First Line Defense Against Spreading New Malware in the Network

Mutable malware, including metamorphic malware, evades detection by mutating and altering its code structure in each infection. To provide a first line of defense against such malware, this paper proposes a strategy that detects malware content at the network level, so that systems connected to the network are protected before they are infected. The detection strategy combines machine learning classification with malware sub-signatures, which allows mutated malware to be detected from the packet payload. To detect previously unseen or mutated malware, the frequency distribution of informative n-gram malware features that are inherited across mutations is extracted, and these features are then classified with a Support Vector Machine (SVM). The proposed technique was tested and verified at the packet level and the flow level using the DARPA dataset and a metamorphic malware dataset. Experimental results show that it detected and dropped more than 97% of malware packets, including metamorphic malware packets, at the network level with a low false positive rate (FPR) of around 3×10^-3.
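The pipeline the abstract describes, byte n-gram frequency features selected for informativeness, an SVM classifier, and an exact sub-signature check in front of it, as an added worked example in pure Python. This is not the paper's code or data: the "metamorphic family" of payloads, the HTTP samples, the sub-signature and the training hyper-parameters are all constructed here for illustration.

```python
from collections import Counter
def ngram_counts(payload: bytes, n: int = 2) -> Counter:
    """Count every overlapping n-byte sequence in a packet payload."""
    return Counter(payload[i:i + n] for i in range(len(payload) - n + 1))
def select_informative(mal, ben, n=2, k=16):
    """Rank n-grams by (share of malware samples containing them) minus (share of
    benign samples); keep the k most malware- and the k most benign-indicative."""
    sm, sb = [set(ngram_counts(p, n)) for p in mal], [set(ngram_counts(p, n)) for p in ben]
    score = {g: sum(g in s for s in sm) / len(sm) - sum(g in s for s in sb) / len(sb)
             for g in set().union(*sm, *sb)}
    ranked = sorted(score, key=lambda g: (score[g], g))  # ascending; ties by bytes
    return ranked[-k:] + ranked[:k]
def vectorize(payload, vocab, n=2):
    """Frequency distribution over the chosen n-grams, L2-normalised (length-neutral)."""
    c = ngram_counts(payload, n)
    v = [c[g] for g in vocab]
    return [x / (sum(t * t for t in v) ** 0.5 or 1.0) for x in v]
def train_svm(X, y, lr=0.1, lam=1e-3, epochs=200):
    """Linear SVM fitted by hinge-loss SGD: deterministic, no external libraries."""
    w, b = [0.0] * len(X[0]), 0.0
    for _ in range(epochs):
        for x, t in zip(X, y):
            margin = t * (sum(wi * xi for wi, xi in zip(w, x)) + b)
            w = [wi * (1 - lr * lam) for wi in w]         # regulariser shrink
            if margin < 1:                                 # hinge loss active
                w = [wi + lr * t * xi for wi, xi in zip(w, x)]
                b += lr * t
    return w, b

# Constructed "metamorphic family" (not real malware): two core byte blocks every variant
# inherits amid per-variant filler/order; mutate=True also rewrites the start of CORE_B
# so the exact sub-signature below misses and only the n-gram SVM can catch the payload.
CORE_A, CORE_B = bytes(range(0xD0, 0xE8)), bytes(range(0x80, 0x98))
SUB_SIGNATURES = [CORE_B[:6]]   # exact fragment "known" from an earlier sample (constructed)
def variant(seed: int, mutate: bool = False) -> bytes:
    fill = bytes((seed * 37 + 11 * i) & 0xFF for i in range(16))
    blk = CORE_B[6:] + bytes(x ^ 0x0F for x in CORE_B[:6]) if mutate else CORE_B
    return fill + CORE_A + fill[::-1] + blk if seed % 2 else blk + fill + CORE_A
MALWARE = [variant(s) for s in range(1, 7)]
BENIGN = [b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
          b"GET /logo.png HTTP/1.1\r\nHost: static.example.com\r\nAccept: image/png\r\n\r\n",
          b"POST /api/items HTTP/1.1\r\nHost: api.example.net\r\nContent-Length: 4\r\n\r\nid=7",
          b"GET /search?q=ngram HTTP/1.1\r\nHost: www.example.org\r\nUser-Agent: curl/8.0\r\n\r\n"]
VOCAB = select_informative(MALWARE, BENIGN)
MODEL = train_svm([vectorize(p, VOCAB) for p in MALWARE + BENIGN], [1] * 6 + [-1] * 4)
def detect(payload: bytes) -> tuple:
    """Cheap exact sub-signature match first; the SVM handles mutated content."""
    if any(sig in payload for sig in SUB_SIGNATURES):
        return ("malware", "sub-signature")
    score = sum(wi * xi for wi, xi in zip(MODEL[0], vectorize(payload, VOCAB))) + MODEL[1]
    return ("malware" if score > 0 else "benign", "svm")
```

A mutated variant that defeats the exact fragment still carries the inherited CORE_A n-grams, which is exactly the case the classifier is there to cover.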
