for detecting and classifying eight categories of malware attack on windows operating system using random forest classifier. The system starts by collecting signatures of malware attack on windows from Virus Share, Virus Sign and Github respiratory. The collected malware signatures went through the following stages of preprocessing (First stage, Second Stage, and Third Stage). The first stage has to do with creating a pandas. Dataframe using the malware signatures. The second stage has to with data cleaning and the third stage has to do with data transformation. The result of the Random Forest Classifier shows a promising performance in terms of accuracy, precision, f1-score, and recall. The result shows that the Random Forest Classifier has an accuracy of about 100% for each of the matrix evaluation. Keywords- Malware signatures, Random Forest Classifier, Windows operating System, Matrix Evaluation

Towards Accurate Run-Time Hardware-Assisted Stealthy Malware Detection: A Lightweight, yet Effective Time Series CNN-Based Approach

According to recent security analysis reports, malicious software (a.k.a. malware) is rising at an alarming rate in numbers, complexity, and harmful purposes to compromise the security of modern computer systems. Recently, malware detection based on low-level hardware features (e.g., Hardware Performance Counters (HPCs) information) has emerged as an effective alternative solution to address the complexity and performance overheads of traditional software-based detection methods. Hardware-assisted Malware Detection (HMD) techniques depend on standard Machine Learning (ML) classifiers to detect signatures of malicious applications by monitoring built-in HPC registers during execution at run-time. Prior HMD methods though effective have limited their study on detecting malicious applications that are spawned as a separate thread during application execution, hence detecting stealthy malware patterns at run-time remains a critical challenge. Stealthy malware refers to harmful cyber attacks in which malicious code is hidden within benign applications and remains undetected by traditional malware detection approaches. In this paper, we first present a comprehensive review of recent advances in hardware-assisted malware detection studies that have used standard ML techniques to detect the malware signatures. Next, to address the challenge of stealthy malware detection at the processor’s hardware level, we propose StealthMiner, a novel specialized time series machine learning-based approach to accurately detect stealthy malware trace at run-time using branch instructions, the most prominent HPC feature. StealthMiner is based on a lightweight time series Fully Convolutional Neural Network (FCN) model that automatically identifies potentially contaminated samples in HPC-based time series data and utilizes them to accurately recognize the trace of stealthy malware. Our analysis demonstrates that using state-of-the-art ML-based malware detection methods is not effective in detecting stealthy malware samples since the captured HPC data not only represents malware but also carries benign applications’ microarchitectural data. The experimental results demonstrate that with the aid of our novel intelligent approach, stealthy malware can be detected at run-time with 94% detection performance on average with only one HPC feature, outperforming the detection performance of state-of-the-art HMD and general time series classification methods by up to 42% and 36%, respectively.

Enhancing the Detection of Metamorphic Malware using Deep Learning

Malware is the name for a malicious variants. Malware models conatins code generated by cyberattackers, plan to cause distrupt to data and systems or to gain unauthorized access to a network. Malware have been enormously increasing in now a days. Majority of malware utilize obfuscation methods for avoidance and abstruse motive, but they conserve the purpose and malicious behaviour of native Rey. Attackers uses metamorphic techniques to build viruses that change their internal construction all bug. Malware signatures and behaviour samples acquire static and dynamic analysis that are ineffectual in recognising undetermine malwares.In general,these metamorphic viruses are very hard to detect. In this paper, we suggest HMM as a novel solution for metamorphic detection.

Malware Detection using Deep Learning

Malicious software or malware continues to pose a major security concern in this digital age as computer users, corporations, and governments witness an exponential growth in malware attacks. Current malware detection solutions adopt Static and Dynamic analysis of malware signatures and behaviour patterns that are time consuming and ineffective in identifying unknown malwares. Recent malwares use polymorphic, metamorphic and other evasive techniques to change the malware behaviour’s quickly and to generate large number of malwares. Since new malwares are predominantly variants of existing malwares, machine learning algorithms are being employed recently to conduct an effective malware analysis. This requires extensive feature engineering, feature learning and feature representation. By using the advanced MLAs such as deep learning, the feature engineering phase can be completely avoided. Though some recent research studies exist in this direction, the performance of the algorithms is biased with the training data. There is a need to mitigate bias and evaluate these methods independently in order to arrive at new enhanced methods for effective zero-day malware detection. To fill the gap in literature, this work evaluates classical MLAs and deep learning architectures for malware detection, classification and categorization with both public and private datasets. The train and test splits of public and private datasets used in the experimental analysis are disjoint to each other’s and collected in different timescales. In addition, we propose a novel image processing technique with optimal parameters for MLAs and deep learning architectures. A comprehensive experimental evaluation of these methods indicate that deep learning architectures outperform classical MLAs. Overall, this work proposes an effective visual detection of malware using a scalable and hybrid deep learning framework for real-time deployments. The visualization and deep learning architectures for static, dynamic and image processing-based hybrid approach in a big data environment is a new enhanced method for effective zero-day malware detection.

Deep Learning Classification Methods Applied to Tabular Cybersecurity Benchmarks

This research recasts the network attack dataset from UNSW-NB15 as an intrusion detection problem in image space. Using one-hot-encodings, the resulting grayscale thumbnails provide a quarter-million examples for deep learning algorithms. Applying the MobileNetV2’s convolutional neural network architecture, the work demonstrates a 97% accuracy in distinguishing normal and attack traffic. Further class refinements to 9 individual attack families (exploits, worms, shellcodes) show an overall 54% accuracy. Using feature importance rank, a random forest solution on subsets shows the most important source-destination factors and the least important ones as mainly obscure protocols. It further extends the image classification problem to other cybersecurity benchmarks such as malware signatures extracted from binary headers, with an 80% overall accuracy to detect computer viruses as portable executable files (headers only). Both novel image datasets are available to the research community on Kaggle.

DEEP LEARNING CLASSIFICATION METHODS APPLIED TO TABULAR CYBERSECURITY BENCHMARKS

This research recasts the network attack dataset from UNSW-NB15 as an intrusion detection problem in image space. Using one-hot-encodings, the resulting grayscale thumbnails provide a quarter-million examples for deep learning algorithms. Applying the MobileNetV2’s convolutional neural network architecture, the work demonstrates a 97% accuracy in distinguishing normal and attack traffic. Further class refinements to 9 individual attack families (exploits, worms, shellcodes) show an overall 54% accuracy. Using feature importance rank, a random forest solution on subsets shows the most important source-destination factors and the least important ones as mainly obscure protocols. It further extends the image classification problem to other cybersecurity benchmarks such as malware signatures extracted from binary headers, with an 80% overall accuracy to detect computer viruses as portable executable files (headers only). Both novel image datasets are available to the research community on Kaggle.

Getting Ahead of the Arms Race: Hothousing the Coevolution of VirusTotal with a Packer.

Malware detection is in a coevolutionary arms race where the attackers and defenders are constantly seeking advantage. This arms race is asymmetric: detection is harder and more expensive than evasion. White hats must be conservative to avoid false positives when searching for malicious behaviour. We seek to redress this imbalance. Most of the time, black hats need only make incremental changes to evade them. On occasion, white hats make a disruptive move and find a new technique that forces black hats to work harder. Examples include system calls, signatures and machine learning. We present a method, called Hothouse, that combines simulation and search to accelerate the white hat’s ability to counter the black hat’s incremental moves, thereby forcing black hats to perform disruptive moves more often. To realise Hothouse, we evolve EEE, an entropy-based polymorphic packer for Windows executables. Playing the role of a black hat, EEE uses evolutionary computation to disrupt the creation of malware signatures. We enter EEE into the detection arms race with VirusTotal, the most prominent cloud service for running anti-virus tools on software. During our 6 month study, we continually improved EEE in response to VirusTotal, eventually learning a packer that produces packed malware whose evasiveness goes from an initial 51.8% median to 19.6%. We report both how well VirusTotal learns to detect EEE-packed binaries and how well VirusTotal forgets in order to reduce false positives. VirusTotal’s tools learn and forget fast, actually in about 3 days. We also show where VirusTotal focuses its detection efforts, by analysing EEE’s variants.

Learning metamorphic malware signatures from samples

Metamorphic malware are self-modifying programs which apply semantic preserving transformations to their own code in order to foil detection systems based on signature matching. Metamorphism impacts both software security and code protection technologies: it is used by malware writers to evade detection systems based on pattern matching and by software developers for preventing malicious host attacks through software diversification. In this paper, we consider the problem of automatically extracting metamorphic signatures from the analysis of metamorphic malware variants. We define a metamorphic signature as an abstract program representation that ideally captures all the possible code variants that might be generated during the execution of a metamorphic program. For this purpose, we developed MetaSign: a tool that takes as input a collection of metamorphic code variants and produces, as output, a set of transformation rules that could have been used to generate the considered metamorphic variants. MetaSign starts from a control flow graph representation of the input variants and agglomerates them into an automaton which approximates the considered code variants. The upper approximation process is based on the concept of widening automata, while the semantic preserving transformation rules, used by the metamorphic program, can be viewed as rewriting rules and modeled as grammar productions. In this setting, the grammar recognizes the language of code variants, while the production rules model the metamorphic transformations. In particular, we formalize the language of code variants in terms of pure context-free grammars, which are similar to context-free grammars with no terminal symbols. After the widening process, we create a positive set of samples from which we extract the productions of the grammar by applying a learning grammar technique. This allows us to learn the transformation rules used by the metamorphic engine to generate the considered code variants. We validate the results of MetaSign on some case studies.

Update from the Standards Vice President

<fig orientation="portrait" position="float" xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink"> <graphic orientation="portrait" position="float" xlink:href="devli-3046907.tif"/> </fig> We are Now Cloud-First was the opening phrase from my last <italic xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">Journal</i> piece. This is particularly important when considering workflows and security. The security industry has been changing its methodologies. Techniques such as firewalls, perimeter security, and malware signature detection are still vital and needed, but there is an increasing understanding that this is not enough. Newer methodologies such as Zero Trust seek to bring security to the front of the equipment, system, and facility design cycle.

LimonDroid: a system coupling three signature-based schemes for profiling Android malware

Android remains an interesting target to attackers due to its openness. A contribution in the literature consists of providing similarity measurement such as fuzzy hashing to fight against code obfuscation techniques. Research works in this approach suffer from limited signature database. This work combines fuzzy hashing with YARA rules and VirusTotal signature-based schemes, to improve and consistency of the signature database. It is proposed LimonDroid, an Android system, which mimics Limon, a Desktop security tool that includes such schemes. LimonDroid has been tested with 341 malicious and 300 benign applications on a database of 12925 fuzzy-hashed malware signatures, 62 YARA malware families’ patterns and VirusTotal engine. Our approach gives a true-positive rate of 97.36%, a true negative rate of 98.33% and an accuracy of 97.82%. A comparison with similarity-based solutions reveals that LimonDroid is more efficient for users. The objective is not to propose a detection approach better than those in the literature. Instead, we aim at establishing a robust signature database able to identify malicious trends in Android apps.

OpCode-Level Function Call Graph Based Android Malware Classification Using Deep Learning.

Due to the openness of an Android system, many Internet of Things (IoT) devices are running the Android system and Android devices have become a common control terminal for IoT devices because of various sensors on them. With the popularity of IoT devices, malware on Android-based IoT devices is also increasing. People’s lives and privacy security are threatened. To reduce such threat, many researchers have proposed new methods to detect Android malware. Currently, most malware detection products on the market are based on malware signatures, which have a fast detection speed and normally a low false alarm rate for known malware families. However, they cannot detect unknown malware and are easily evaded by malware that is confused or packaged. Many new solutions use syntactic features and machine learning techniques to classify Android malware. It has been known that analysis of the Function Call Graph (FCG) can capture behavioral features of malware well. This paper presents a new approach to classifying Android malware based on deep learning and OpCode-level FCG. The FCG is obtained through static analysis of Operation Code (OpCode), and the deep learning model we used is the Long Short-Term Memory (LSTM). We conducted experiments on a dataset with 1796 Android malware samples classified into two categories (obtained from Virusshare and AndroZoo) and 1000 benign Android apps. Our experimental results showed that our proposed approach with an accuracy of outperforms the state-of-the-art methods such as those proposed by Nikola et al. and Hou et al. (IJCAI-18) with the accuracy of and , respectively. The time consumption of our proposed approach is less than the other two methods.

Robust Intelligent Malware Detection using Light GBM Algorithm

Attackers take advantage of every second that the anti- vendor delays identifying the attacking malware signature and to provide notifications. In addition, the longer the detection period delayed, the greater the damage to the host device. To put it another way, the lack of ability to detect attacks early complicates the problem and rises serious harm. Consequently, this research intends to develop a knowledgeable anti-malware system capable of immediately detecting and terminating malware actions, rather than waiting for anti-malware updates. The research concentrates in its scope on the detection of malware on the Internet of Things (IoT), based on Machine Learning (ML) techniques. A latest open source ML algorithm called the Light Gradient Boosting Algorithm (LightGBM) has been used to develop our instant host and network layer anti-malware approach without any human intervention. For examination reasons, the suggested approach serves the LightGBM machine learning algorithm to adopt datasets obtained from real IoT devices using the LightGBM machine learning algorithm. The results indicate a successful method to detecting and classifying high accuracy malware at both network and host levels based on the Holdout method of cross-validation. Additionally, this result is better than many prior related studies which used different algorithms of Machine Learning and Deep Learning. Though, an old study which used the same dataset was the best among the literature. However, it still slightly less than what this study achieved, besides the complexity which deep learning adds. Lastly, the results show the ability of the proposed approach to detect IoT botnet attacks fast, which is a vital feature to end botnet activity before spreading to any new network device.

Investigation of Dual-Flow Deep Learning Models LSTM-FCN and GRU-FCN Efficiency against Single-Flow CNN Models for the Host-Based Intrusion and Malware Detection Task on Univariate Times Series Data

Intrusion and malware detection tasks on a host level are a critical part of the overall information security infrastructure of a modern enterprise. While classical host-based intrusion detection systems (HIDS) and antivirus (AV) approaches are based on change monitoring of critical files and malware signatures, respectively, some recent research, utilizing relatively vanilla deep learning (DL) methods, has demonstrated promising anomaly-based detection results that already have practical applicability due low false positive rate (FPR). More complex DL methods typically provide better results in natural language processing and image recognition tasks. In this paper, we analyze applicability of more complex dual-flow DL methods, such as long short-term memory fully convolutional network (LSTM-FCN), gated recurrent unit (GRU)-FCN, and several others, for the task specified on the attack-caused Windows OS system calls traces dataset (AWSCTD) and compare it with vanilla single-flow convolutional neural network (CNN) models. The results obtained do not demonstrate any advantages of dual-flow models while processing univariate times series data and introducing unnecessary level of complexity, increasing training, and anomaly detection time, which is crucial in the intrusion containment process. On the other hand, the newly tested AWSCTD-CNN-static (S) single-flow model demonstrated three times better training and testing times, preserving the high detection accuracy.

Malware Detection by Risky Zone “Signature” Extraction from API Calls String Transformation using (AOSSR) Technique

Low accuracy of malware detection exists in malware detectors that are based on various malware representation architectures due to several problems as in case of API call graph construction and matching algorithms, where a major issue of building a precise call graph from the information collected about malware samples, also graph matching algorithms are having NP-Complete Problems and slow because of their computational complexity [1], [2]. Moreover, increasing the malware detection accuracy based on API call graphs by enhancing the graph matching and construction algorithms, experiences more computational time taken for matching process and in construction process as there are many graphs created which makes it so difficult to fetch or identify the malware (Elhadi et al., 2013) [3]. It has been further argued by (Li et al., 2018) that in case of malevolent activities, it is comparatively intricate to find whether the software will fall under the spell of malicious occurrences or not, since the duty to determine whether the conduct of a program is malicious is quite complex [4]. This research proposes enhancement of API String-based representation technique through the implementation of a malware detection framework that adopts String-based representation of the malware signature which is a compact representation of the malware risky zone where only the set of API calls representing the actual malware behaviour is accounted in the String using Absolute Order Signature String Representation technique (AOSSR) to represent the malware Strings resulting in a better performance of malware detection accuracy. The Methodology this research work follows mainly composed of three phases. The first phase deals with the conversion of the known malware samples from text format to string format. The second phase addresses the extractaction of the risky zone of an input file which is the file that needs to be checked, by the help of the file signatures already been presented in the database. The third phase addresses how to match two strings efficiency. The Application of the research is very clear as last experiment conducted on 515 malware samples demonstrates that the proposed malware detection architecture has 98% accuracy and 0 false positive rates. Comparing three families, using Analysis of Variance (ANOVA) test it is proven there is no significant difference (p&gt;0.05) in the detection rate of algorithm across the three families of malwares. The algorithms performance is consistent. The result also shows that the Receiver Operating Characteristics (ROC) curves display a better True Positives Rate (TPR) for the proposed architecture over the previous attempts, which reflect significant improvement of TPR.

Imaging and evaluating the memory access for malware

Malware analysis is a forensic process. After infection and the damage represented itself with the full scale, then the analysis of the attack, the structure of the executable and the aim of the malware can be discovered. These discoveries are converted into analysis reports and malware signatures and shared among antivirus databases and threat intelligence exchange platforms. This highly valuable information is then utilized in the detection mechanisms to prevent further dissemination and infections of malware. The types of analysis of the malware sample in this process can be grouped into two categories: static analysis and dynamic analysis. In static analysis, the executable file is reverted to the source code through disassemblers and reverse engineering software and analyzed whereas dynamic analysis includes running the sample in an isolated environment and analyzing its behavior. Both static and dynamic analysis have limitations such as packing, obfuscation, dead code insertion, sandbox detection, and anti-debugging techniques. Memory operations, on the other hand, are not possible to hide by these limitations and inevitable for any software since the inventions of the computational models. Therefore, in this research, memory operations and access patterns for the malicious acts are examined, and a contribution of a novel approach for extracting of memory access images is presented. In addition to extraction, methods of how these images can be used for detection and comparison is introduced through an image comparison technique.

Deep feature transfer learning for trusted and automated malware signature generation in private cloud environments

This paper presents TrustSign, a novel, trusted automatic malware signature generation method based on high-level deep features transferred from a VGG-19 neural network model pretrained on the ImageNet dataset. While traditional automatic malware signature generation techniques rely on static or dynamic analysis of the malware’s executable, our method overcomes the limitations associated with these techniques by producing signatures based on the presence of the malicious process in the volatile memory. By leveraging the cloud’s virtualization technology, TrustSign analyzes the malicious process in a trusted manner, since the malware is unaware and cannot interfere with the inspection procedure. Additionally, by removing the dependency on the malware’s executable, our method is fully capable of signing fileless malware as well. TrustSign’s signature generation process does not require feature engineering or any additional model training, and it is done in a completely unsupervised manner, eliminating the need for a human expert. Because of this, our method has the advantage of dramatically reducing signature generation and distribution time. In fact, in this paper we rethink the typical use of deep convolutional neural networks and use the VGG-19 model as a topological feature extractor for a vastly different task from the one it was trained for. The results of our experimental evaluation demonstrate TrustSign’s ability to generate signatures impervious to the process state over time. By using the signatures generated by TrustSign as input for various supervised classifiers, we achieved up to 99.5% classification accuracy.

N/A and Signature Analysis for Malwares Detection and Removal

Objectives: This study aimed to design an application that effectively scans, detects, and removes malware based on their signatures and behaviours. Methods/Statistical analysis: The rapid growth in the number and types of malware poses high security risks despite the numerous antivirus softwares with Signature-Based Detection (SBD) method. The SBD method depends on the signatures or malware names that are available in the algorithm database. Findings: Malware is a type of malicious software that poses security threats to the targeted system, resulting in information loss, resource abuse, or system damage. The antivirus software is one of the most commonly used security tools to detect and remove malware. However, the malware defences should focus on the malware signatures since there is no universal way of recognising all malware. Therefore, this study suggested N/A detection technique as the dynamic method (behaviour-based detection method) that depends on the Windows Registry (system database). Both static and dynamic detection methods were assessed in this study. Based on the experimental outcomes, SBD method detected and removed most of malware (only known viruses). Application/Improvements: Meanwhile, the N/A detection method detected and removed all injected malware (known and unknown Trojan horse) within a relatively low running time. Keywords: Dynamic Method, Malicious Software, Malware Detection, Signature Analysis, Static Method

Machine-Learning based analysis and classification of Android malware signatures

Multi-scanner Antivirus (AV) systems are often used for detecting Android malware since the same piece of software can be checked against multiple different AV engines. However, in many cases the same software application is flagged as malware by few AV engines, and often the signatures provided contradict each other, showing a clear lack of consensus between different AV engines. This work analyzes more than 80 thousand Android applications flagged as malware by at least one AV engine, with a total of almost 260 thousand malware signatures. In the analysis, we identify 41 different malware families, we study their relationships and the relationships between the AV engines involved in such detections, showing that most malware cases belong to either Adware abuse or really dangerous Harmful applications, but some others are unspecified (or Unknown). With the help of Machine Learning and Graph Community Algorithms, we can further combine the different AV detections to classify such Unknown apps into either Adware or Harmful risks, reaching F1-score above 0.84.

Analysis and classification of context-based malware behavior

This paper presents an overview of the findings on trigger-based malware behavior elicitation, classification, modeling, and behavioral signature generation. Considering reactions to environmental conditions, we suggest a new classification of trigger-based malware behavior as evasive and elicited behaviors. Both these behaviors are concerned with the elaboration of environmental conditions. However, evasive behaviors are targeted at self-defense while elicited behaviors manifest malware opportunism for malicious acts. Therefore, appropriate models, representing such behaviors are expected to provide indications of the conditions conducting different sub-behaviors. To this aim, we propose a new behavioral model based on a conditioned graph structure. To elicit trigger-based behaviors, we offer a greedy approach to gradual collection and feeding of environmental conditions in successive runs of a malware sample. To this aim, we have supplied our analysis environment, Parsa sandbox, with a new component, VECG, to analyze and record relevant API calls. VECG uses these API calls for supplying different environmental conditions and resources, expected by a trigger-based malware while analyzing the malware behavior. We introduce a new algorithm, Htest, to select the most discriminative sub-graphs of conditioned behavioral models as the unique signature for the malware family. The resultant behavioral models, applied as malware signatures, are evaluated using 1700 malicious programs belonging to 16 families. The signatures are evaluated, once without and then under different environmental conditions. It is observed that our signatures could segregate malware family samples with an accuracy of 97.1% while the accuracy will drop to about 22.91% if the environmental conditions are neglected.

WebHound: a data-driven intrusion detection from real-world web access logs

Hackers usually discover and exploit vulnerabilities existing in the entry point before invading a corporate environment. The web server exploration and spams are two popular means used by hackers to gain access to the enterprise computer systems. In this paper, we focus on protecting a web server in dealing with such cybersecurity intrusion threat. During the discovery stage, a web vulnerability investigation scanner (e.g., SQLMap, NMap, and Kali) is used by hackers to learn the web server versions and other related vulnerabilities. Then, in the exploitation stage, hackers develop a customized intrusion method which exploits those previously learned vulnerabilities to launch a subsequent attack. Currently, the most popular defense approaches (e.g., IDS, WAF) detect web server intrusion events through domain expert rules and anomaly pattern matches. For example, ModSecurity is an open source WAF which only detects known malware signature by domain expert rules. Thus, those approaches are good to defend the first discovery stage intrusion. However, they are not effective to deal with the customized intrusion in the second exploitation stage since no rules or signatures are available for such kind of intrusion detection. In this paper, in order to resolve the above problem, we propose an unsupervised data-driven anomaly detection known as WebHound. It not only identifies hackers reconnaissance but also detects the customized intrusion means deployed by hackers by analyzing large-scale web access logs. Moreover, WebHoundalso provides intrusion evidence using storyline for recovering intrusion procedure. Among numerous experiments and case studies, we applied WebHoundto a special government case for the intrusion evidence investigation and at the same time, we compared our results with the work done by computer forensic experts. The results showed that WebHoundcould discover more intrusion evidence than human experts. We also compared WebHoundwith ModSecurity which is updated with the newest domain expert rules running in a virtualized corporate environment. The experimental results show that WebHoundhas a better accuracy rate than ModSecurity. In summary, WebHoundalleviates the heavy demand on expert knowledge and human efforts to detect cyber-attack on a web server, and it also enhances detection accuracy and recall rate. Moreover, WebHoundcould provide more evidence for forensic experts to trace the original entry points.