Signature-based Detection Methods Research Articles

A comprehensive investigation into robust malware detection with explainable AI

In today’s digital world, malware poses a serious threat to security and privacy by stealing sensitive data and disrupting computer systems. Traditional signature-based detection methods have become inefficient and time-consuming. However, data-driven AI techniques, particularly machine learning (ML) and deep learning (DL), have shown effectiveness in detecting malware by analyzing behavioral characteristics. Despite their promising performance, the black-box nature of these models requires improved explainability to facilitate their adoption in real-world applications. This can complicate the ability of cybersecurity experts to evaluate the model’s reliability. In this work, Explainable Artificial Intelligence (XAI) is employed to comprehend and evaluate the decisions made by machine learning models in the detection of malware on Android devices. To evaluate malware detection, experiments were conducted using CICMalDroid dataset by applying ML models like Logistic Regression and several tree algorithms. An overall 94% F1-score was achieved, and interpretable explanations for model decisions were provided, highlighting more critical features that contributed to accurate classifications. It was found that employing XAI techniques can provide valuable insights for malware analysis researchers, enhancing their understanding of the operations of the ML model, rather than solely focusing on improving accuracy.

Intrusion Detection System

Our project introduces an Integrated Intrusion Detection System (IDS) designed to bolster network and system security through a multi-faceted approach. This comprehensive IDS seamlessly combined Machine Learning, Anomaly Detection, File Scanning, and DDoS Prevention mechanisms to offer robust defense against diverse cyber threats. At the heart of the system lies the Machine Learning component, which continuously adapts to the evolving threat landscape. By analyzing network traffic and system behavior, it identifies both known and emerging threats in real-time, reducing reliance on traditional signature-based detection methods and allowing organizations to proactively stay ahead of cybercriminals. Anomaly Detection constantly monitors network and system activity, comparing it against established baselines. Any deviations from these baselines trigger alerts, facilitating swift responses to unusual activities that may indicate security breaches. File Scanning is another vital component ensuring data integrity and preventing malware infiltration or data exfiltration. It conducts thorough file analysis, checking for suspicious code, behavior, or unauthorized access, and offers continuous monitoring to detect anomalies in real-time. Additionally, our IDS includes Distributed Denial of Service (DDoS) Prevention mechanisms. By detecting and mitigating DDoS attacks, the system ensures the continuous availability of network resources and services even under intense traffic loads. This integrated approach to intrusion detection and prevention leverages Machine Learning, Honeypots, Anomaly Detection, File Scanning, and DDoS Prevention, empowering organizations to safeguard critical assets, maintain data integrity, and ensure network security in today's dynamic and perilous digital landscape. Our IDS solution serves as a valuable addition to the cybersecurity toolkit for organizations seeking comprehensive security against a wide range of threats.

SQL Injection Detection using Machine Learning: A Review

SQL injection attacks are critical security vulnerability exploitation in web applications, posing risks to data, if successfully executed, allowing attackers to gain unauthorised access to sensitive data. Due to the absence of a standardised structure, traditional signature-based detection methods face challenges in effectively detecting SQL injection attacks. To overcome this challenge, machine learning (ML) algorithms have emerged as a promising approach for detecting SQL injection attacks. This paper presents a comprehensive literature review on the utilisation of ML techniques for SQL injection detection. The review covers various aspects, including dataset collection, feature extraction, training, and testing, with different ML algorithms. The studies included in the review demonstrate high levels of accuracy in detecting attacks and reducing false positives.

Harnessing GPT-2 for Feature Extraction in Malware Detection: A Novel Approach to Cybersecurity

Abstract In the rapidly advancing digital age, the surge in malware complexity presents a formidable challenge to cybersecurity efforts, rendering traditional signature-based detection methods increasingly obsolete. These methods struggle to keep pace with the swift evolution of malware, particularly with the emergence of polymorphic and metamorphic variants designed to bypass conventional detection. This study introduces a groundbreaking approach to malware detection by utilizing GPT-2, a cutting-edge language model developed by OpenAI, specifically for the purpose of feature extraction. By applying GPT-2’s deep learning capabilities to the EMBER and Drebin datasets, this research explores the model’s effectiveness in identifying malware through the intricate patterns present in binary data. Contrary to its original design for natural language processing, GPT-2’s application in this context demonstrates a significant potential for enhancing malware detection strategies. The model’s proficiency in extracting complex features from binary sequences marks a notable advancement over traditional methods, providing a more adaptive and robust mechanism for identifying malicious software. However, the study also acknowledges the challenges associated with the interpretability of deep learning models and their susceptibility to adversarial attacks, underscoring the imperative for ongoing innovation in the field of cybersecurity. This exploration into the unconventional use of GPT-2 for feature extraction in malware detection not only showcases the model’s versatility beyond language tasks but also sets a new precedent for the application of unsupervised learning models in enhancing cybersecurity defenses.

Detection and Analysis of Android Ransomware Using the Support Vector Machines

Abstract: Ransomware is a malicious code designed to encrypt and lock personal data such as documents and photos, in order to create opportunity for extorting money from the victims. Android operating systems are particularly targeted due to their large market share. Previous studies have primarily relied on signature-based detection methods, which require sufficient data samples and labelled signatures. However, modern ransomware utilizes obfuscation techniques that make it challenging to analyse using static methods. This project proposes a hybrid analysis approach for Android ransomware, employing the SVM algorithm for detection. The novelty lies in the limited exploration of SVM algorithms for ransomware analysis. The dataset used in the study was obtained from CICA and Mal 2017. Static features, including permissions, intents, encoding methods, and API calls were used, along with dynamic features such as network activities and system calls. The SVM model achieved good performance, with 81% accuracy and 90% precision using static features, and 100% accuracy with dynamic features

IMCNN:Intelligent Malware Classification using Deep Convolution Neural Networks as Transfer learning and ensemble learning in honeypot enabled organizational network

Traditional malware detection systems based on signature-based detection methods cannot detect new and unseen malware. Moreover, conventional machine learning methods for malware detection have utilized features extracted through static program analysis or dynamic analysis, which requires code debugging and execution primarily through offline processing; hence not a scalable approach. This paper proposes a novel intelligent malware classification using a deep convolution neural network (IMCNN) in organizational networks enabled with Honeypots. Systematic customization of pre-trained convolutional neural networks(CNN) as a transfer learning and ensemble learning as a classification is presented to detect intelligent modern-day malware. Real-world malware samples are systematically labeled and visualized into grayscale images. Four cutting-edge deep CNN models - VGG16, VGG19, InceptionV3, and ResNet50, are trained on the ImageNet database (≥1 million) and fine-tuned as feature extractors along with a basic CNN model. Three strategies are designed for feature extraction and selection: Rectified linear unit (ReLU) fully connected layer embedded in a deep CNN model, principal component analysis (PCA), and singular value decomposition(SVD). Reduced sets of features are stacked and used to train k-nearest neighbor (k-NN), support vector machine (SVM), and random forest (RF) classifiers for predictions. Subsequently, the predictive probabilities of different machine-learned models are ensembled using a soft voting method for final classification. The proposed method is evaluated on MalImg datasets (9339 malware samples of 25 families) and real-world modern malware datasets (690 malware of 22 families). The experimental results reveal that despite using a reduced feature set, the IMCNN effectively detects malware with 99.36% test accuracy on unseen data for MalImg datasets and 92.11% for real-world malware. In addition, the proposed method is compared with several existing state-of-art malware detection models in terms of performance accuracy and found performing as the best. Experiments demonstrated that the proposed method is resilient to polymorphic code obfuscation used by the malware authors.

CNN-LSTM Hybrid Model for Enhanced Malware Analysis and Detection

The ever-evolving tactics employed by malware authors to avoid detection pose challenges to the conventional static analysis method, which entails examining the malware code. These challenges arise from the authors’ capacity to obfuscate their code. To address this matter and enhance the identification of malware, integrating dynamic detection and machine learning has emerged as a highly promising approach. This methodology has demonstrated efficacy in identifying malware specifically engineered to circumvent established detection techniques. Behavioural analysis is a crucial component in ensuring endpoints’ security, with the CNN-LSTM algorithm being particularly notable for its effectiveness in identifying Zero-Day malware. This type of malware poses a substantial obstacle to conventional signature-based approaches. This paper aims to assess the efficacy of the Convolutional Neural Network-Long Short-Term Memory (CNN-LSTM) model, emphasising its significance in tackling the continuously evolving realm of cybersecurity obstacles. The research highlights the significance of transitioning from traditional signature-based detection methods to behavioural analysis techniques. It suggests utilising deep learning approaches such as Long Short-Term Memory (LSTM) and Convolutional Neural Networks (CNN) to improve the ability to detect malware in an environment where threats constantly evolve. The malware detection system that has been developed encompasses a log parser analyser, API monitoring, and an extension checker module. The CNN-LSTM model demonstrates a commendable ability to accurately identify malicious behaviour, achieving a validation accuracy of 96%. This study demonstrates the efficacy of employing behavioural analysis and deep learning techniques to enhance cybersecurity, particularly in addressing sophisticated, evasive, and previously unknown malware risks.

HiPeR - Early Detection of a Ransomware Attack using Hardware Performance Counters

Ransomware has been one of the most prevalent forms of malware over the previous decade, and it continues to be one of the most significant threats today. Recently, ransomware strategies such as double extortion and rapid encryption have encouraged attacker communities to consider ransomware as a business model. With the advent of Ransomware as a Service (RaaS) models, ransomware spread and operations continue to increase. Even though machine learning and signature-based detection methods for ransomware have been proposed, they often fail to achieve very accurate detection. Ransomware that evades detection moves to the execution phase after initial access and installation. Due to the catastrophic nature of a ransomware attack, it is crucial to detect in its early stages of execution. If there is a method to detect ransomware in its execution phase early enough, then one can kill the processes to stop the ransomware attack. However, early detection with dynamic API call analysis is not an ideal solution, as the contemporary ransomware variants use low-level system calls to circumvent the detection methods. In this work, we use hardware performance counters (HPC) as features to detect the ransomware within 3-4 seconds - which may be sufficient, at least in the case of ransomware that takes longer to complete its full execution.

Optimasi Algoritma Random Forest menggunakan Principal Component Analysis untuk Deteksi Malware

Malware is a type of software designed to harm various devices. As malware evolves and diversifies, traditional signature-based detection methods have become less effective against advanced types such as polymorphic, metamorphic, and oligomorphic malware. To address this challenge, machine learning-based malware detection has emerged as a promising solution. In this study, we evaluated the performance of several machine learning algorithms in detecting malware and applied Principal Component Analysis (PCA) to the best-performing algorithm to reduce the number of features and improve performance. Our results showed that the Random Forest algorithm outperformed Adaboost, Neural Network, Support Vector Machine, and k-Nearest Neighbor algorithms with an accuracy and recall rate of 98.3%. By applying PCA, we were able to further improve the performance of Random Forest to 98.7% for both accuracy and recall while reducing the number of features from 1084 to 32.

SSQLi: A Black-Box Adversarial Attack Method for SQL Injection Based on Reinforcement Learning

SQL injection is a highly detrimental web attack technique that can result in significant data leakage and compromise system integrity. To counteract the harm caused by such attacks, researchers have devoted much attention to the examination of SQL injection detection techniques, which have progressed from traditional signature-based detection methods to machine- and deep-learning-based detection models. These detection techniques have demonstrated promising results on existing datasets; however, most studies have overlooked the impact of adversarial attacks, particularly black-box adversarial attacks, on detection methods. This study addressed the shortcomings of current SQL injection detection techniques and proposed a reinforcement-learning-based black-box adversarial attack method. The proposal included an innovative vector transformation approach for the original SQL injection payload, a comprehensive attack-rule matrix, and a reinforcement-learning-based method for the adaptive generation of adversarial examples. Our approach was evaluated on existing web application firewalls (WAF) and detection models based on machine- and deep-learning methods, and the generated adversarial examples successfully bypassed the detection method at a rate of up to 97.39%. Furthermore, there was a substantial decrease in the detection accuracy of the model after multiple attacks had been carried out on the detection model via the adversarial examples.

A Malware Detection Approach Based on Deep Learning and Memory Forensics

As cyber attacks grow more complex and sophisticated, new types of malware become more dangerous and challenging to detect. In particular, fileless malware injects malicious code into the physical memory directly without leaving attack traces on disk files. This type of attack is well concealed, and it is difficult to find the malicious code in the static files. For malicious processes in memory, signature-based detection methods are becoming increasingly ineffective. Facing these challenges, this paper proposes a malware detection approach based on convolutional neural network and memory forensics. As the malware has many symmetric features, the saved training model can detect malicious code with symmetric features. The method includes collecting executable static malicious and benign samples, running the collected samples in a sandbox, and building a dataset of portable executables in memory through memory forensics. When a process is running, not all the program content is loaded into memory, so binary fragments are utilized for malware analysis instead of the entire portable executable (PE) files. PE file fragments are selected with different lengths and locations. We conducted several experiments on the produced dataset to test our model. The PE file with 4096 bytes of header fragment has the highest accuracy. We achieved a prediction accuracy of up to 97.48%. Moreover, an example of fileless attack is illustrated at the end of the paper. The results show that the proposed method can detect malicious codes effectively, especially the fileless attack. Its accuracy is better than that of common machine learning methods.

Explainable Artificial Intelligence-Based IoT Device Malware Detection Mechanism Using Image Visualization and Fine-Tuned CNN-Based Transfer Learning Model.

Automated malware detection is a prominent issue in the world of network security because of the rising number and complexity of malware threats. It is time-consuming and resource intensive to manually analyze all malware files in an application using traditional malware detection methods. Polymorphism and code obfuscation were created by malware authors to bypass the standard signature-based detection methods used by antivirus vendors. Malware detection using deep learning (DL) approaches has recently been implemented in an effort to address this problem. This study compares the detection of IoT device malware using three current state-of-the-art CNN models that have been pretrained. Large-scale learning performance using GNB, SVM, DT, LR, K-NN, and ensemble classifiers with CNN models is also included in the results. In light of the findings, a pretrained Inception-v3 CNN-based transfer learned model with fine-tuned strategy is proposed to identify IoT device malware by utilizing color image malware display of android Dalvik Executable File (DEX). Inception-v3 retrieves the malware's most important features. After that, a global max-pooling layer is applied, and a SoftMax classifier is used to classify the features. Finally, gradient-weighted class activation mapping (Grad-CAM) along the t-distributed stochastic neighbor embedding (t-SNE) is used to understand the overall performance of the proposed method. The proposed method achieved an accuracy of 98.5% and 91%, respectively, in the binary and multiclass prediction of malware images from IoT devices, exceeding the comparison methods in different evaluation parameters.

A Novel Approach towards Windows Malware Detection System Using Deep Neural Networks

Now-a-day's malicious software is increasing in numbers and at present becomes more harmful for any digital equipment like mobile, tablet, and computers. Traditional techniques like static and dynamic analysis, signature-based detection methods are become absolute and not effective at all. The advanced techniques like code encryption and code packing techniques can be used to hide detection; polymorphic malware is a new class of malware that changes their code structure from time to time to avoid detection, so there is a need for an intelligent system which can efficiently analyze the features of a new, unknown executable file and classify it correctly. There have been learning-based malware detection systems proposed in the literature, but most of those proposed approaches present a high accuracy over a small dataset, whereas the performance is very poor over industry-standard datasets. Operating system like windows is always in prime malware target because of the sheer high number of users. This paper proposes a simple, deep learning-based detection approachthat classifies a specified executable into benign or harmful. It has been trained using EMBER, an industry-level Windows malware dataset and tests with an accuracy of 87.76%.

Directional Laplacian Centrality for Cyber Situational Awareness

Cyber operations is drowning in diverse, high-volume, multi-source data. To get a full picture of current operations and identify malicious events and actors, analysts must see through data generated by a mix of human activity and benign automated processes. Although many monitoring and alert systems exist, they typically use signature-based detection methods. We introduce a general method rooted in spectral graph theory to discover patterns and anomalies without a priori knowledge of signatures. We derive and propose a new graph-theoretic centrality measure based on the derivative of the graph Laplacian matrix in the direction of a vertex. To build intuition about our measure, we show how it identifies the most central vertices in standard network datasets and compare to other graph centrality measures. Finally, we focus our attention on studying its effectiveness in identifying important IP addresses in network flow data. Using both real and synthetic network flow data, we conduct several experiments to test our measure’s sensitivity to two types of injected attack profiles and show that vertices participating in injected attack profiles exhibit noticeable changes in our centrality measures, even when the injected anomalies are relatively small, and in the presence of simulated network dynamics.

Malware detection based on semi-supervised learning with malware visualization.

The traditional signature-based detection method requires detailed manual analysis to extract the signatures of malicious samples, and requires a large number of manual markers to maintain the signature library, which brings a great time and resource costs, and makes it difficult to adapt to the rapid generation and mutation of malware. Methods based on traditional machine learning often require a lot of time and resources in sample labeling, which results in a sufficient inventory of unlabeled samples but not directly usable. In view of these issues, this paper proposes an effective malware classification framework based on malware visualization and semi-supervised learning. This framework includes mainly three parts: malware visualization, feature extraction, and classification algorithm. Firstly, binary files are processed directly through visual methods, without assembly, decompression, and decryption; Then the global and local features of the gray image are extracted, and the visual image features extracted are fused on the whole by a special feature fusion method to eliminate the exclusion between different feature variables. Finally, an improved collaborative learning algorithm is proposed to continuously train and optimize the classifier by introducing features of inexpensive unlabeled samples. The proposed framework was evaluated over two extensively researched benchmark datasets, i.e., Malimg and Microsoft. The results show that compared with traditional machine learning algorithms, the improved collaborative learning algorithm can not only reduce the cost of sample labeling but also can continuously improve the model performance through the input of unlabeled samples, thereby achieving higher classification accuracy.

Diverse Methods for Signature based Intrusion Detection Schemes Adopted

Intrusion Detection Systems (IDS) is used as a tool to detect intrusions on IT networks, providing support in network monitoring to identify and avoid possible attacks. Most such approaches adopt Signature-based methods for detecting attacks which include matching the input event to predefined database signatures. Signature based intrusion detection acts as an adaptable device security safeguard technology. This paper discusses various Signature-based Intrusion Detection Systems and their advantages; given a set of signatures and basic patterns that estimate the relative importance of each intrusion detection system feature, system administrators may help identify cyber-attacks and threats to the network and Computer system. Eighty percent of incidents can be easily and promptly detected using signature-based detection methods if used as a precautionary phase for vulnerability detection and twenty percent rest by anomaly-based intrusion detection system that involves comparing definitions of normal activity or event behavior with observed events in identifying the significant deviations and deciding the traffic to flag.

Reliability Evaluation of a Server System Considering Signature Update

Cyber attack on the Internet has become a problem in recent years, and it has been becoming more sophisticated and complicated. As one of schemes to detect cyber attack, IDS has been widely used. IDS can detect cyber attack based on the signature which is the pattern of cyber attack and so on. There are signature-based and anomaly-based detection methods in terms of IDS. Signature detection compares activity and behavior to signatures of known attacks. Signatures need to be updated regularly to detect a new type of attacks. This paper considers extended stochastic models for a server system with signature update. The server has the function of IDS. In this model, we consider type II error where IDS judges the occurrence of cyber attack erroneously when it occurs. We assume that the check with signature update is performed at [Formula: see text]th check or every [Formula: see text] checks. We obtain the expected costs until cyber attack is detected and discuss the optimal policies which minimize them. Finally, numerical examples are given.

Optimizing Android Malware Detection Via Ensemble Learning

<p>Android operating system has become very popular, with the highest market share, amongst all other mobile operating systems due to its open source nature and users friendliness. This has brought about an uncontrolled rise in malicious applications targeting the Android platform. Emerging trends of Android malware are employing highly sophisticated detection and analysis avoidance techniques such that the traditional signature-based detection methods have become less potent in their ability to detect new and unknown malware. Alternative approaches, such as the Machine learning techniques have taken the lead for timely zero-day anomaly detections. The study aimed at developing an optimized Android malware detection model using ensemble learning technique. Random Forest, Support Vector Machine, and k-Nearest Neighbours were used to develop three distinct base models and their predictive results were further combined using Majority Vote combination function to produce an ensemble model. Reverse engineering procedure was employed to extract static features from large repository of malware samples and benign applications. WEKA 3.8.2 data mining suite was used to perform all the learning experiments. The results showed that Random Forest had a true positive rate of 97.9%, a false positive rate of 1.9% and was able to correctly classify instances with 98%, making it a strong base model. The ensemble model had a true positive rate of 98.1%, false positive rate of 1.8% and was able to correctly classify instances with 98.16%. The finding shows that, although the base learners had good detection results, the ensemble learner produced a better optimized detection model compared with the performances of those of the base learners.</p>

Malware Detection using ANN Malviz.AI

With an increase in the number of internet users, the number of cyber-attacks happening in organizations is increasing day by day. Most of the cyber-attacks involve the use of malicious software known as malware to steal personal information, gain unauthorized access to the computer systems and carry out malicious activities which can cause huge financial losses to the organizations. Viruses, worms, rootkits, adware or anything that performs malicious activities is classified as malware. Detecting malware is a major challenge faced by the anti-malware industry as the signature-based malware detection methods may not provide accurate detection of malware. In this paper, an artificial neural network approach for malware detection is presented to overcome the shortcomings of signature-based malware detection methods. The proposed method can be used as a base model for the malware detection process and can be further developed to enhance the functionality.

Capturing-the-Invisible (CTI): Behavior-Based Attacks Recognition in IoT-Oriented Industrial Control Systems

Industrial Control Systems monitor, automate, and operate complex infrastructure and processes that integrate into critical industrial sectors that affect our daily lives. With the advent of networking and automation, these systems have moved from being dedicated and independent to centralized corporate infrastructure. While this has facilitated the monitoring and overall management using traditional detection methods, Web Application Firewalls or Intrusion Detection Systems has exposed the networks subjecting them to Behavior-based cybersecurity attacks. Such attacks alter the control flow and processes and have the malicious ability to alter the functioning of these systems altogether. This research focuses on the use of process analytics to detect attacks in the industrial control infrastructure systems and compares the effectiveness of signature-based detection methods. The proposed work presents a pattern recognition algorithm aptly named as “Capturing-the-Invisible (CTI)” to find the hidden process in industrial control device logs and detect Behavior-based attacks being performed in real-time.