164 articles found
GENOME: Genetic Encoding for Novel Optimization of Malware Detection and Classification in Edge Computing
1
Authors: Sang-Hoon Choi, Ki-Woong Park. Computers, Materials & Continua, 2025, No. 3, pp. 4021-4039 (19 pages)
The proliferation of Internet of Things (IoT) devices has established edge computing as a critical paradigm for real-time data analysis and low-latency processing. Nevertheless, the distributed nature of edge computing presents substantial security challenges, rendering it a prominent target for sophisticated malware attacks. Existing signature-based and behavior-based detection methods are ineffective against the swiftly evolving nature of malware threats and are constrained by the availability of resources. This paper suggests the Genetic Encoding for Novel Optimization of Malware Evaluation (GENOME) framework, a novel solution that is intended to improve the performance of malware detection and classification in peripheral computing environments. GENOME optimizes data storage and computational efficiency by converting malware artifacts into compact, structured sequences through a Deoxyribonucleic Acid (DNA) encoding mechanism. The framework employs two DNA encoding algorithms, standard and compressed, which substantially reduce data size while preserving high detection accuracy. The Edge-IIoTset dataset was used to conduct experiments that showed that GENOME was able to achieve high classification performance using models such as Random Forest and Logistic Regression, resulting in a reduction of data size by up to 42%. Further evaluations with the CIC-IoT-23 dataset and Deep Learning models confirmed GENOME’s scalability and adaptability across diverse datasets and algorithms. The potential of GENOME to address critical challenges, such as the rapid mutation of malware, real-time processing demands, and resource limitations, is emphasized in this study. GENOME offers comprehensive protection for peripheral computing environments by offering a security solution that is both efficient and scalable.
Keywords: Edge computing IoT security malware machine learning malware classification malware detection
Multi-objective Markov-enhanced adaptive whale optimization cybersecurity model for binary and multi-class malware cyberthreat classification
2
Authors: Saif Ali Abd Alradha Alsaidi, Riyadh Rahef Nuiaa Al Ogaili, Zaid Abdi Alkareem Alyasseri, Dhiah Al-Shammary, Ayman Ibaida, Adam Slowik. Journal of Electronic Science and Technology, 2025, No. 4, pp. 95-112 (18 pages)
The rapid and increasing growth in the volume and number of cyber threats from malware is not a real danger; the real threat lies in the obfuscation of these cyberattacks, as they constantly change their behavior, making detection more difficult. Numerous researchers and developers have devoted considerable attention to this topic; however, the research field has not yet been fully saturated with high-quality studies that address these problems. For this reason, this paper presents a novel multi-objective Markov-enhanced adaptive whale optimization (MOMEAWO) cybersecurity model to improve the classification of binary and multi-class malware threats through the proposed MOMEAWO approach. The proposed MOMEAWO cybersecurity model aims to provide an innovative solution for analyzing, detecting, and classifying the behavior of obfuscated malware within their respective families. The proposed model includes three classification types: Binary classification and multi-class classification (e.g., four families and 16 malware families). To evaluate the performance of this model, we used a recently published dataset called the Canadian Institute for Cybersecurity Malware Memory Analysis (CIC-MalMem-2022) that contains balanced data. The results show near-perfect accuracy in binary classification and high accuracy in multi-class classification compared with related work using the same dataset.
Keywords: malware cybersecurity attacks malware detection and classification Markov chain MULTI-OBJECTIVE MOMEAWO cybersecurity model
Genetic Analysis of Android Malware
3
Author: Linna Wang. Journal of Electronic Research and Application, 2025, No. 4, pp. 163-169 (7 pages)
With the proliferation of Android malware, the issue of traceability in malware analysis has emerged as a significant problem that requires exploration. By establishing links between newly discovered, unreported malware and prior knowledge from existing malware data pools, security analysts can gain a better understanding of the evolution process of malware and its underlying reasons. However, in real-world scenarios, analyzing the traceability of malware can be complex and time-consuming due to the large volume of existing malware data, requiring extensive manual analysis. Furthermore, the results obtained from such analysis often lack explanation. Therefore, there is a pressing need to develop a comprehensive automated malware tracking system that can provide detailed insights into the tracking and evolution process of malware and offer strong explanatory capabilities. In this paper, we propose a knowledge graph-based approach that uses partial API call graphs comprising semantic and behavioral features to reveal the traceability relations among malware and provide explainable results for these relations. Our approach is implemented on a dataset of over 20,000 malware samples labeled with family information, spanning a time period of 10 years. To address the challenges associated with the complexity of analysis, we leverage prior knowledge from existing malware research and a branch pruning method on call graphs to reduce computational complexity and enhance the precision of explanations when determining traceability relations.
Keywords: malware gene traceability malware analysis ANDROID
Malware of Dynamic Behavior and Attack Patterns Using ATT&CK Framework
4
Authors: Jong-Yih Kuo, Ping-Feng Wang, Ti-Feng Hsieh, Cheng-Hsuan Kuo. Computer Modeling in Engineering & Sciences, 2025, No. 6, pp. 3133-3166 (34 pages)
In recent years, cyber threats have escalated across diverse sectors, with cybercrime syndicates increasingly exploiting system vulnerabilities. Traditional passive defense mechanisms have proven insufficient, particularly as Linux platforms—historically overlooked in favor of Windows—have emerged as frequent targets. According to Trend Micro, there has been a substantial increase in Linux-targeted malware, with ransomware attacks on Linux surpassing those on macOS. This alarming trend underscores the need for detection strategies specifically designed for Linux environments. To address this challenge, this study proposes a comprehensive malware detection framework tailored for Linux systems, integrating dynamic behavioral analysis with the semantic reasoning capabilities of large language models (LLMs). Malware samples are executed within sandbox environments to extract behavioral features such as system calls and command-line executions. These features are then systematically mapped to the MITRE ATT&CK framework, incorporating its defined data sources, data components, and Tactics, Techniques, and Procedures (TTPs). Two mapping constructs—Conceptual Definition Mapping and TTP Technical Keyword Mapping—are developed from official MITRE documentation. These resources are utilized to fine-tune an LLM, enabling it to semantically interpret complex behavioral patterns and infer associated attack techniques, including those employed by previously unknown malware variants. The resulting detection pipeline effectively bridges raw behavioral data with structured threat intelligence. Experimental evaluations confirm the efficacy of the proposed system, with the fine-tuned Gemma 2B model demonstrating significantly enhanced accuracy in associating behavioral features with ATT&CK-defined techniques. This study contributes a fully integrated Linux-specific detection framework, a novel approach for transforming unstructured behavioral data into actionable intelligence, improved interpretability of malicious behavior, and a scalable training process for future applications of LLMs in cybersecurity.
Keywords: Linux malware dynamic analysis behavior analysis behavioral feature ATT&CK SANDBOX large language model fine-tuning
Enhancing Android Malware Detection with XGBoost and Convolutional Neural Networks
5
Authors: Atif Raza Zaidi, Tahir Abbas, Ali Daud, Omar Alghushairy, Hussain Dawood, Nadeem Sarwar. Computers, Materials & Continua, 2025, No. 8, pp. 3281-3304 (24 pages)
Safeguarding against malware requires precise machine-learning algorithms to classify harmful apps. The Drebin dataset of 15,036 samples and 215 features yielded significant and reliable results for two hybrid models, CNN+XGBoost and KNN+XGBoost. To address the class imbalance issue, SMOTE (Synthetic Minority Oversampling Technique) was used to preprocess the dataset, creating synthetic samples of the minority class (malware) to balance the training set. XGBoost was then used to choose the most essential features for separating malware from benign programs. The models were trained and tested using 6-fold cross-validation, measuring accuracy, precision, recall, F1 score, and ROC AUC. The results are highly dependable, showing that CNN+XGBoost consistently outperforms KNN+XGBoost with an average accuracy of 98.76% compared to 97.89%. The CNN-based malware classification model, with its higher precision, recall, and F1 scores, is a secure choice. CNN+XGBoost, with its fewer all-fold misclassifications in confusion matrices, further solidifies this security. The calibration curve research, confirming the accuracy and cybersecurity applicability of the models’ probability projections, adds to the sense of reliability. This study unequivocally demonstrates that CNN+XGBoost is a reliable and effective malware detection system, underlining the importance of feature selection and hybrid models.
Keywords: malware detection android security CNN XGBoost machine learning deep learning
OMD-RAS: Optimizing Malware Detection through Comprehensive Approach to Real-Time and Adaptive Security
6
Authors: Farah Mohammad, Saad Al-Ahmadi, Jalal Al-Muhtadi. Computers, Materials & Continua, 2025, No. 9, pp. 5995-6014 (20 pages)
Malware continues to pose a significant threat to cybersecurity, with new advanced infections that go beyond traditional detection. Limitations in existing systems include high false-positive rates, slow system response times, and inability to respond quickly to new malware forms. To overcome these challenges, this paper proposes OMD-RAS: Implementing Malware Detection in an Optimized Way through Real-Time and Adaptive Security as an extensive approach, hoping to get good results towards better malware threat detection and remediation. The significant steps in the model are data collection followed by comprehensive preprocessing consisting of feature engineering and normalization. Static analysis, along with dynamic analysis, is done to capture the whole spectrum of malware behavior for the feature extraction process. The extracted processed features are given with a continuous learning mechanism to the Extreme Learning Machine model of real-time detection. This OMD-RAS trains quickly and has great accuracy, providing elite, advanced real-time detection capabilities. This approach uses continuous learning to adapt to new threats—ensuring the effectiveness of detection even as strategies used by malware may change over time. The experimental results showed that OMD-RAS performs better than the traditional approaches. For instance, the OMD-RAS model has been able to achieve an accuracy of 96.23% and massively reduce the rate of false positives across all datasets while eliciting a consistently high rate of precision and recall. The model’s adaptive learning reflected enhancements on other performance measures, for example, Matthews Correlation Coefficients and Log Loss.
Keywords: malware adaptive security feature engineering ELM Kafka
Dual-Channel Attention Deep Bidirectional Long Short Term Memory for Enhanced Malware Detection and Risk Mitigation
7
Authors: Madini O. Alassafi, Syed Hamid Hasan. Computer Modeling in Engineering & Sciences, 2025, No. 8, pp. 2627-2645 (19 pages)
Over the past few years, Malware attacks have become more and more widespread, posing threats to digital assets throughout the world. Although numerous methods have been developed to detect malicious attacks, these malware detection techniques need to be more efficient in detecting new and progressively sophisticated variants of malware. Therefore, the development of more advanced and accurate techniques is necessary for malware detection. This paper introduces a comprehensive Dual-Channel Attention Deep Bidirectional Long Short-Term Memory (DCADBiLSTM) model for malware detection and risk mitigation. The Dual Channel Attention (DCA) mechanism improves the model’s capability to concentrate on the features that are most appropriate in the input data, which reduces the false favourable rates. The Bidirectional Long, Short-Term Memory framework helps capture crucial interdependence from past and future circumstances, which is essential for enhancing the model’s understanding of malware behaviour. As soon as malware is detected, the risk mitigation phase is implemented, which evaluates the severity of each threat and helps mitigate threats earlier. The outcomes of the method demonstrate better accuracy of 98.96%, which outperforms traditional models. It indicates the method detects and mitigates several kinds of malware threats, thereby providing a proactive defence mechanism against the emerging challenges in cybersecurity.
Keywords: CYBERSECURITY risk mitigation malware detection bidirectional long short-term memory dual-channel attention
MAD-ANET: Malware Detection Using Attention-Based Deep Neural Networks
8
Authors: Waleed Khalid Al-Ghanem, Emad Ul Haq Qazi, Tanveer Zia, Muhammad Hamza Faheem, Muhammad Imran, Iftikhar Ahmad. Computer Modeling in Engineering & Sciences, 2025, No. 4, pp. 1009-1027 (19 pages)
In the current digital era, new technologies are becoming an essential part of our lives. Consequently, the number of malicious software or malware attacks is rapidly growing. There is no doubt, the majority of malware attacks can be detected by most antivirus programs. However, such types of antivirus programs are one step behind malicious software. Due to these dilemmas, deep learning became popular in the detection and classification of malicious data. Therefore, researchers have significantly focused on finding solutions for malware attacks by analyzing malicious samples with the help of different techniques and models. In this research, we presented a lightweight attention-based novel deep Convolutional Neural Network (DNN-CNN) model for binary and multi-class malware classification, including benign, trojan horse, ransomware, and spyware. We applied the Principal Component Analysis (PCA) technique for feature extraction for binary classification. We used the Synthetic Minority Oversampling Technique (SMOTE) to handle the imbalanced data during multi-class classification. Our proposed attention-based malware detection model is trained on the benchmark malware memory dataset named CIC-MalMem-2022. The results indicate that our model obtained high accuracy for binary and multi-class classification, 99.5% and 97.9%, respectively.
Keywords: Attention-based CNN malware detection machine learning deep learning classification
HERL-ViT: A Hybrid Enhanced Vision Transformer Based on Regional-Local Attention for Malware Detection
9
Authors: Boyan Cui, Huijuan Wang, Yongjun Qi, Hongce Chen, Quanbo Yuan, Dongran Liu, Xuehua Zhou. Computers, Materials & Continua, 2025, No. 12, pp. 5531-5553 (23 pages)
The proliferation of malware and the emergence of adversarial samples pose severe threats to global cybersecurity, demanding robust detection mechanisms. Traditional malware detection methods suffer from limited feature extraction capabilities, while existing Vision Transformer (ViT)-based approaches face high computational complexity due to global self-attention, hindering their efficiency in handling large-scale image data. To address these issues, this paper proposes a novel hybrid enhanced Vision Transformer architecture, HERL-ViT, tailored for malware detection. The detection framework involves five phases: malware image visualization, image segmentation with patch embedding, regional-local attention-based feature extraction, enhanced feature transformation, and classification. Methodologically, HERL-ViT integrates a multi-level pyramid structure to capture multi-scale features, a regional-to-local attention mechanism to reduce computational complexity, an Optimized Position Encoding Generator for dynamic relative position encoding, and enhanced MLP and downsampling modules to balance performance and efficiency. Key contributions include: (1) A unified framework integrating visualization, adversarial training, and hybrid attention for malware detection; (2) Regional-local attention to achieve both global awareness and local detail capture with lower complexity; (3) Optimized PEG to enhance spatial perception and reduce overfitting; (4) Lightweight network design (5.8M parameters) ensuring high efficiency. Experimental results show HERL-ViT achieves 99.2% accuracy (Loss=0.066) on malware classification and 98.9% accuracy (Loss=0.081) on adversarial samples, demonstrating superior performance and robustness compared to state-of-the-art methods.
Keywords: malware detection deep learning counter-attacks attention mechanisms applications of artificial intelligence
Advanced Techniques for Dynamic Malware Detection and Classification in Digital Security Using Deep Learning
10
Author: Taher Alzahrani. Computers, Materials & Continua, 2025, No. 6, pp. 4575-4606 (32 pages)
The rapid evolution of malware presents a critical cybersecurity challenge, rendering traditional signature-based detection methods ineffective against novel variants. This growing threat affects individuals, organizations, and governments, highlighting the urgent need for robust malware detection mechanisms. Conventional machine learning-based approaches rely on static and dynamic malware analysis and often struggle to detect previously unseen threats due to their dependency on predefined signatures. Although machine learning algorithms (MLAs) offer promising detection capabilities, their reliance on extensive feature engineering limits real-time applicability. Deep learning techniques mitigate this issue by automating feature extraction but may introduce computational overhead, affecting deployment efficiency. This research evaluates classical MLAs and deep learning models to enhance malware detection performance across diverse datasets. The proposed approach integrates a novel text and image-based detection framework, employing an optimized Support Vector Machine (SVM) for textual data analysis and EfficientNet-B0 for image-based malware classification. Experimental analysis, conducted across multiple train-test splits over varying timescales, demonstrates 99.97% accuracy on textual datasets using SVM and 96.7% accuracy on image-based datasets with EfficientNet-B0, significantly improving zero-day malware detection. Furthermore, a comparative analysis with existing competitive techniques, such as Random Forest, XGBoost, and CNN-based (Convolutional Neural Network) classifiers, highlights the superior performance of the proposed model in terms of accuracy, efficiency, and robustness.
Keywords: Machine learning EfficientNet B0 malimg dataset XceptionNet malware detection deep learning techniques support vector machines (SVM)
Enhancing Malware Detection Resilience: A U-Net GAN Denoising Framework for Image-Based Classification
11
Authors: Huiyao Dong, Igor Kotenko. Computers, Materials & Continua, 2025, No. 3, pp. 4263-4285 (23 pages)
The growing complexity of cyber threats requires innovative machine learning techniques, and image-based malware classification opens up new possibilities. Meanwhile, existing research has largely overlooked the impact of noise and obfuscation techniques commonly employed by malware authors to evade detection, and there is a critical gap in using noise simulation as a means of replicating real-world malware obfuscation techniques and adopting denoising framework to counteract these challenges. This study introduces an image denoising technique based on a U-Net combined with a GAN framework to address noise interference and obfuscation challenges in image-based malware analysis. The proposed methodology addresses existing classification limitations by introducing noise addition, which simulates obfuscated malware, and denoising strategies to restore robust image representations. To evaluate the approach, we used multiple CNN-based classifiers to assess noise resistance across architectures and datasets, measuring significant performance variation. Our denoising technique demonstrates remarkable performance improvements across two multi-class public datasets, MALIMG and BIG-15. For example, the MALIMG classification accuracy improved from 23.73% to 88.84% with denoising applied after Gaussian noise injection, demonstrating robustness. This approach contributes to improving malware detection by offering a robust framework for noise-resilient classification in noisy conditions.
Keywords: malware CYBERSECURITY deep learning DENOISING
Semantic Malware Classification Using Artificial Intelligence Techniques
12
Authors: Eliel Martins, Javier Bermejo Higuera, Ricardo Sant’Ana, Juan Ramón Bermejo Higuera, Juan Antonio Sicilia Montalvo, Diego Piedrahita Castillo. Computer Modeling in Engineering & Sciences, 2025, No. 3, pp. 3031-3067 (37 pages)
The growing threat of malware, particularly in the Portable Executable (PE) format, demands more effective methods for detection and classification. Machine learning-based approaches exhibit their potential but often neglect semantic segmentation of malware files that can improve classification performance. This research applies deep learning to malware detection, using Convolutional Neural Network (CNN) architectures adapted to work with semantically extracted data to classify malware into malware families. Starting from the Malconv model, this study introduces modifications to adapt it to multi-classification tasks and improve its performance. It proposes a new innovative method that focuses on byte extraction from Portable Executable (PE) malware files based on their semantic location, resulting in higher accuracy in malware classification than traditional methods using full-byte sequences. This novel approach evaluates the importance of each semantic segment to improve classification accuracy. The results revealed that the header segment of PE files provides the most valuable information for malware identification, outperforming the other sections, and achieving an average classification accuracy of 99.54%. The above reaffirms the effectiveness of the semantic segmentation approach and highlights the critical role header data plays in improving malware detection and classification accuracy.
Keywords: malware portable executable SEMANTIC convolutional neural networks
AI-Driven Malware Detection with VGG Feature Extraction and Artificial Rabbits Optimized Random Forest Model
13
Authors: Brij B. Gupta, Akshat Gaurav, Wadee Alhalabi, Varsha Arya, Shavi Bansal, Ching-Hsien Hsu. Computers, Materials & Continua, 2025, No. 9, pp. 4755-4772 (18 pages)
Detecting cyber attacks in networks connected to the Internet of Things (IoT) is of utmost importance because of the growing vulnerabilities in the smart environment. Conventional models, such as Naive Bayes and support vector machine (SVM), as well as ensemble methods, such as Gradient Boosting and eXtreme gradient boosting (XGBoost), are often plagued by high computational costs, which makes it challenging for them to perform real-time detection. In this regard, we suggested an attack detection approach that integrates Visual Geometry Group 16 (VGG16), Artificial Rabbits Optimizer (ARO), and Random Forest Model to increase detection accuracy and operational efficiency in Internet of Things (IoT) networks. In the suggested model, the extraction of features from malware pictures was accomplished with the help of VGG16. The prediction process is carried out by the random forest model using the extracted features from the VGG16. Additionally, ARO is used to improve the hyper-parameters of the random forest model of the random forest. With an accuracy of 96.36%, the suggested model outperforms the standard models in terms of accuracy, F1-score, precision, and recall. The comparative research highlights our strategy’s success, which improves performance while maintaining a lower computational cost. This method is ideal for real-time applications, but it is effective.
Keywords: malware detection VGG feature extraction artificial rabbits OPTIMIZATION random forest model
Deep Convolution Neural Networks for Image-Based Android Malware Classification
14
Authors: Amel Ksibi, Mohammed Zakariah, Latifah Almuqren, Ala Saleh Alluhaidan. Computers, Materials & Continua, 2025, No. 3, pp. 4093-4116 (24 pages)
The analysis of Android malware shows that this threat is constantly increasing and is a real threat to mobile devices since traditional approaches, such as signature-based detection, are no longer effective due to the continuously advancing level of sophistication. To resolve this problem, efficient and flexible malware detection tools are needed. This work examines the possibility of employing deep CNNs to detect Android malware by transforming network traffic into image data representations. Moreover, the dataset used in this study is the CIC-AndMal2017, which contains 20,000 instances of network traffic across five distinct malware categories: a. Trojan, b. Adware, c. Ransomware, d. Spyware, e. Worm. These network traffic features are then converted to image formats for deep learning, which is applied in a CNN framework, including the VGG16 pre-trained model. In addition, our approach yielded high performance, yielding an accuracy of 0.92, accuracy of 99.1%, precision of 98.2%, recall of 99.5%, and F1 score of 98.7%. Subsequent improvements to the classification model through changes within the VGG19 framework improved the classification rate to 99.25%. Through the results obtained, it is clear that CNNs are a very effective way to classify Android malware, providing greater accuracy than conventional techniques. The success of this approach also shows the applicability of deep learning in mobile security along with the direction for the future advancement of the real-time detection system and other deeper learning techniques to counter the increasing number of threats emerging in the future.
Keywords: Android malware detection deep convolutional neural network (DCNN) image processing CIC-AndMal2017 dataset exploratory data analysis VGG16 model
A Novel Malware Detection Framework for Internet of Things Applications
15
Authors: Muhammad Adil, Mona M. Jamjoom, Zahid Ullah. Computers, Materials & Continua, 2025, No. 9, pp. 4363-4380 (18 pages)
In today’s digital world, the Internet of Things (IoT) plays an important role in both local and global economies due to its widespread adoption in different applications. This technology has the potential to offer several advantages over conventional technologies in the near future. However, the potential growth of this technology also attracts attention from hackers, which introduces new challenges for the research community that range from hardware and software security to user privacy and authentication. Therefore, we focus on a particular security concern that is associated with malware detection. The literature presents many countermeasures, but inconsistent results on identical datasets and algorithms raise concerns about model biases, training quality, and complexity. This highlights the need for an adaptive, real-time learning framework that can effectively mitigate malware threats in IoT applications. To address these challenges, (i) we propose an intelligent framework based on Two-step Deep Reinforcement Learning (TwStDRL) that is capable of learning and adapting in real-time to counter malware threats in IoT applications. This framework uses exploration and exploitation phenomena during both the training and testing phases by storing results in a replay memory. The stored knowledge allows the model to effectively navigate the environment and maximize cumulative rewards. (ii) To demonstrate the superiority of the TwStDRL framework, we implement and evaluate several machine learning algorithms for comparative analysis that include Support Vector Machines (SVM), Multi-Layer Perceptron, Random Forests, and k-means Clustering. The selection of these algorithms is driven by the inconsistent results reported in the literature, which create doubt about their robustness and reliability in real-world IoT deployments. (iii) Finally, we provide a comprehensive evaluation to justify why the TwStDRL framework outperforms them in mitigating security threats. During analysis, we noted that our proposed TwStDRL scheme achieves an average performance of 99.45% across accuracy, precision, recall, and F1-score, which is an absolute improvement of roughly 3% over the existing malware-detection models.
Keywords: IoT applications security malware detection advanced machine learning algorithms data privacy challenges
Android Malware Detection Using ResNet-50 Stacking
16
Authors: Lojain Nahhas, Marwan Albahar, Abdullah Alammari, Anca Jurcut. Computers, Materials & Continua (SCIE, EI), 2023, No. 2, pp. 3997-4014 (18 pages)
There has been an increase in attacks on mobile devices, such as smartphones and tablets, due to their growing popularity. Mobile malware is one of the most dangerous threats, causing both security breaches and financial losses. Mobile malware is likely to continue to evolve and proliferate to carry out a variety of cybercrimes on mobile devices. Mobile malware specifically targets Android operating system as it has grown in popularity. The rapid proliferation of Android malware apps poses a significant security risk to users, making static and manual analysis of malicious files difficult. Therefore, efficient identification and classification of Android malicious files is crucial. Several Convolutional Neural Network (CNN) based methods have been proposed in this regard; however, there is still room for performance improvement. In this work, we propose a transfer learning and stacking approach to efficiently detect the Android malware files by utilizing two well-known machine learning models, ResNet-50 and Support Vector Machine (SVM). The proposed model is trained on the DREBIN dataset by transforming malicious APK files into grayscale images. Our model yields higher performance measures than state-of-the-art works on the DREBIN dataset, where the reported measures are accuracy, recall, precision, and F1 measures of 97.8%, 95.8%, 95.7%, and 95.7%, respectively.
Keywords: Android malware convolutional neural network malware analysis malware classification image classification support vector machine
MMALE—A Methodology for Malware Analysis in Linux Environments
17
Authors: José Javier de Vicente Mohino, Javier Bermejo Higuera, Juan Ramón Bermejo Higuera, Juan Antonio Sicilia Montalvo, Manuel Sánchez Rubio, José Javier Martínez Herraiz. Computers, Materials & Continua (SCIE, EI), 2021, No. 5, pp. 1447-1469 (23 pages)
In a computer environment, an operating system is prone to malware, and even the Linux operating system is not an exception. In recent years, malware has evolved, and attackers have become more qualified compared to a few years ago. Furthermore, Linux-based systems have become more attractive to cybercriminals because of the increasing use of the Linux operating system in web servers and Internet of Things (IoT) devices. Windows is the most employed OS, so most of the research efforts have been focused on its malware protection rather than on other operating systems. As a result, hundreds of research articles, documents, and methodologies dedicated to malware analysis have been reported. However, there has not been much literature concerning Linux security and protection from malware. To address all these new challenges, it is necessary to develop a methodology that can standardize the required steps to perform the malware analysis in depth. A systematic analysis process makes the difference between good and ordinary malware analyses. Additionally, a deep malware comprehension can yield a faster and much more efficient malware eradication. In order to address all mentioned challenges, this article proposed a methodology for malware analysis in the Linux operating system, which is a traditionally overlooked field compared to the other operating systems. The proposed methodology is tested by a specific Linux malware, and the obtained test results have high effectiveness in malware detection.
Keywords: malware analysis methodology analysis Linux malware IoT malware
A Survey on Visualization-Based Malware Detection
18
Authors: Ahmad Moawad, Ahmed Ismail Ebada, Aya M. Al-Zoghby. Journal of Cyber Security, 2022, No. 3, pp. 153-168 (16 pages)
In computer security, the number of malware threats is increasing and causing damage to systems for individuals or organizations, necessitating a new detection technique capable of detecting a new variant of malware more efficiently than traditional anti-malware methods. Traditional antimalware software cannot detect new malware variants, and conventional techniques such as static analysis, dynamic analysis, and hybrid analysis are time-consuming and rely on domain experts. Visualization-based malware detection has recently gained popularity due to its accuracy, independence from domain experts, and faster detection time. Visualization-based malware detection uses the image representation of the malware binary and applies image processing techniques to the image. This paper aims to provide readers with a comprehensive understanding of malware detection and focuses on visualization-based malware detection.
Keywords: malware detection malware image malware classification visualization-based detection SURVEY
An Effective Memory Analysis for Malware Detection and Classification (Cited by: 1)
19
Authors: Rami Sihwail, Khairuddin Omar, Khairul Akram Zainol Ariffin. Computers, Materials & Continua (SCIE, EI), 2021, No. 5, pp. 2301-2320 (20 pages)
The study of malware behaviors, over the last years, has received tremendous attention from researchers for the purpose of reducing malware risks. Most of the investigating experiments are performed using either static analysis or behavior analysis. However, recent studies have shown that both analyses are vulnerable to modern malware files that use several techniques to avoid analysis and detection. Therefore, extracted features could be meaningless and a distraction for malware analysts. However, the volatile memory can expose useful information about malware behaviors and characteristics. In addition, memory analysis is capable of detecting unconventional malware, such as in-memory and fileless malware. However, memory features have not been fully utilized yet. Therefore, this work aims to present a new malware detection and classification approach that extracts memory-based features from memory images using memory forensic techniques. The extracted features can expose the malware’s real behaviors, such as interacting with the operating system, DLL and process injection, communicating with command and control site, and requesting higher privileges to perform specific tasks. We also applied feature engineering and converted the features to binary vectors before training and testing the classifiers. The experiments show that the proposed approach has a high classification accuracy rate of 98.5% and a false positive rate as low as 1.24% using the SVM classifier. The efficiency of the approach has been evaluated by comparing it with other related works. Also, a new memory-based dataset consisting of 2502 malware files and 966 benign samples forming 8898 features and belonging to six memory types has been created and published online for research purposes.
Keywords: CYBERSECURITY feature selection machine learning malware dataset malware detection memory analysis memory features
Hybrid Malware Variant Detection Model with Extreme Gradient Boosting and Artificial Neural Network Classifiers (Cited by: 1)
20
Authors: Asma A. Alhashmi, Abdulbasit A. Darem, Sultan M. Alanazi, Abdullah M. Alashjaee, Bader Aldughayfiq, Fuad A. Ghaleb, Shouki A. Ebad, Majed A. Alanazi. Computers, Materials & Continua (SCIE, EI), 2023, No. 9, pp. 3483-3498 (16 pages)
In an era marked by escalating cybersecurity threats, our study addresses the challenge of malware variant detection, a significant concern for a multitude of sectors including petroleum and mining organizations. This paper presents an innovative Application Programmable Interface (API)-based hybrid model designed to enhance the detection performance of malware variants. This model integrates eXtreme Gradient Boosting (XGBoost) and an Artificial Neural Network (ANN) classifier, offering a potent response to the sophisticated evasion and obfuscation techniques frequently deployed by malware authors. The model’s design capitalizes on the benefits of both static and dynamic analysis to extract API-based features, providing a holistic and comprehensive view of malware behavior. From these features, we construct two XGBoost predictors, each of which contributes a valuable perspective on the malicious activities under scrutiny. The outputs of these predictors, interpreted as malicious scores, are then fed into an ANN-based classifier, which processes this data to derive a final decision. The strength of the proposed model lies in its capacity to leverage behavioral and signature-based features, and most importantly, in its ability to extract and analyze the hidden relations between these two types of features. The efficacy of our proposed API-based hybrid model is evident in its performance metrics. It outperformed other models in our tests, achieving an impressive accuracy of 95% and an F-measure of 93%. This significantly improved the detection performance of malware variants, underscoring the value and potential of our approach in the challenging field of cybersecurity.
Keywords: API-based hybrid malware detection model static and dynamic analysis malware detection