Malware Targeting Research Articles

APT Malware Targeting Critical Infrastructure: Challenges in Securing Energy and Transportation Sectors

Advanced Persistent Threats (APTs) represent a significant and growing risk to critical infrastructure sectors, particularly energy and transportation. These sophisticated cyberattacks are characterized by prolonged duration, stealth, and complexity, often orchestrated by well-resourced adversaries such as nation-states or organized cybercriminal groups. This research paper examines the challenges faced in securing critical infrastructure against APT malware attacks, focusing on the energy and transportation sectors. Through an analysis of the tactics, techniques, and procedures (TTPs) employed by APT actors, the paper highlights the vulnerabilities inherent in legacy systems, the increasing interconnectedness of operational technology (OT) and information technology (IT) networks, and the shortcomings in existing security frameworks. The methodology includes a comprehensive literature review, data analysis of documented APT incidents, and a case study of a significant APT attack on the energy sector. The findings underscore the need for a multi-layered security approach, enhanced threat intelligence sharing, and the implementation of robust cybersecurity policies tailored to critical infrastructure. The paper concludes with recommendations for policymakers and industry stakeholders to strengthen defenses against APT malware threats.

Ransomware Over Modern Web Browsers: A Novel Strain and a New Defense Mechanism

Ransomware is an increasingly prevalent form of malware targeting end-users, governments, and businesses. As it has evolved, adversaries added new capabilities to their arsenal. We propose a next-generation browser-based ransomware, RøB , which performs its malicious actions via web technologies, File System Access API (FSA) and WebAssembly (Wasm). RøB uses this API through the victims’ browsers; hence, it does not require the victims to download and install malicious binaries. We performed extensive evaluations with 3 different OSs, 23 file formats, 29 distinct directories, 5 cloud providers, and 4 antivirus solutions. Our evaluations show that RøB can encrypt various types of files in the local and cloud-integrated directories, external storage devices, and network-shared folders of victims. Our experiments also reveal that popular cloud solutions, Box Individual and Apple iCloud can be severely affected by RøB . Moreover, we conducted tests with commercial antivirus software such as AVG, Avast, Kaspersky, Malware Bytes that perform sensitive directory and suspicious behavior monitoring against ransomware. We verified that RøB can evade these antivirus software and encrypt victim files. Moreover, existing ransomware detection solutions in the literature also cannot be a remedy against RøB due to its distinct features. Therefore, in this paper, we also propose RøBguard , a new detection system for RøB -like attacks. RøBguard monitors the web applications that use the FSA API via function hooking and uses a machine learning classifier to detect RøB -like attacks. We implemented a proof of concept version of RøBguard and our evaluation results show that RøBguard can detect RøB -like browser-based ransomware attacks effectively. We also provide future research directions that should be addressed in this domain.

Performance Evaluation of Deep Learning Techniques in The Detection of IOT Malware

Internet of Things (IoT) equipment is rapidly being used in a variety of businesses and for a variety of reasons (for example, sensing and collecting data from the environment in both public and military settings). Because of their expanding involvement in a wide range of applications and their rising computational and processing capabilities, they are a viable attack target for malware tailored to infect specific IoT devices. This study investigates the potential of detecting IoT malware using different deep learning techniques: the classic feedforward neural network (FNN), convolutional neural networks (CNN), long short-term memory (LSTM), and recurrent neural networks (RNN). The proposed method analyses the execution operation codes of IOT app sequences using modern NLP (natural language processing) methods. The current work utilized an IoT application dataset with 500 malware (collected from the IOTPOT dataset) and 500 goodware samples to train the proposed algorithms. The trained model is tested against 2971 fresh IoT malware and goodware samples. The samples were input into deep learning models, and performance metrics were obtained. The results demonstrate that the RNN model had the best accuracy (99.19%) in detecting fresh malware samples. On the other hand, the results were compared by the time required for training; the CNN model shows that it could achieve high accuracy (98.05%) with less training time. A comparison with various deep learning classifiers demonstrates that the RNN and CNN techniques produce the best results.

ZeroD-fender: A Resource-aware IoT Malware Detection Engine via Fine-grained Side-channel Analysis

In early 2023, cyberattacks experienced a significant rise due to unknown (zero-day) malware targeting Internet of Things (IoT) devices. To tackle the challenge of zero-day detection within a highly resource-constrained IoT environment, we propose a novel design that utilizes fine-grained power side-channel analysis with deep learning techniques. Our approach introduces an innovative concept called multiscale feature extraction to identify the most representative malware features across diverse architectures, thereby enhancing deep learning based detection performance against zero-day malware. Specifically, we employ a fine-grained power side-channel analysis of more than 120,000 honeypot-collected malware files across a hierarchy of commands , functions , and modules to identify the unique zero-day malware behaviors. With these identified features to train our model, ZeroD-fender’s performance in detecting zero-day malware has significantly improved. In pursuit of on-device detection, we present a resource-aware online inference customization framework. This framework features our lightweight network, ThingNetV2, which uses specialized 1-D depthwise separable convolution paired with h-swish activation, leading to significant resource savings. By applying the fine-grained power analysis, ZeroD-fender demonstrates a detection rate of 95.88% across various architecture zero-day malware, achieving detection speeds ranging between 16.083 ms and 23.961 ms , depending on the specific scenario.

Improving Robustness in IoT Malware Detection through Execution Order Analysis

The rapid expansion of the Internet of Things (IoT) has significantly increased the prevalence of malware targeting IoT devices. Although machine learning models offer promising solutions for automatic malware detection, they are increasingly vulnerable to adversarial attacks. These attacks exploit the model’s feedback loop to iteratively refine malware, producing adversarial samples that evade detection. As such, enhancing the robustness of these models is of paramount importance. Our research introduces a novel approach to bolster malware detection by retaining additional semantic information within the execution order analysis of malware programs. The method significantly improves the resilience of detection models against adversarial samples and implements two adversarial attack methods to rigorously test our model’s robustness by generating authentic adversarial examples for validation. We highlight the critical impact of preserving semantic integrity in malware detection and present a solution to counteract the growing threat of adversarial attacks in IoT environments.

CSMC: A Secure and Efficient Visualized Malware Classification Method Inspired by Compressed Sensing.

With the rapid development of the Internet of Things (IoT), the sophistication and intelligence of sensors are continually evolving, playing increasingly important roles in smart homes, industrial automation, and remote healthcare. However, these intelligent sensors face many security threats, particularly from malware attacks. Identifying and classifying malware is crucial for preventing such attacks. As the number of sensors and their applications grow, malware targeting sensors proliferates. Processing massive malware samples is challenging due to limited bandwidth and resources in IoT environments. Therefore, compressing malware samples before transmission and classification can improve efficiency. Additionally, sharing malware samples between classification participants poses security risks, necessitating methods that prevent sample exploitation. Moreover, the complex network environments also necessitate robust classification methods. To address these challenges, this paper proposes CSMC (Compressed Sensing Malware Classification), an efficient malware classification method based on compressed sensing. This method compresses malware samples before sharing and classification, thus facilitating more effective sharing and processing. By introducing deep learning, the method can extract malware family features during compression, which classical methods cannot achieve. Furthermore, the irreversibility of the method enhances security by preventing classification participants from exploiting malware samples. Experimental results demonstrate that for malware targeting Windows and Android operating systems, CSMC outperforms many existing methods based on compressed sensing and machine or deep learning. Additionally, experiments on sample reconstruction and noise demonstrate CSMC's capabilities in terms of security and robustness.

Exploring Shifting Patterns in Recent IoT Malware

The rise of malware targeting interconnected infrastructures has surged in recent years, driven largely by the widespread presence of vulnerable legacy IoT devices and inadequately secured networks. Despite the strong interest attackers have in targeting this infrastructure, a significant gap remains in understanding how the landscape has recently evolved. Addressing this knowledge gap is essential to thwarting the proliferation of massive botnets, thereby safeguarding end-users and preventing disruptions in critical infrastructures. This work offers a contemporary analysis of Linux-based malware, specifically tailored to IoT malware operating in 2021-2023. Using automated techniques involving both static and dynamic analysis, we classify malware into related threats. By scrutinizing the most recent dataset of Linux-based malware and comparing it to previous studies, we unveil distinctive insights into emerging trends, offering an unparalleled understanding of the evolving landscape. Although Mirai and Gafgyt remain the most prominent families and present a large number of variants, our results show that (i) there is an increase in the sophistication of malware, (ii) malware authors are adding new exploits to their arsenal, and (iii) malware families that originally attacked Windows systems have been adapted to attack Linux-based devices.

A novel method of detecting malware on Android mobile devices with explainable artificial intelligence

The increasing prevalence of malware targeting android mobile devices has raised significant concerns regarding user privacy and security. In response, effective methods for malware classification and detection are crucial to protect users from malicious applications. This paper presents an approach that leverages deep learning techniques and explainable artificial intelligence (XAI) for android mobile malware classification and detection. Convolutional neural networks (CNNs) are deep learning model that has shown impressive performance in several application areas, including image and text classification. In the context of android mobile malware, CNNs have shown promising results in capturing intricate patterns and features inherent in malware samples. By training these models on large datasets of benign and malicious applications, accurate classification can be achieved. To enhance transparency and interpretability, XAI techniques are integrated into the classification process. These techniques provide insights into the decision-making process of the deep learning models, enabling the identification of critical features and characteristics that contribute to the classification results. This research, by combining deep learning and XAI methods, presents a fresh strategy for identifying and categorizing Android malware. This research paper will focus on a fascinating CNN-based malware categorization technique.

Improving Windows Malware Detection Using the Random Forest Algorithm and Multi-View Analysis

Cybercriminals motivated by malign purpose and financial gain are rapidly developing new variants of sophisticated malware using automated tools, and most of these malware target Windows operating systems. This serious threat demands efficient techniques to analyze and detect zero-day, polymorphic and metamorphic malware. This paper introduces two frameworks for Windows malware detection using random forest algorithms. The first scheme uses features obtained from static and dynamic analysis for training, and the second scheme uses features obtained from static, dynamic, malware image analysis, location-sensitive hashing and file format inspections. We carried out an extensive experiment on two feature sets, and the proposed schemes are evaluated using seven standard evaluation metrics. The experiment results demonstrate that the second scheme recognizes unseen malware better than the first scheme and three state-of-the-art works. The findings show that the second scheme’s multi-view feature set contributes to its 99.58% accuracy and lowers false positive rate of 0.54%.

GHGDroid: Global heterogeneous graph-based android malware detection

As the most popular mobile platform, Android has become the major attack target of malware, and thus there is an urgent need to effectively thwart them. Recently, the graph-based technique has been a promising solution for malware detection, which highly depends on graph structures to capture behaviors separating the malware from the benign apps. However, existing graph-based malware detection approaches still suffer from high computation cost in constructing or updating a graph for APK under detection, high false negative and false positive. To cope with these issues, we propose a novel global heterogeneous graph-based Android malware detection approach, named GHGDroid. A global heterogeneous graph (GHG) with a good updatability is first built on large-scale Android applications to characterize complex relationships among APKs and sensitive APIs. And then, using the GHG, a multi-layer graph convolutional network based embedding method is proposed to learn APK embeddings for well capturing behaviors that can separate malware from benign. Finally, using APK embeddings as well their labels, a malware classifier is trained. Experiments on real-world Android applications show that GHGDroid achieves 99.17 % F1-score, which outperforms the state-of-the-art approaches. Moreover, GHGDroid spends about 8 s on detecting an APK, which shows that it has a good potential as a practical tool for the Android malware detection task.

HertDroid: Android Malware Detection Method with Influential Node Filter and Heterogeneous Graph Transformer

The explosive growth of malware targeting Android devices has resulted in the demand for the acquisition and integration of comprehensive information to enable effective, robust, and user-friendly malware detection. In response to this challenge, this paper introduces HertDroid, an innovative Android malware detection method that leverages the hidden contextual information within application entities. Specifically, we formulate a heterogeneous graph encapsulating rich semantics of entities and their interactions to model the behavior of Android applications. To alleviate computational burdens, a filter is implemented to identify nodes containing crucial information. The Transformer architecture is then deployed for efficient information aggregation across diverse entities. In our experiments, HertDroid demonstrates superior performance by achieving the highest F1 scores when compared to baseline methods on a dataset comprising 10,361 benign and 11,043 malicious apps. Notably, HertDroid excels in maintaining a lightweight profile, and its performance is achieved without the necessity of manual meta-path configuration.

DL-AMDet: Deep learning-based malware detector for android

The Android operating system, with its market share leadership and open-source nature in smartphones, has become the primary target of malware. However, detecting malicious Android processes has become a significant challenge because of the complexity of size, length, and associations of various important and distinctive elements of Android applications, such as API calls and system calls. In this paper DL-AMDet, a deep learning architecture is proposed to detect Android malware applications based on its static and dynamic features. DL-AMDet consists of two main detection models the first one uses CNN-BiLSTM deep learning method for detecting malware using static analysis. The other model utilizes deep Autoencoders as an anomaly detection model to identify the malware based on dynamic analysis. The performance of the DL-AMDet architecture is evaluated using two different datasets. The results show that DL-AMDet achieves a competitive malware detection accuracy of 99.935 % for static and dynamic analysis models combined. Additionally, the results emphasize the significance of CNN-BiLSTM and Deep Autoencoders models used in DL-AMDet to outperform the existing state-of-the-art techniques.

A Survey of Malware Analysis Using Community Detection Algorithms

In recent years, we have witnessed an overwhelming and fast proliferation of different types of malware targeting organizations and individuals, which considerably increased the time required to detect malware. The malware developers make this issue worse by spreading many variants of the same malware [ 13 ]. To deal with this issue, graph theory techniques, and particularly community detection algorithms, can be leveraged to achieve bulk detection of malware families and variants to identify malicious communities instead of focusing on the detection of an individual instance of malware, which could significantly reduce the detection time. In this article, we review the state-of-the-art malware analysis solutions that employ community detection algorithms and provide a taxonomy that classifies the solutions with respect to five facets: analysis task, community detection approach, target platform, analysis type, and source of features. We present the solutions with respect to the analysis task, which covers malware detection, malware classification, cyber-threat infrastructure detection, and feature selection. The findings of this survey indicate that there is still room for contributions to further improve the state of the art and address research gaps. Finally, we discuss the advantages and the limitations of the solutions, identify open issues, and provide future research directions.

Intelligent Anomaly Detection System through Malware Image Augmentation in IIoT Environment Based on Digital Twin

Due to the recent rapid development of the ICT (Information and Communications Technology) field, the industrial sector is also experiencing rapid informatization. As a result, malware targeting information leakage and financial gain are increasingly found within IIoT (the Industrial Internet of Things). Moreover, the number of malware variants is rapidly increasing. Therefore, there is a pressing need for a safe and preemptive malware detection method capable of responding to these rapid changes. The existing malware detection method relies on specific byte sequence inclusion in a binary file. However, this method faces challenges in impacting the system or detecting variant malware. In this paper, we propose a data augmentation method based on an adversarial generative neural network to maintain a secure system and acquire necessary learning data. Specifically, we introduce a digital twin environment to safeguard systems and data. The proposed system creates fixed-size images from malware binaries in the virtual environment of the digital twin. Additionally, it generates new malware through an adversarial generative neural network. The image information produced in this manner is then employed for malware detection through deep learning. As a result, the detection performance, in preparation for the emergence of new malware, demonstrated high accuracy, exceeding 97%.

An adaptive semi-supervised deep learning-based framework for the detection of Android malware

Positive developments in smartphone usage have led to an increase in malicious attacks, particularly targeting Android mobile devices. Android has been a primary target for malware exploiting security vulnerabilities due to the presence of critical applications, such as banking applications. Several machine learning-based models for mobile malware detection have been developed recently, but significant research is needed to achieve optimal efficiency and performance. The proliferation of Android devices and the increasing threat of mobile malware have made it imperative to develop effective methods for detecting malicious apps. This study proposes a robust hybrid deep learning-based approach for detecting and predicting Android malware that integrates Convolutional Neural Networks (CNN) and Long Short-Term Memory (LSTM). It also presents a creative machine learning-based strategy for dealing with unbalanced datasets, which can mislead the training algorithm during classification. The proposed strategy helps to improve method performance and mitigate over- and under-fitting concerns. The proposed model effectively detects Android malware. It extracts both temporal and spatial features from the dataset. A well-known Drebin dataset was used to train and evaluate the efficacy of all creative frameworks regarding the accuracy, sensitivity, MAE, RMSE, and AUC. The empirical finding proclaims the projected hybrid ConvLSTM model achieved remarkable performance with an accuracy of 0.99, a sensitivity of 0.99, and an AUC of 0.99. The proposed model outperforms standard machine learning-based algorithms in detecting malicious apps and provides a promising framework for real-time Android malware detection.

E-Brightpass: A Secure way to access social networks on smartphones

Social network providers offer a variety of entertainment services in exchange for end users’ personal information, such as their identity. The majority of users access social networking sites via their smartphones, which they utilize in conjunction with a traditional authenticator like a password. On the other hand, aggregators, which pull content from multiple social networks, are often used to get into smartphone apps that may involve mobile ticketing, identification, and access control. They are a potential target for malware and spyware injections due to their powerful position. Malware is capable of circumventing authentication mechanisms in order to get access to social networking services, which may result in stealing the personal information of users. To deflect any type of attack from malicious software, BrightPass [22], a malware-resistant method based on screen brightness, was introduced. Conversely, we have demonstrated that the BrightPass user’s personally identifiable information, such as PIN numbers, may be recovered by evaluating the variations between the recorded input from many authentication sessions. We have then offered various enhanced BrightPass versions to address the observed vulnerability. Our enhanced BrightPass versions are both simple and secure to use when it comes to accessing social networks via mobiles.

Mobile Botnet Detection: A Machine Learning Approach using SVM

Abstract: Android is now the most widespread mobile operating system worldwide. Over the years the volume of malware targeting Android has continued to grow. This is because it is easier and more profitable for malware authors to target an operating sys-tem that is open-source, more prevalent, and does not restrict the installation of appsfrom any possible source. Hence, in this paper we present a deep learning approach that leverages Support Vector Machine (SVM) forAndroid botnet detection. The SVM model employs 342 static features to classify new or previously unseen apps as either ‘botnet’ or ‘normal

An Android Malware Detection Approach to Enhance Node Feature Differences in a Function Call Graph Based on GCNs

The smartphone has become an indispensable tool in our daily lives, and the Android operating system is widely installed on our smartphones. This makes Android smartphones a prime target for malware. In order to address threats posed by malware, many researchers have proposed different malware detection approaches, including using a function call graph (FCG). Although an FCG can capture the complete call–callee semantic relationship of a function, it will be represented as a huge graph structure. The presence of many nonsensical nodes affects the detection efficiency. At the same time, the characteristics of the graph neural networks (GNNs) make the important node features in the FCG tend toward similar nonsensical node features during the propagation process. In our work, we propose an Android malware detection approach to enhance node feature differences in an FCG. Firstly, we propose an API-based node feature by which we can visually analyze the behavioral properties of different functions in the app and determine whether their behavior is benign or malicious. Then, we extract the FCG and the features of each function from the decompiled APK file. Next, we calculate the API coefficient inspired by the idea of the TF–IDF algorithm and extract the sensitive function called subgraph (S-FCSG) based on API coefficient ranking. Finally, before feeding the S-FCSG and node features into the GCN model, we add the self-loop for each node of the S-FCSG. A 1-D convolutional neural network and fully connected layers are used for further feature extraction and classification, respectively. The experimental result shows that our approach enhances the node feature differences in an FCG, and the detection accuracy is greater than that of models using other features, suggesting that malware detection based on a graph structure and GNNs has a lot of space for future study.

Investigating TrustZone: A Comprehensive Analysis

The advent of the Internet and portable devices, including smartphones and watches, has brought unprecedented opportunities for embedded application systems developments. Along with these developments, there is an increasing need for embedded devices to handle important services, such as the ability to pay bills or manage bank accounts remotely via mobile phones. Such applications and developments have also highlighted the issues of cyberattacks and computing network security--these developments have made mobile phones a potential target for malware, trojans, and viruses, so it is critical to design a set of security technologies for embedded devices. In fact, security has become an essential requirement in the process of embedded system design. Thus, ARM has proposed system-level security solutions based on TrustZone technology. TrustZone technology is tightly integrated with Cortex™-A processors and extends the system through the AMBA® AXI bus and specific TrustZone system IP blocks to protect peripherals such as secure memory, encryption blocks, keyboards, and screens from software attacks. It divides the system into TEE (Trusted Execution Environment) and REE (Rich Execution Environment) by hardware and provides intrinsic software security services and interfaces. More precisely, it has built system security by combining hardware and software. It is worth noting that it does not influence performance, power consumption, and area as much as possible. Owing to such characteristics, the technology has gained the wide attention of researchers worldwide. There is lack of systematic documentation of the technology. Therefore, this paper documents the significant progress achieved in the field. In particular, this article mainly analyses the primary mechanism implementation, and how to build the Trusted Execution Environment in different environments. Then, this paper discusses the related research works in the academic field and business applications of the technology. Furthermore, the advantages and weaknesses of the TrustZone technology as well as the proposed possible solutions aiming at the deficiency are outlined. Finally, a comparison of TrustZone technology with another mainstream commercial SGX, and future directions are presented.

Mobile Botnet Detection

Abstract: Android, being the most widespread mobile operating systems is in- creasingly becoming a target for malware. Malicious apps designed to turn mobile devices into bots that may form part of a larger botnet have become quite common, thus posing a serious threat. This calls -for more effective methods to detect botnets on the Android plat- form. Hence, in this paper, we present a deep learning approach for Android botnet detection based on Support vector machine (SVM). Our proposed botnet detection system is implemented as a svm- based model that is trained on 342 static app features to distinguish between botnet apps and normal apps.