Journal articles on the topic "Evasive malware"

To see other publication types on this topic, follow the link: Evasive malware.

Consult the top 50 journal articles for research on the topic "Evasive malware".

Next to each work in the list of references there is an "Add to bibliography" button. Use it and we will automatically format a bibliographic reference to the chosen work in the citation style you need: APA, MLA, Harvard, Chicago, Vancouver, etc.

You can also download the full text of the scientific publication in ".pdf" format and read the online abstract of the work, if these are available in the metadata.

Browse journal articles across disciplines and format your bibliography correctly.

1. Gruber, Jan, and Felix Freiling. "Fighting Evasive Malware." Datenschutz und Datensicherheit - DuD 46, no. 5 (May 2022): 284–90. http://dx.doi.org/10.1007/s11623-022-1604-9.

2. Egitmen, Alper, Irfan Bulut, R. Can Aygun, A. Bilge Gunduz, Omer Seyrekbasan, and A. Gokhan Yavuz. "Combat Mobile Evasive Malware via Skip-Gram-Based Malware Detection." Security and Communication Networks 2020 (April 20, 2020): 1–10. http://dx.doi.org/10.1155/2020/6726147.

Abstract:
Android malware detection is an important research topic in the security area. There are a variety of existing malware detection models based on static and dynamic malware analysis. However, most of these models are not very successful when it comes to evasive malware detection. In this study, we aimed to create a malware detection model based on a natural language model called skip-gram to detect evasive malware with the highest accuracy rate possible. In order to train and test our proposed model, we used an up-to-date malware dataset called Argus Android Malware Dataset (AMD) since the AMD contains various evasive malware families and detailed information about them. Meanwhile, for the benign samples, we used Comodo Android Benign Dataset. Our proposed model starts with extracting skip-gram-based features from instruction sequences of Android applications. Then it applies several machine learning algorithms to classify samples as benign or malware. We tested our proposed model with two different scenarios. In the first scenario, the random forest-based classifier performed with 95.64% detection accuracy on the entire dataset and 95% detection accuracy against evasive only samples. In the second scenario, we created a test dataset that contained zero-day malware samples only. For the training set, we did not use any sample that belongs to the malware families in the test set. The random forest-based model performed with 37.36% accuracy rate against zero-day malware. In addition, we compared our proposed model’s malware detection performance against several commercial antimalware applications using VirusTotal API. Our model outperformed 7 out of 10 antimalware applications and tied with one of them on the same test scenario.
3. Vidyarthi, Deepti, S. P. Choudhary, Subrata Rakshit, and C. R. S. Kumar. "Malware Detection by Static Checking and Dynamic Analysis of Executables." International Journal of Information Security and Privacy 11, no. 3 (July 2017): 29–41. http://dx.doi.org/10.4018/ijisp.2017070103.

Abstract:
Advanced malware continues to be a challenge in the digital world that signature-based detection techniques fail to conquer. Malware uses many anti-detection techniques to mutate. Thus, no virus scanner can claim complete malware detection even for known malware. Static and dynamic analysis techniques focus upon different kinds of malware such as evasive or metamorphic malware. This paper proposes a comprehensive approach that combines static checking and dynamic analysis for malware detection. Static analysis is used to check specific code characteristics. Dynamic analysis is used to analyze the runtime behavior of malware. The authors propose a framework for the automated analysis of an executable's behavior using text mining. Text mining of dynamic attributes identifies the important features for classifying the executable as benign or malware. The synergistic combination proposed in this paper allows detection of not only known variants of malware but even obfuscated, packed and unknown malware variants and malware evasive to dynamic analysis.
4. Krishna, T. Shiva Rama. "Malware Detection using Deep Learning." International Journal for Research in Applied Science and Engineering Technology 9, no. VI (June 20, 2021): 1847–53. http://dx.doi.org/10.22214/ijraset.2021.35426.

Abstract:
Malicious software or malware continues to pose a major security concern in this digital age as computer users, corporations, and governments witness an exponential growth in malware attacks. Current malware detection solutions adopt static and dynamic analysis of malware signatures and behaviour patterns that are time consuming and ineffective in identifying unknown malware. Recent malware uses polymorphic, metamorphic and other evasive techniques to change malware behaviour quickly and to generate large numbers of malware variants. Since new malware is predominantly a variant of existing malware, machine learning algorithms have recently been employed to conduct effective malware analysis. This requires extensive feature engineering, feature learning and feature representation. By using advanced MLAs such as deep learning, the feature engineering phase can be completely avoided. Though some recent research studies exist in this direction, the performance of the algorithms is biased by the training data. There is a need to mitigate bias and evaluate these methods independently in order to arrive at new enhanced methods for effective zero-day malware detection. To fill the gap in the literature, this work evaluates classical MLAs and deep learning architectures for malware detection, classification and categorization with both public and private datasets. The train and test splits of the public and private datasets used in the experimental analysis are disjoint from each other and were collected in different timescales. In addition, we propose a novel image processing technique with optimal parameters for MLAs and deep learning architectures. A comprehensive experimental evaluation of these methods indicates that deep learning architectures outperform classical MLAs. Overall, this work proposes an effective visual detection of malware using a scalable and hybrid deep learning framework for real-time deployments. The visualization and deep learning architectures for a static, dynamic and image processing-based hybrid approach in a big data environment are a new enhanced method for effective zero-day malware detection.
5. D'Elia, Daniele Cono, Emilio Coppa, Federico Palmaro, and Lorenzo Cavallaro. "On the Dissection of Evasive Malware." IEEE Transactions on Information Forensics and Security 15 (2020): 2750–65. http://dx.doi.org/10.1109/tifs.2020.2976559.

6. Cara, Fabrizio, Michele Scalas, Giorgio Giacinto, and Davide Maiorca. "On the Feasibility of Adversarial Sample Creation Using the Android System API." Information 11, no. 9 (September 10, 2020): 433. http://dx.doi.org/10.3390/info11090433.

Abstract:
Due to its popularity, the Android operating system is a critical target for malware attacks. Multiple security efforts have been made on the design of malware detection systems to identify potentially harmful applications. In this sense, machine learning-based systems, leveraging both static and dynamic analysis, have been increasingly adopted to discriminate between legitimate and malicious samples due to their capability of identifying novel variants of malware samples. At the same time, attackers have been developing several techniques to evade such systems, such as the generation of evasive apps, i.e., carefully perturbed samples that can be classified as legitimate by the classifiers. Previous work has shown the vulnerability of detection systems to evasion attacks, including those designed for Android malware detection. However, most works neglected to bring the evasive attacks onto the so-called problem space, i.e., by generating concrete Android adversarial samples, which requires preserving the app's semantics and being realistic for human expert analysis. In this work, we aim to understand the feasibility of generating adversarial samples specifically through the injection of system API calls, which are typical discriminating characteristics for malware detectors. We perform our analysis on a state-of-the-art ransomware detector that employs the occurrence of system API calls as features of its machine learning algorithm. In particular, we discuss the constraints that are necessary to generate real samples, and we use techniques inherited from interpretability to assess the impact of specific API calls on evasion. We assess the vulnerability of such a detector against mimicry and random noise attacks. Finally, we propose a basic implementation to generate concrete and working adversarial samples. The attained results suggest that injecting system API calls could be a viable strategy for attackers to generate concrete adversarial samples. However, we point out the low suitability of mimicry attacks and the necessity to build more sophisticated evasion attacks.
7. Mills, Alan, and Phil Legg. "Investigating Anti-Evasion Malware Triggers Using Automated Sandbox Reconfiguration Techniques." Journal of Cybersecurity and Privacy 1, no. 1 (November 20, 2020): 19–39. http://dx.doi.org/10.3390/jcp1010003.

Abstract:
Malware analysis is fundamental for defending against prevalent cyber security threats and requires a means to deploy and study behavioural software traits as more sophisticated malware is developed. Traditionally, virtual machines are used to provide an environment that is isolated from production systems so as to not cause any adverse impact on existing infrastructure. Malware developers are fully aware of this and so will often develop evasion techniques to avoid detection within sandbox environments. In this paper, we conduct an investigation of anti-evasion malware triggers for uncovering malware that may attempt to conceal itself when deployed in a traditional sandbox environment. To facilitate our investigation, we developed a tool called MORRIGU that couples together both automated and human-driven analysis for systematic testing of anti-evasion methods using dynamic sandbox reconfiguration techniques. This is further supported by visualisation methods for performing comparative analysis of system activity when malware is deployed under different sandbox configurations. Our study reveals a variety of anti-evasion traits that are shared amongst different malware families, such as sandbox “wear-and-tear”, and Reverse Turing Tests (RTT), as well as more sophisticated malware samples that require multiple anti-evasion checks to be deployed. We also perform a comparative study using Cuckoo sandbox to demonstrate the limitations of adopting only automated analysis tools, to justify the exploratory analysis provided by MORRIGU. By adopting a clearer systematic process for uncovering anti-evasion malware triggers, as supported by tools like MORRIGU, this study helps to further the research of evasive malware analysis so that we can better defend against such future attacks.
8. Ilić, Slaviša, Milan Gnjatović, Brankica Popović, and Nemanja Maček. "A pilot comparative analysis of the Cuckoo and Drakvuf sandboxes: An end-user perspective." Vojnotehnicki glasnik 70, no. 2 (2022): 372–92. http://dx.doi.org/10.5937/vojtehg70-36196.

Abstract:
Introduction/purpose: This paper reports on a pilot comparative analysis of the Cuckoo and Drakvuf sandboxes. These sandboxes are selected as the subjects of the analysis because of their popularity in the professional community and their complementary approaches to analyzing malware behavior. Methods: Both sandboxes were set up with basic configurations and confronted with the same set of malware samples. The evaluation was primarily conducted with respect to the question of to what extent a sandbox is helpful to the human analyst in malware analysis. Thus, only the information available in Web console reports was considered. Results: Drakvuf is expected to perform better when confronted with evasive malware and so-called "file-less" malware. Although still not mature in terms of integration, customization and tools, this sandbox is considered a second generation sandbox because of its agentless design. On the other hand, the Cuckoo sandbox creates a better overall experience: it is supported through good documentation and a strong professional community, is better integrated with various tools, supports more virtualization, operating system and sample types, and generates more informative reports. Even with a smaller capacity to prevent evasive malware, its Python 2 agent script makes it more powerful than Drakvuf. Conclusion: To achieve optimal open-source sandbox-based protection, it is recommended to apply both the Cuckoo and Drakvuf sandboxes. In circumstances of limited resources, applying the Cuckoo sandbox is preferable, especially if exposure to malware deploying evasion techniques is not frequently expected.
9. Djufri, Faiz Iman, and Charles Lim. "Revealing and Sharing Malware Profile Using Malware Threat Intelligence Platform." ACMIT Proceedings 6, no. 1 (July 6, 2021): 72–82. http://dx.doi.org/10.33555/acmit.v6i1.100.

Abstract:
Cyber security is an interchange between attackers and defenders, a non-static balancing force. The increasing trend of novel security threats and security incidents, which does not seem to be stopping, prompts the need to add another line of security defences. This is because risk management and risk detection have become virtually impossible due to the limited access to user data and the variations of modern threat taxonomies. The traditional strategy of self-discovery and signature detection, which has a static nature, is now obsolete in facing threats of the new generation with a dynamic nature; threats which are resilient, complex, and evasive. Therefore, this thesis discusses the use of MISP and the Triad Investigation approach to share Indicators of Compromise on a Cyber Intelligence Sharing Platform to be able to address the new threats.
10. Kawakoya, Yuhei, Eitaro Shioji, Makoto Iwamura, and Jun Miyoshi. "API Chaser: Taint-Assisted Sandbox for Evasive Malware Analysis." Journal of Information Processing 27 (2019): 297–314. http://dx.doi.org/10.2197/ipsjjip.27.297.

11. Xiao, Kaiming, Cheng Zhu, Junjie Xie, Yun Zhou, Xianqiang Zhu, and Weiming Zhang. "Dynamic Defense against Stealth Malware Propagation in Cyber-Physical Systems: A Game-Theoretical Framework." Entropy 22, no. 8 (August 15, 2020): 894. http://dx.doi.org/10.3390/e22080894.

Abstract:
Stealth malware is a representative tool of advanced persistent threat (APT) attacks, which poses an increased threat to cyber-physical systems (CPS) today. Due to the use of stealthy and evasive techniques, stealth malware usually renders conventional heavy-weight countermeasures inapplicable. Light-weight countermeasures, on the other hand, can help retard the spread of stealth malware, but the ensuing side effects might violate the primary safety requirement of CPS. Hence, defenders need to find a balance between the gain and loss of deploying light-weight countermeasures, which normally is a challenging task. To address this challenge, we model the persistent anti-malware process as a shortest-path tree interdiction (SPTI) Stackelberg game with both a static version (SSPTI) and a multi-stage dynamic version (DSPTI), and the safety requirements of CPS are introduced as constraints in the defender's decision model. The attacker aims to stealthily penetrate the CPS at the lowest cost (e.g., time, effort) by selecting optimal network links to spread, while the defender aims to retard the malware epidemic as much as possible. Both games are modeled as bi-level integer programs and proved to be NP-hard. We then develop a Benders decomposition algorithm to achieve the Stackelberg equilibrium of SSPTI, and design a Model Predictive Control strategy to solve DSPTI approximately by sequentially solving a 1+δ approximation of SSPTI. Extensive experiments have been conducted by comparing the proposed algorithms and strategies with existing ones on both static and dynamic performance metrics. The evaluation results demonstrate the efficiency of the proposed algorithms and strategies on both simulated and real-case-based CPS networks. Furthermore, the proposed dynamic defense framework shows its advantage of achieving a balance between fail-secure ability and fail-safe ability while retarding stealth malware propagation in CPS.
12. Hemalatha, Jeyaprakash, S. Abijah Roseline, Subbiah Geetha, Seifedine Kadry, and Robertas Damaševičius. "An Efficient DenseNet-Based Deep Learning Model for Malware Detection." Entropy 23, no. 3 (March 15, 2021): 344. http://dx.doi.org/10.3390/e23030344.

Abstract:
Recently, there has been a huge rise in malware growth, which creates a significant security threat to organizations and individuals. Despite the incessant efforts of cybersecurity research to defend against malware threats, malware developers discover new ways to evade these defense techniques. Traditional static and dynamic analysis methods are ineffective in identifying new malware and pose high overhead in terms of memory and time. Typical machine learning approaches that train a classifier based on handcrafted features are also not sufficiently potent against these evasive techniques and require more effort due to feature engineering. Recent malware detectors indicate performance degradation due to class imbalance in malware datasets. To resolve these challenges, this work adopts a visualization-based method, where malware binaries are depicted as two-dimensional images and classified by a deep learning model. We propose an efficient malware detection system based on deep learning. The system uses a reweighted class-balanced loss function in the final classification layer of the DenseNet model to achieve significant performance improvements in classifying malware by handling imbalanced data issues. Comprehensive experiments performed on four benchmark malware datasets show that the proposed approach can detect new malware samples with higher accuracy (98.23% for the Malimg dataset, 98.46% for the BIG 2015 dataset, 98.21% for the MaleVis dataset, and 89.48% for the unseen Malicia dataset) and reduced false-positive rates when compared with conventional malware mitigation techniques while maintaining low computational time. The proposed malware detection solution is also reliable and effective against obfuscation attacks.
13. Bagui, Sikha, and Daniel Benson. "Android Adware Detection Using Machine Learning." International Journal of Cyber Research and Education 3, no. 2 (July 2021): 1–19. http://dx.doi.org/10.4018/ijcre.2021070101.

Abstract:
Adware, an advertising-supported software, becomes a type of malware when it automatically delivers unwanted advertisements to an infected device, steals user information, and opens other vulnerabilities that allow other malware and adware to be installed. With the rise of more and more complex evasive malware, specifically adware, better methods of detecting adware are required. Though a lot of work has been done on malware detection in general, very little focus has been put on the adware family. The novelty of this paper lies in analyzing the individual adware families. To date, no work has been done on analyzing the individual adware families. In this paper, using the CICAndMal2017 dataset, feature selection is performed using information gain, and classification is performed using machine learning. The best attributes for classification of each of the individual adware families using network traffic samples are presented. The results present an average classification rate that is an improvement over previous works for classification of individual adware families.
14. Galloro, Nicola, Mario Polino, Michele Carminati, Andrea Continella, and Stefano Zanero. "A Systematical and longitudinal study of evasive behaviors in windows malware." Computers & Security 113 (February 2022): 102550. http://dx.doi.org/10.1016/j.cose.2021.102550.

15. Sivaraju, S. S. "An Insight into Deep Learning based Cryptojacking Detection Model." Journal of Trends in Computer Science and Smart Technology 4, no. 3 (September 21, 2022): 175–84. http://dx.doi.org/10.36548/jtcsst.2022.3.006.

Abstract:
Autonomously identifying cyber threats is a non-trivial research topic. One area where this is most apparent is in the evolution of evasive cyber assaults, which are becoming better at masking their existence and obscuring their attack methods (for example, file-less malware). Particularly stealthy Advanced Persistent Threats may hide out in the system for a long time without being spotted. This study presents a novel method, dubbed CapJack, for identifying illicit bitcoin mining activity in a web browser by using cutting-edge CapsNet technology. Thus far, it is known that the deep learning framework CapsNet pertains to the problem of detecting malware effectively using a heuristic based on system behaviour. Even more, in multitasking situations when several apps are all active at the same time, it is possible to identify fraudulent miners with greater efficiency.
16. Nunes, Matthew, Pete Burnap, Philipp Reinecke, and Kaelon Lloyd. "Bane or Boon: Measuring the effect of evasive malware on system call classifiers." Journal of Information Security and Applications 67 (June 2022): 103202. http://dx.doi.org/10.1016/j.jisa.2022.103202.

17. Sharma, Amit, Brij B. Gupta, Awadhesh Kumar Singh, and V. K. Saraswat. "Orchestration of APT malware evasive manoeuvers employed for eluding anti-virus and sandbox defense." Computers & Security 115 (April 2022): 102627. http://dx.doi.org/10.1016/j.cose.2022.102627.

18. Yerima, Suleiman Y., Mohammed K. Alzaylaee, Annette Shajan, and Vinod P. "Deep Learning Techniques for Android Botnet Detection." Electronics 10, no. 4 (February 23, 2021): 519. http://dx.doi.org/10.3390/electronics10040519.

Abstract:
Android is increasingly being targeted by malware since it has become the most popular mobile operating system worldwide. Evasive malware families, such as Chamois, designed to turn Android devices into bots that form part of a larger botnet are becoming prevalent. This calls for more effective methods for detection of Android botnets. Recently, deep learning has gained attention as a machine learning based approach to enhance Android botnet detection. However, studies that extensively investigate the efficacy of various deep learning models for Android botnet detection are currently lacking. Hence, in this paper we present a comparative study of deep learning techniques for Android botnet detection using 6802 Android applications consisting of 1929 botnet applications from the ISCX botnet dataset. We evaluate the performance of several deep learning techniques including: CNN, DNN, LSTM, GRU, CNN-LSTM, and CNN-GRU models using 342 static features derived from the applications. In our experiments, the deep learning models achieved state-of-the-art results based on the ISCX botnet dataset and also outperformed the classical machine learning classifiers.
19. Lee, Han Seong, and Hyung-Woo Lee. "Simulated Dynamic C&C Server Based Activated Evidence Aggregation of Evasive Server-Side Polymorphic Mobile Malware on Android." International Journal of Advanced Smart Convergence 6, no. 1 (March 31, 2017): 1–8. http://dx.doi.org/10.7236/ijasc.2017.6.1.1.

20. Ndichu, Samuel, Sylvester McOyowo, Henry Okoyo, and Cyrus Wekesa. "A Remote Access Security Model based on Vulnerability Management." International Journal of Information Technology and Computer Science 12, no. 5 (October 8, 2020): 38–51. http://dx.doi.org/10.5815/ijitcs.2020.05.03.

Abstract:
Information security threats exploit vulnerabilities in communication networks. Remote access vulnerabilities are evident from the point of communication initialization, following the communication channel to the data or resources being accessed. These threats differ depending on the type of device used to procure remote access. One kind of these remote access devices can be considered as safe, as the organization probably issues it to provide for remote access. The other type is risky and unsafe, as they are beyond the organization's control and monitoring. The myriad of devices is, however, a necessary evil, be it employees on public networks like cyber cafes, wireless networks, vendor support, or telecommuting. A Virtual Private Network (VPN) securely connects a remote user or device to an internal or private network using the internet and other public networks. However, this conventional remote access security approach has several vulnerabilities, which can take advantage of encryption. The significant threats are malware, botnets, and Distributed Denial of Service (DDoS). Because of the nature of a VPN, encryption will prevent traditional security devices such as a firewall, Intrusion Detection System (IDS), and antivirus software from detecting compromised traffic. These vulnerabilities have been exploited over time by attackers using evasive techniques to avoid detection, leading to costly security breaches and compromises. We highlight numerous shortcomings of several conventional approaches to remote access security. We then adopt network tiers to facilitate vulnerability management (VM) in remote access domains. We perform regular traffic simulation using Network Security Simulator (NeSSi2) to set a bandwidth baseline and use this as a benchmark to investigate malware spreading capabilities and DDoS attacks by continuous flooding in remote access. Finally, we propose a novel approach to remote access security by passive learning of packet capture file features using machine learning and classification using a classifier model.
21. Marques, Rafael Salema, Gregory Epiphaniou, Haider Al-Khateeb, Carsten Maple, Mohammad Hammoudeh, Paulo André Lima De Castro, Ali Dehghantanha, and Kim-Kwang Raymond Choo. "A Flow-based Multi-agent Data Exfiltration Detection Architecture for Ultra-low Latency Networks." ACM Transactions on Internet Technology 21, no. 4 (July 16, 2021): 1–30. http://dx.doi.org/10.1145/3419103.

Abstract:
Modern network infrastructures host converged applications that demand rapid elasticity of services, increased security, and ultra-fast reaction times. The Tactile Internet promises to facilitate the delivery of these services while enabling new economies of scale for high fidelity of machine-to-machine and human-to-machine interactions. Unavoidably, critical mission systems served by the Tactile Internet manifest high demands not only for high speed and reliable communications but equally for the ability to rapidly identify and mitigate threats and vulnerabilities. This article proposes a novel Multi-Agent Data Exfiltration Detector Architecture (MADEX), inspired by the mechanisms and features present in the human immune system. MADEX seeks to identify data exfiltration activities performed by evasive and stealthy malware that hides malicious traffic from an infected host in low-latency networks. Our approach uses cross-network traffic information collected by agents to effectively identify unknown illicit connections by a subverted operating system. MADEX does not require prior knowledge of the characteristics or behavior of the malicious code or dedicated access to a knowledge repository. We tested the performance of MADEX in terms of its capacity to handle real-time data and the sensitivity of our algorithm's classification when exposed to malicious traffic. Experimental evaluation results show that MADEX achieved 99.97% sensitivity, 98.78% accuracy, and an error rate of 1.21% when compared to its best rivals. We created a second version of MADEX, called MADEX level 2, that further improves its overall performance with a slight increase in computational complexity. We argue for the suitability of MADEX level 1 in non-critical environments, while MADEX level 2 can be used to avoid data exfiltration in critical mission systems. To the best of our knowledge, this is the first article in the literature that addresses the detection of rootkits in real time in an agnostic way using an artificial immune system approach while satisfying strict latency requirements.
22. Elsersy, Wael F., Ali Feizollah, and Nor Badrul Anuar. "The rise of obfuscated Android malware and impacts on detection methods." PeerJ Computer Science 8 (March 9, 2022): e907. http://dx.doi.org/10.7717/peerj-cs.907.

Abstract:
The various application markets are facing an exponential growth of Android malware. Every day, thousands of new Android malware applications emerge. Android malware hackers adopt reverse engineering and repackage benign applications with their malicious code. Therefore, Android application developers tend to use state-of-the-art obfuscation techniques to mitigate the risk of application plagiarism. Malware authors adopt obfuscation and transformation techniques to defeat anti-malware detection, which this paper refers to as evasions. Malware authors use obfuscation techniques to generate new malware variants from the same malicious code. The concern of encountering difficulties in malware reverse engineering motivates researchers to secure the source code of benign Android applications using evasion techniques. This study reviews the state-of-the-art evasion tools and techniques. The study criticizes the existing research gap of detection in the latest Android malware detection frameworks and challenges the classification performance against various evasion techniques. The study concludes with the research gaps in evaluating the robustness of current Android malware detection frameworks against state-of-the-art evasion techniques. The study concludes with the recent Android malware detection-related issues and lessons learned which require researchers' attention in the future.
23. Al-Marghilani, A. "Comprehensive Analysis of IoT Malware Evasion Techniques." Engineering, Technology & Applied Science Research 11, no. 4 (August 21, 2021): 7495–500. http://dx.doi.org/10.48084/etasr.4296.

Анотація:
Malware detection in Internet of Things (IoT) devices is a great challenge, as these devices lack certain characteristics such as homogeneity and security. Malware is malicious software that affects a system as it can steal sensitive information, slow its speed, cause frequent hangs, and disrupt operations. The most common malware types are adware, computer viruses, spyware, trojans, worms, rootkits, key loggers, botnets, and ransomware. Malware detection is critical for a system's security. Many security researchers have studied the IoT malware detection domain. Many studies proposed static or dynamic analysis for IoT malware detection. This paper presents a survey of IoT malware evasion techniques, reviewing and discussing various research works. Malware uses a few common evasion techniques such as user interaction, environmental awareness, stegosploit, domain and IP identification, code obfuscation, code encryption, timing, and code compression. A comparative analysis was conducted pointing out various advantages and disadvantages. This study provides guidelines on IoT malware evasion techniques.
24

Chen, Hongyi, Jinshu Su, Linbo Qiao, and Qin Xin. "Malware Collusion Attack against SVM: Issues and Countermeasures." Applied Sciences 8, no. 10 (September 21, 2018): 1718. http://dx.doi.org/10.3390/app8101718.

Abstract:
Android has become the most popular mobile platform, and a hot target for malware developers. At the same time, researchers have come up with numerous ways to deal with malware. Among them, machine learning based methods are quite effective in Android malware detection, the accuracy of which can be as high as 98%. Thus, malware developers have the incentives to develop more advanced malware to evade detection. This paper presents an adversary attack scenario (Collusion Attack) that will compromise current machine learning based malware detection methods, especially Support Vector Machines (SVM). The malware developers can perform this attack easily by splitting malicious payload into two or more apps. Meanwhile, attackers may hide their malicious behavior by using advanced techniques (Evasion Attack), such as obfuscation, etc. According to our simulation, 87.4% of apps can evade Linear SVM by Collusion Attack. When performing Collusion and Evasion Attack simultaneously, the evasion rate can reach 100% at a low cost. Thus, we proposed a method to deal with this issue. This approach, realized in a tool, called ColluDroid, can identify the collusion apps by analyzing the communication between apps. In addition, it can integrate secure learning methods (e.g., Sec-SVM) to fight against Evasion Attack. The evaluation results show that ColluDroid is effective in finding out the collusion apps and ColluDroid-Sec-SVM has the best performance in the presence of both Collusion and Evasion Attack.
25

Afianian, Amir, Salman Niksefat, Babak Sadeghiyan, and David Baptiste. "Malware Dynamic Analysis Evasion Techniques." ACM Computing Surveys 52, no. 6 (January 21, 2020): 1–28. http://dx.doi.org/10.1145/3365001.

26

Ashawa, Moses, and Sarah Morris. "Analysis of Mobile Malware: A Systematic Review of Evolution and Infection Strategies." Journal of Information Security and Cybercrimes Research 4, no. 2 (December 30, 2021): 103–31. http://dx.doi.org/10.26735/krvi8434.

Abstract:
The open-source and popularity of Android attracts hackers and has multiplied security concerns targeting devices. As such, malware attacks on Android are one of the security challenges facing society. This paper presents an analysis of mobile malware evolution between 2000-2020. The paper presents mobile malware types and in-depth infection strategies malware deploys to infect mobile devices. Accordingly, factors that restricted the fast spread of early malware and those that enhance the fast propagation of recent malware are identified. Moreover, the paper discusses and classifies mobile malware based on privilege escalation and attack goals. Based on the reviewed survey papers, our research presents recommendations in the form of measures to cope with emerging security threats posed by malware and thus decrease threats and malware infection rates. Finally, we identify the need for a critical analysis of mobile malware frameworks to identify their weaknesses and strengths to develop a more robust, accurate, and scalable tool from an Android detection standpoint. The survey results facilitate the understanding of mobile malware evolution and the infection trend. They also help mobile malware analysts to understand the current evasion techniques mobile malware deploys.
27

Fedák, Andrej, and Jozef Štulrajter. "Evasion of Antivirus with the Help of Packers." Science & Military 17, no. 1 (2022): 14–22. http://dx.doi.org/10.52651/sam.a.2022.1.14-22.

Abstract:
Nowadays, almost every malware file comes obfuscated and prepacked preferably with an unknown algorithm. Antivirus programs are taught to deal with these kinds of obstacles with the help of signature databases and heuristic engines. AV systems and their tools are professionally and carefully developed by experts; however, they are not flawless either. They tend to react to any threats that are identified by already-known malicious patterns and bad behaviours. Therefore, malware has to evolve and use new methods to pass these defences. In this paper, the internal components of AV programs and well-known packing techniques are briefly explained while in addition they are tested against each other. This work provides an initial insight into the complex subject of antivirus protection.
28

Dai, Yusheng, Hui Li, Yekui Qian, Yunling Guo, and Min Zheng. "Anticoncept Drift Method for Malware Detector Based on Generative Adversarial Network." Security and Communication Networks 2021 (January 19, 2021): 1–12. http://dx.doi.org/10.1155/2021/6644107.

Abstract:
The number of new malware has been increasing year by year, and the construction of the malware sample space is also changing with time. The existing research studies on malware detection mainly focus on how to improve detection performance and how to effectively detect the evasion malware and improve the detection performance of adversarial samples, while ignoring the concept drift of malware samples over time. The concept drift of the sample will lead to the aging of the detector model, thus resulting in the reduction of the detection accuracy. Concerning this problem, we proposed a malware sample generator based on auxiliary classifier GAN, according to the malware samples generated, to train the detection model. In this paper, the API call sequence is used as a feature to train the improved generative adversarial network, and the trained generator model is used to generate samples that simulate concept drift for the purpose of training detection models. Meanwhile, using the detection results of the detector as the training set again, the generator is used to generate samples, so as to repeatedly train the detection model and improve the anticoncept drift performance of the monitoring model. In this paper, real malware samples and generated samples are used to train the detector model, and malware samples are segmented in a linear time sequence as test sets to verify the effectiveness of the proposed method. The results reveal that the framework can maintain good detection accuracy and effectively mitigate the aging of the detector in a longer time dimension.
29

Thanh, Cong Truong, and Ivan Zelinka. "A Survey on Artificial Intelligence in Malware as Next-Generation Threats." MENDEL 25, no. 2 (December 20, 2019): 27–34. http://dx.doi.org/10.13164/mendel.2019.2.027.

Abstract:
Recent developments in Artificial intelligence (AI) have a vast transformative potential for both cybersecurity defenders and cybercriminals. Anti-malware solutions adopt intelligent techniques to detect and prevent threats to the digital space. In contrast, cybercriminals are aware of the new prospects too and will probably try to use them in their activities. This survey aims at providing an overview of the ways artificial intelligence can be used to power a malicious program, that is: intelligent evasion techniques, autonomous malware, AI against itself, and applying bio-inspired computation and swarm intelligence.
30

Aboaoja, Faitouri A., Anazida Zainal, Fuad A. Ghaleb, Bander Ali Saleh Al-rimy, Taiseer Abdalla Elfadil Eisa, and Asma Abbas Hassan Elnour. "Malware Detection Issues, Challenges, and Future Directions: A Survey." Applied Sciences 12, no. 17 (August 25, 2022): 8482. http://dx.doi.org/10.3390/app12178482.

Abstract:
The evolution of recent malicious software with the rising use of digital services has increased the probability of corrupting data, stealing information, or other cybercrimes by malware attacks. Therefore, malicious software must be detected before it impacts a large number of computers. Recently, many malware detection solutions have been proposed by researchers. However, many challenges limit these solutions to effectively detecting several types of malware, especially zero-day attacks due to obfuscation and evasion techniques, as well as the diversity of malicious behavior caused by the rapid rate of new malware and malware variants being produced every day. Several review papers have explored the issues and challenges of malware detection from various viewpoints. However, there is a lack of a deep review article that associates each analysis and detection approach with the data type. Such an association is imperative for the research community as it helps to determine the suitable mitigation approach. In addition, the current survey articles stopped at a generic detection approach taxonomy. Moreover, some review papers presented the feature extraction methods as static, dynamic, and hybrid based on the utilized analysis approach and neglected the feature representation methods taxonomy, which is considered essential in developing the malware detection model. This survey bridges the gap by providing a comprehensive state-of-the-art review of malware detection model research. This survey introduces a feature representation taxonomy in addition to the deeper taxonomy of malware analysis and detection approaches and links each approach with the most commonly used data types. The feature extraction method is introduced according to the techniques used instead of the analysis approach. The survey ends with a discussion of the challenges and future research directions.
31

Demetrio, Luca, Scott E. Coull, Battista Biggio, Giovanni Lagorio, Alessandro Armando, and Fabio Roli. "Adversarial EXEmples." ACM Transactions on Privacy and Security 24, no. 4 (November 30, 2021): 1–31. http://dx.doi.org/10.1145/3473039.

Abstract:
Recent work has shown that adversarial Windows malware samples—referred to as adversarial EXEmples in this article—can bypass machine learning-based detection relying on static code analysis by perturbing relatively few input bytes. To preserve malicious functionality, previous attacks either add bytes to existing non-functional areas of the file, potentially limiting their effectiveness, or require running computationally demanding validation steps to discard malware variants that do not correctly execute in sandbox environments. In this work, we overcome these limitations by developing a unifying framework that does not only encompass and generalize previous attacks against machine-learning models, but also includes three novel attacks based on practical, functionality-preserving manipulations to the Windows Portable Executable file format. These attacks, named Full DOS, Extend, and Shift, inject the adversarial payload by respectively manipulating the DOS header, extending it, and shifting the content of the first section. Our experimental results show that these attacks outperform existing ones in both white-box and black-box scenarios, achieving a better tradeoff in terms of evasion rate and size of the injected payload, while also enabling evasion of models that have been shown to be robust to previous attacks. To facilitate reproducibility of our findings, we open source our framework and all the corresponding attack implementations as part of the secml-malware Python library. We conclude this work by discussing the limitations of current machine learning-based malware detectors, along with potential mitigation strategies based on embedding domain knowledge coming from subject-matter experts directly into the learning process.
32

Mao, Zhengyang, Zhiyang Fang, Meijin Li, and Yang Fan. "EvadeRL: Evading PDF Malware Classifiers with Deep Reinforcement Learning." Security and Communication Networks 2022 (April 29, 2022): 1–14. http://dx.doi.org/10.1155/2022/7218800.

Abstract:
With the growing popularity of information digitization and the advancement of executable file detection technology, PDF has emerged as an important carrier of malicious documents. Despite the improved efficacy of machine learning-based classifiers in detecting PDF malware, adversaries have proposed a variety of countermeasures to evade detection, such as generating adversarial examples. In contrast to other peer works attempting to expose the vulnerability of learning-based detection models, this work addresses the deficiencies of existing research by pointing out that the stochastic manipulations they applied may be highly computationally demanding. This work proposed EvadeRL, a general framework for automatically generating adversarial examples based on double deep Q-Network. The details of EvadeRL are briefly described as follows. First, the EvadeRL agent chooses a series of actions to modify the given PDF files and uses the classification results, as well as observations returning from the environment, to calculate the approximate value of each action. Second, through the interaction of the agent and the environment, the experiences gained are stored to train the decision network. Finally, the agent can generate adversarial examples against the target detector by taking the optimal behaviors after training. This study also contributes to the sustainability of evasion attacks by online fine-tuning; to the best of our current knowledge, this is the first study in the field that focuses on evolving malware. The experiments reveal that EvadeRL obtains a high evasion rate against PDF malware detectors and outperforms other approaches in terms of execution cost, robustness against hardened detectors, and sustainability against evolving malware and detectors.
33

Alhaidari, Fahd, Nouran Abu Shaib, Maram Alsafi, Haneen Alharbi, Majd Alawami, Reem Aljindan, Atta-ur Rahman, and Rachid Zagrouba. "ZeVigilante: Detecting Zero-Day Malware Using Machine Learning and Sandboxing Analysis Techniques." Computational Intelligence and Neuroscience 2022 (May 9, 2022): 1–15. http://dx.doi.org/10.1155/2022/1615528.

Abstract:
For the enormous growth and the hysterical impact of undocumented malicious software, otherwise known as Zero-Day malware, specialized practices were joined to implement systems capable of detecting these kinds of software to avert possible disastrous consequences. Owing to the nature of developed Zero-Day malware, distinct evasion tactics are used to remain stealth. Hence, there is a need for advance investigations of the methods that can identify such kind of malware. Machine learning (ML) is among the promising techniques for such type of predictions, while the sandbox provides a safe environment for such experiments. After thorough literature review, carefully chosen ML techniques are proposed for the malware detection, under Cuckoo sandboxing (CS) environment. The proposed system is coined as Zero-Day Vigilante (ZeVigilante) to detect the malware considering both static and dynamic analyses. We used adequate datasets for both analyses incorporating sufficient samples in contrast to other studies. Consequently, the processed datasets are used to train and test several ML classifiers including Random Forest (RF), Neural Networks (NN), Decision Tree (DT), k-Nearest Neighbor (kNN), Naïve Bayes (NB), and Support Vector Machine (SVM). It is observed that RF achieved the best accuracy for both static and dynamic analyses, 98.21% and 98.92%, respectively.
34

Nawaz, Umair, Muhammad Aleem, and Jerry Chun-Wei Lin. "On the evaluation of android malware detectors against code-obfuscation techniques." PeerJ Computer Science 8 (June 21, 2022): e1002. http://dx.doi.org/10.7717/peerj-cs.1002.

Abstract:
The Android mobile platform is the most popular and dominates the cell phone market. With the increasing use of Android, malware developers have become active in circumventing security measures by using various obfuscation techniques. The obfuscation techniques are used to hide the malicious code in the Android applications to evade detection by anti-malware tools. Some attackers use the obfuscation techniques in isolation, while some attackers use a mixed approach (i.e., employing multiple obfuscation techniques simultaneously). Therefore, it is crucial to analyze the impact of the different obfuscation techniques, both when they are used in isolation and when they are combined as hybrid techniques. Several studies have suggested that the obfuscation techniques may be more effective when used in a mixed pattern. However, in most of the related works, the obfuscation techniques used for analysis are either based on individual or a combination of primitive obfuscation techniques. In this work, we provide a comprehensive evaluation of anti-malware tools to gauge the impact of complex hybrid code-obfuscation techniques on the malware detection capabilities of the prominent anti-malware tools. The evaluation results show that the inter-category-wise hybridized code obfuscation results in more evasion as compared to the individual or simple hybridized code obfuscations (using multiple and similar code obfuscations) which most of the existing related work employed for the evaluation. Obfuscation techniques significantly impact the detection rate of any anti-malware tool. The remarkable result, i.e., an almost 100% best detection rate, is observed for seven out of 10 tools when analyzed using the individual obfuscation techniques, four out of 10 tools on category-wise obfuscation, and not a single anti-malware tool attained full detection (i.e., 100%) for inter-category obfuscations.
35

Li, Deqiang, and Qianmu Li. "Adversarial Deep Ensemble: Evasion Attacks and Defenses for Malware Detection." IEEE Transactions on Information Forensics and Security 15 (2020): 3886–900. http://dx.doi.org/10.1109/tifs.2020.3003571.

36

Wang, Fangwei, Yuanyuan Lu, Changguang Wang, and Qingru Li. "Binary Black-Box Adversarial Attacks with Evolutionary Learning against IoT Malware Detection." Wireless Communications and Mobile Computing 2021 (August 30, 2021): 1–9. http://dx.doi.org/10.1155/2021/8736946.

Abstract:
5G is about to open Pandora’s box of security threats to the Internet of Things (IoT). Key technologies, such as network function virtualization and edge computing introduced by the 5G network, bring new security threats and risks to the Internet infrastructure. Therefore, higher detection and defense against malware are required. Nowadays, deep learning (DL) is widely used in malware detection. Recently, research has demonstrated that adversarial attacks have posed a hazard to DL-based models. The key issue of enhancing the antiattack performance of malware detection systems that are used to detect adversarial attacks is to generate effective adversarial samples. However, numerous existing methods to generate adversarial samples are manual feature extraction or using white-box models, which makes it not applicable in the actual scenarios. This paper presents an effective binary manipulation-based attack framework, which generates adversarial samples with an evolutionary learning algorithm. The framework chooses some appropriate action sequences to modify malicious samples. Thus, the modified malware can successfully circumvent the detection system. The evolutionary algorithm can adaptively simplify the modification actions and make the adversarial sample more targeted. Our approach can efficiently generate adversarial samples without human intervention. The generated adversarial samples can effectively combat DL-based malware detection models while preserving the consistency of the executable and malicious behavior of the original malware samples. We apply the generated adversarial samples to attack the detection engines of VirusTotal. Experimental results illustrate that the adversarial samples generated by our method reach an evasion success rate of 47.8%, which outperforms other attack methods. By adding adversarial samples in the training process, the MalConv network is retrained. We show that the detection accuracy is improved by 10.3%.
37

Li, Deqiang, Qianmu Li, Yanfang (Fanny) Ye, and Shouhuai Xu. "Arms Race in Adversarial Malware Detection: A Survey." ACM Computing Surveys 55, no. 1 (January 31, 2023): 1–35. http://dx.doi.org/10.1145/3484491.

Abstract:
Malicious software (malware) is a major cyber threat that has to be tackled with Machine Learning (ML) techniques because millions of new malware examples are injected into cyberspace on a daily basis. However, ML is vulnerable to attacks known as adversarial examples. In this article, we survey and systematize the field of Adversarial Malware Detection (AMD) through the lens of a unified conceptual framework of assumptions, attacks, defenses, and security properties. This not only leads us to map attacks and defenses to partial order structures, but also allows us to clearly describe the attack-defense arms race in the AMD context. We draw a number of insights, including: knowing the defender’s feature set is critical to the success of transfer attacks; the effectiveness of practical evasion attacks largely depends on the attacker’s freedom in conducting manipulations in the problem space; knowing the attacker’s manipulation set is critical to the defender’s success; and the effectiveness of adversarial training depends on the defender’s capability in identifying the most powerful attack. We also discuss a number of future research directions.
38

Moussaileb, Routa, Nora Cuppens, Jean-Louis Lanet, and Hélène Le Bouder. "A Survey on Windows-based Ransomware Taxonomy and Detection Mechanisms." ACM Computing Surveys 54, no. 6 (July 2021): 1–36. http://dx.doi.org/10.1145/3453153.

Abstract:
Ransomware remains an alarming threat in the 21st century. It has evolved from being a simple scare tactic into a complex malware capable of evasion. Formerly, end-users were targeted via mass infection campaigns. Nevertheless, in recent years, the attackers have focused on targeted attacks, since the latter are profitable and can induce severe damage. A vast number of detection mechanisms have been proposed in the literature. We provide a systematic review of ransomware countermeasures starting from its deployment on the victim machine until the ransom payment via cryptocurrency. We define four stages of this malware attack: Delivery, Deployment, Destruction, and Dealing. Then, we assign the corresponding countermeasures for each phase of the attack and cluster them by the techniques used. Finally, we propose a roadmap for researchers to fill the gaps found in the literature in ransomware’s battle.
39

Li, Qing, Chris Larsen, and Tim van der Horst. "IPv6: A Catalyst and Evasion Tool for Botnets and Malware Delivery Networks." Computer 46, no. 5 (May 2013): 76–82. http://dx.doi.org/10.1109/mc.2012.296.

40

Pham, Duy-Phuc, Duc-Ly Vu, and Fabio Massacci. "Mac-A-Mal: macOS malware analysis framework resistant to anti evasion techniques." Journal of Computer Virology and Hacking Techniques 15, no. 4 (June 20, 2019): 249–57. http://dx.doi.org/10.1007/s11416-019-00335-w.

41

Sadek, Ibrahim, Penny Chong, Shafiq Ul Rehman, Yuval Elovici, and Alexander Binder. "Memory snapshot dataset of a compromised host with malware using obfuscation evasion techniques." Data in Brief 26 (October 2019): 104437. http://dx.doi.org/10.1016/j.dib.2019.104437.

42

Menéndez, Héctor D., David Clark, and Earl T. Barr. "Getting Ahead of the Arms Race: Hothousing the Coevolution of VirusTotal with a Packer." Entropy 23, no. 4 (March 26, 2021): 395. http://dx.doi.org/10.3390/e23040395.

Abstract:
Malware detection is in a coevolutionary arms race where the attackers and defenders are constantly seeking advantage. This arms race is asymmetric: detection is harder and more expensive than evasion. White hats must be conservative to avoid false positives when searching for malicious behaviour. We seek to redress this imbalance. Most of the time, black hats need only make incremental changes to evade them. On occasion, white hats make a disruptive move and find a new technique that forces black hats to work harder. Examples include system calls, signatures and machine learning. We present a method, called Hothouse, that combines simulation and search to accelerate the white hat’s ability to counter the black hat’s incremental moves, thereby forcing black hats to perform disruptive moves more often. To realise Hothouse, we evolve EEE, an entropy-based polymorphic packer for Windows executables. Playing the role of a black hat, EEE uses evolutionary computation to disrupt the creation of malware signatures. We enter EEE into the detection arms race with VirusTotal, the most prominent cloud service for running anti-virus tools on software. During our 6 month study, we continually improved EEE in response to VirusTotal, eventually learning a packer that produces packed malware whose evasiveness goes from an initial 51.8% median to 19.6%. We report both how well VirusTotal learns to detect EEE-packed binaries and how well VirusTotal forgets in order to reduce false positives. VirusTotal’s tools learn and forget fast, actually in about 3 days. We also show where VirusTotal focuses its detection efforts, by analysing EEE’s variants.
43

Noor, Muzzamil, Haider Abbas, and Waleed Bin Shahid. "Countering cyber threats for industrial applications: An automated approach for malware evasion detection and analysis." Journal of Network and Computer Applications 103 (February 2018): 249–61. http://dx.doi.org/10.1016/j.jnca.2017.10.004.

44

Song, Chongya, Alexander Pons, and Kang Yen. "AA-HMM: An Anti-Adversarial Hidden Markov Model for Network-Based Intrusion Detection." Applied Sciences 8, no. 12 (November 28, 2018): 2421. http://dx.doi.org/10.3390/app8122421.

Abstract:
In the field of network intrusion, malware usually evades anomaly detection by disguising malicious behavior as legitimate access. Therefore, detecting these attacks from network traffic has become a challenge in this adversarial setting. In this paper, an enhanced Hidden Markov Model, called the Anti-Adversarial Hidden Markov Model (AA-HMM), is proposed to effectively detect evasion patterns, using the Dynamic Window and Threshold techniques to achieve adaptive, anti-adversarial, and online-learning abilities. In addition, a concept called Pattern Entropy is defined and acts as the foundation of AA-HMM. We evaluate the effectiveness of our approach employing two well-known benchmark data sets, NSL-KDD and CTU-13, in terms of the common performance metrics and the algorithm’s adaptation and anti-adversary abilities.
45

Hajaj, Chen, Nitay Hason, and Amit Dvir. "Less Is More: Robust and Novel Features for Malicious Domain Detection." Electronics 11, no. 6 (March 21, 2022): 969. http://dx.doi.org/10.3390/electronics11060969.

Abstract:
Malicious domains are increasingly common and pose a severe cybersecurity threat. Specifically, many types of current cyber attacks use URLs for attack communications (e.g., C&C, phishing, and spear-phishing). Despite the continuous progress in detecting cyber attacks, there are still critical weak spots in the structure of defense mechanisms. Since machine learning has become one of the most prominent malware detection methods, a robust feature selection mechanism is proposed that results in malicious domain detection models that are resistant to evasion attacks. This mechanism exhibits a high performance based on empirical data. This paper makes two main contributions: First, it provides an analysis of robust feature selection based on widely used features in the literature. Note that even though the feature set dimensional space is cut by half, the performance of the classifier is still improved (an increase in the model’s F1-score from 92.92% to 95.81%). Second, it introduces novel features that are robust with regard to the adversary’s manipulation. Based on an extensive evaluation of the different feature sets and commonly used classification models, this paper shows that models based on robust features are resistant to malicious perturbations and concurrently are helpful in classifying non-manipulated data.
46

Afzal, Shehroz, and Jamil Asim. "Systematic Literature Review over IDPS, Classification and Application in its Different Areas." STATISTICS, COMPUTING AND INTERDISCIPLINARY RESEARCH 3, no. 2 (December 31, 2021): 189–223. http://dx.doi.org/10.52700/scir.v3i2.58.

Abstract:
Cyber-attacks are becoming more sophisticated and thereby presenting increasing challenges in accurately detecting intrusions. Failure to prevent the intrusions could degrade the credibility of security services, e.g. data confidentiality, integrity, and availability. Numerous intrusion detection methods have been proposed in the literature to tackle computer security threats, which can be broadly classified into Signature-based Intrusion Detection Systems (SIDS) and Anomaly-based Intrusion Detection Systems (AIDS). Network security is vital for any organization connected to the Internet. Rock solid network security is a major challenge that can be overcome by strengthening the network against threats such as hackers, malware, botnets, data thieves, etc. Firewalls, antivirus, and intrusion detection systems are used to protect the network. The firewall can control network traffic, but reliance on this type of security alone is not enough. Attackers use open ports such as port 80 of the web server (http) and port 110 of the POP server to infiltrate networks. The Intrusion Detection System (IDS) minimizes security breaches and improves network security by scanning network packets to filter out malicious packets. Real-time detection with prevention using Intrusion Detection and Prevention Systems (IDPS) has elevated network security to an advanced level by strengthening the network against malicious activities. This survey paper focuses on classifying various kinds of IDS with the major types of attacks based on intrusion methods. It presents a classification of network anomaly IDS evaluation metrics and a discussion on the importance of feature selection. It evaluates available IDS datasets, discussing the challenges of evasion techniques.
48

Dos Santos Fh, Ailton, Ricardo J. Rodríguez, and Eduardo L. Feitosa. "Evasion and Countermeasures Techniques to Detect Dynamic Binary Instrumentation Frameworks." Digital Threats: Research and Practice, August 13, 2021. http://dx.doi.org/10.1145/3480463.

Full text of the source
Styles: APA, Harvard, Vancouver, ISO, etc.
Abstract:
Dynamic Binary Instrumentation (DBI) is a dynamic analysis technique that allows arbitrary code to be executed while a program is running. DBI frameworks have started to be used to analyze malicious applications. As a result, different approaches have emerged to detect and avoid them. Pieces of malicious software that incorporate snippets of code to detect when they are under analysis by a DBI framework, and then mimic benign behavior, are commonly referred to as split-personality malware or evasive malware. Recent studies have questioned the use of DBI in malware analysis, arguing that it increases the attack surface. In this paper, we examine the anti-instrumentation techniques that abuse desktop-based DBI frameworks and the existing countermeasures, to determine whether it is possible to reduce the exploitable attack surface introduced by these DBI frameworks. In particular, we review the related literature to identify (i) the existing set of DBI framework evasion techniques and (ii) the existing set of countermeasures against them. We also analyze and compare the taxonomies introduced in the literature, and propose a new taxonomy that expands and completes previous taxonomies. Finally, we note some relevant open issues and outline directions for future research on the use of DBI frameworks for security purposes.
49

"Evasion Attack on Text Classified Training Datasets." International Journal of Engineering and Advanced Technology 8, no. 6S (September 6, 2019): 45–50. http://dx.doi.org/10.35940/ijeat.f1009.0886s19.

Full text of the source
Styles: APA, Harvard, Vancouver, ISO, etc.
Abstract:
Machine learning algorithms are widely used in real-world training data classification and malware detection. Learning algorithms that detect malware can be evaded through adversarially manipulated training datasets. The evasion attacker has some knowledge of the training datasets, either internally, in a deployment-time attack, or externally, in an attack based on adversarial knowledge. Evasion attacks target the document property features of malware. This paper presents an evasion attack on collected text documents using keyword extraction and finding mean words with Naive Bayes models. It also analyses the classification performance of different machine learning algorithms on evasion-attacked training datasets and discusses defense methods to protect training datasets from evasion attacks.
50

Nappa, Antonio, Aaron Úbeda-Portugués, Panagiotis Papadopoulos, Matteo Varvello, Juan Tapiador, and Andrea Lanzi. "Scramblesuit: An effective timing side-channels framework for malware sandbox evasion." Journal of Computer Security, August 18, 2022, 1–26. http://dx.doi.org/10.3233/jcs-220005.

Full text of the source
Styles: APA, Harvard, Vancouver, ISO, etc.
Abstract:
Online malware scanners are one of the best weapons in the arsenal of cybersecurity companies and researchers. A fundamental part of such systems is the sandbox, which provides an instrumented and isolated environment (virtualized or emulated) for any user to upload and run unknown artifacts and identify potentially malicious behaviors. The provided API and the wealth of information in the reports produced by these services have also helped attackers test the efficacy of numerous techniques for making malware hard to detect. The most common technique used by malware for evading the analysis system is to monitor the execution environment, detect the presence of any debugging artifacts, and hide its malicious behavior if needed. This is usually achieved by looking for signals suggesting that the execution environment does not belong to a native machine, such as specific memory patterns or behavioral traits of certain CPU instructions. In this paper, we show how an attacker can evade detection on such analysis services by incorporating a Proof-of-Work (PoW) algorithm into a malware sample. Specifically, we leverage the asymptotic behavior of the computational cost of PoW algorithms when they run on some classes of hardware platforms to effectively detect the non-bare-metal environment of the malware sandbox analyzer. To prove the validity of this intuition, we design and implement Scramblesuit, a framework to automatically (i) implement sandbox detection strategies, and (ii) embed a test evasion program into an arbitrary malware sample. We perform a comprehensive evaluation of Scramblesuit across a wide range of: 1) COTS architectures (ARM, Apple M1, i9, i7 and Xeon), 2) malware families, and 3) online sandboxes (JoeSandbox, Sysinternals, C2AE, Zenbox, Dr.Web VX Cube, Tencent HABO, YOMI Hunter). Our empirical evaluation shows that a PoW-based evasion technique is hard to fingerprint, and reduces the existing malware detection rate by a factor of 10. The only plausible countermeasure to Scramblesuit is to rely on bare-metal online malware scanners, which is unrealistic given that they currently handle millions of daily submissions.

To the bibliography