
  • Article (No Access)

    Using Hybrid Transformer and Convolutional Neural Network for Malware Detection in Internet of Things

    Malicious firmware upgrading represents a critical security vulnerability in Internet of Things (IoT) devices. This study introduces HyCNNAt, a novel hybrid deep learning network for IoT malware detection that synergistically combines Convolutional Neural Networks (CNNs) with transformer attention mechanisms. HyCNNAt’s architecture vertically and horizontally stacks convolution and attention layers, enhancing the network’s generalization capabilities, capacity, and overall effectiveness. We evaluated HyCNNAt using a publicly available IoT firmware dataset, where it demonstrated superior performance with the highest accuracy (97.11%±1.02%), F1-score (99.992%±0.004%), and recall (97.48%±2.6556%), highlighting its robust classification capabilities, although its precision (91.27%±45.08%) exhibited variability compared to state-of-the-art models such as CoAtNet, MobileViT, MobileNet, and MobileNet variants using transfer learning. These results underscore HyCNNAt’s potential as a robust solution for addressing the pressing challenge of IoT malware detection.

  • Article (No Access)

    An Ensemble Cost-Sensitive One-Class Learning Framework for Malware Detection

    Machine learning is among the most popular methods for designing detection algorithms for unknown and variant malware. However, most existing methods use a single type of feature to build binary classifiers. In practice, these methods have limited ability to depict malware characteristics, and binary classification suffers from inadequate sampling of benign samples and extremely imbalanced training samples when detecting malware. In this paper, we present a malware detection Framework based on ENsemble One-Class Learning, namely FENOC. It uses hybrid features at different semantic layers to ensure a comprehensive insight into the program to be analyzed. We construct the malware detector with a novel learning algorithm called Cost-sensitive Twin One-class Classifier (CosTOC), which uses a pair of one-class classifiers to describe malware and benign programs respectively. CosTOC is more flexible and robust than conventional binary classifiers when training samples are extremely imbalanced or benign programs are inadequately sampled. Finally, a random subspace method and a clustering-based ensemble method are developed to enhance the generalization ability of CosTOC. Experimental results show that FENOC gives a comparable detection rate and a lower false positive rate than many other binary classification algorithms, especially when the detector is trained with imbalanced data or evaluated in terms of false positive rate.

  • Article (Free Access)

    Intelligent Hyperparameter-Tuned Deep Learning-Based Android Malware Detection and Classification Model

    Recently, Android applications have been playing a vital part in everyday life, as several services are offered via mobile applications. Due to its market dominance, Android is more at risk from malicious software, and this threat is growing. The exponential growth of malicious Android apps has made it essential to develop cutting-edge methods for identifying them. Despite the prevalence of a number of security-based approaches in the research, feature selection (FS) methods for Android malware detection still have to be developed. In this research, we provide a method for distinguishing malicious Android apps from legitimate ones using an intelligent hyperparameter-tuned deep learning-based malware detection (IHPT-DLMD). Feature extraction and preliminary data processing are the main functions of the IHPT-DLMD method. The proposed IHPT-DLMD technique initially aims to determine the significant permissions and API calls using the binary coyote optimization algorithm (BCOA)-based FS technique, which helps to remove unnecessary features. Besides, a bidirectional long short-term memory (Bi-LSTM) model is employed for the detection and classification of Android malware. Finally, the glowworm swarm optimization (GSO) algorithm is applied to optimize the hyperparameters of the Bi-LSTM model to produce effective outcomes for Android application classification. The IHPT-DLMD method is checked for quality using a benchmark dataset and evaluated in several ways. The test data demonstrated overall higher performance of the IHPT-DLMD methodology in comparison to the most contemporary methods currently in use.

  • Article (No Access)

    An Android Malware Detection Method Using Multi-Feature and MobileNet

    Most existing static-analysis-based detection methods adopt one or a few types of typical static features to avoid the problem of dimensionality and computational resource consumption. To further improve detection accuracy with reasonable resource consumption, in this paper a new Android malware detection model based on multiple features, with a feature selection method and a feature vectorization method, is proposed. The feature selection method for each type of feature reduces the dimensionality of the feature set. A weight-based feature vectorization method for API calls, intents and permissions is designed to construct the feature vector. A co-occurrence matrix-based vectorization method is proposed to vectorize the opcode sequence. To demonstrate the effectiveness of our method, we conducted comprehensive experiments with a total of 30,000 samples. Experimental results show that our method outperforms state-of-the-art methods.

  • Article (No Access)

    Detecting Domain-Flux Malware Using DNS Failure Traffic

    Domain-Flux malware is hard to detect because its C&C (Command and Control) domains are randomly generated by a domain generation algorithm (DGA). In this paper, we propose a Domain-Flux malware detection approach based on DNS failure traffic. The approach fully leverages the behavior of DNS failure traffic to recognize nine features, and then mines the DGA-generated domains with a clustering algorithm and determinable rules. Theoretical analysis and experimental results verify its efficiency on both a test dataset and a real-world dataset. On the test dataset, our approach achieves a true positive rate of 99.82% at a false positive rate of 0.39%. On the real-world dataset, the approach also achieves a relatively high precision of 98.3% and finds 197,026 DGA domains by analyzing DNS traffic in a campus network for seven days. We found 1213 hosts infected with Domain-Flux malware on the campus network, including the known Conficker and Fosniw, and several new Domain-Flux malware families that have never been reported before. We classified the 197,026 DGA domains and give the representative generation patterns for a better understanding of the Domain-Flux mechanism.
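As an added illustration of the DNS-failure-traffic idea (example code written for this listing, not the paper's implementation): the script below parses a few constructed resolver log lines, keeps only NXDOMAIN answers, applies two of the lexical features such approaches use (second-level label entropy and vowel ratio) as a determinable rule, and reports clients whose failed lookups look generated, together with a coarse character-class pattern of each label for grouping domains by generator. The log format, the thresholds and the `min_failures` cut-off are assumptions.

```python
"""Added example (not the paper's code): flag hosts whose failed DNS lookups
look like DGA output. Log format and thresholds are assumptions."""
import math
from collections import Counter, defaultdict

# Constructed resolver log: "<unix_ts> <client_ip> <qname> <rcode>" (hypothetical format).
SAMPLE_LOG = """\
1700000001 10.0.0.5 www.example.com NOERROR
1700000002 10.0.0.5 mail.example.com NOERROR
1700000003 10.0.0.9 qx7dk2lmv9a.com NXDOMAIN
1700000003 10.0.0.9 ab3jdk3ls8rq.net NXDOMAIN
1700000004 10.0.0.9 zmpq9rw2kd.org NXDOMAIN
1700000004 10.0.0.9 k2j8lxa0dn5h.com NXDOMAIN
1700000005 10.0.0.9 pw6tnv3bq1.biz NXDOMAIN
1700000005 10.0.0.9 lr9d2xzm7ca.info NXDOMAIN
1700000006 10.0.0.7 typo.exmaple.com NXDOMAIN
1700000007 10.0.0.7 www.example.com NOERROR
"""

def parse_log(text):
    """Yield (ts, client, qname, rcode) tuples; blank lines are skipped."""
    for line in text.splitlines():
        if line.strip():
            ts, client, qname, rcode = line.split()
            yield int(ts), client, qname.lower().rstrip("."), rcode

def second_level_label(qname):
    """'qx7dk2lmv9a' for 'qx7dk2lmv9a.com'; DGAs usually randomise this label."""
    labels = qname.split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]

def shannon_entropy(s):
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def label_features(label):
    """Three of the lexical features typically used: length, entropy, vowel ratio."""
    return {
        "length": len(label),
        "entropy": shannon_entropy(label),
        "vowel_ratio": sum(ch in "aeiou" for ch in label) / len(label),
    }

def looks_generated(label, min_entropy=3.0, max_vowel_ratio=0.2):
    """Determinable rule (thresholds are assumptions): high entropy, few vowels.
    A human typo such as 'exmaple' fails both tests; 'qx7dk2lmv9a' passes both."""
    f = label_features(label)
    return f["entropy"] >= min_entropy and f["vowel_ratio"] <= max_vowel_ratio

def suspicious_hosts(records, min_failures=5):
    """Group NXDOMAIN answers per client and keep clients with at least
    `min_failures` distinct generated-looking names. Returns {client: [qname, ...]}."""
    failures = defaultdict(list)
    for _, client, qname, rcode in records:
        if rcode == "NXDOMAIN" and looks_generated(second_level_label(qname)):
            failures[client].append(qname)
    return {c: q for c, q in failures.items() if len(set(q)) >= min_failures}

def generation_pattern(label):
    """Coarse template of a label, e.g. 'qx7dk2lmv9a' -> 'aa9aa9aaa9a', used to
    group DGA domains that appear to share a generator."""
    return "".join("9" if ch.isdigit() else "a" for ch in label)

if __name__ == "__main__":
    hosts = suspicious_hosts(parse_log(SAMPLE_LOG))
    for client, qnames in hosts.items():
        patterns = Counter(generation_pattern(second_level_label(q)) for q in qnames)
        print(client, len(qnames), "failed DGA-like lookups; patterns:", dict(patterns))
```

On the constructed log only 10.0.0.9 is reported: its six failed lookups all have high-entropy, vowel-poor labels, while 10.0.0.7's single NXDOMAIN for a typo of a real domain fails both tests. In production the per-client count would be taken over a time window and the thresholds tuned against the false-positive rate the paper reports.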

  • Article (No Access)

    Permission-Based Malware Detection System for Android Using Machine Learning Techniques

    Mobile applications create their own security and privacy models through permission-based models. Some applications may request extra permissions that they do not need but may use for suspicious activities. The aim of this study is to identify those spare permissions and use this information in a security and privacy approach that combines static and code analysis and applies them to existing datasets; the results are then compared and the accuracy level is determined. Classification is made with an accuracy rate of 91.95%.

  • Article (No Access)

    AppPerm Analyzer: Malware Detection System Based on Android Permissions and Permission Groups

    Besides applications aimed at increasing the efficiency of Android mobile devices, many malicious applications (millions of Android malware samples, according to various security company reports) are being developed and uploaded to application stores. To detect those applications, a malicious Android application detection system based on permissions and permission groups, namely AppPerm Analyzer, has been developed. The AppPerm Analyzer software extracts the manifest and code permissions of the analyzed applications, creates duple and triple permission groups from them, calculates risk scores for these permissions and permission groups according to their usage rates in malicious and benign applications, and calculates the total risk score of the analyzed application. After training the software with 7776 applications in total, it is tested with 1664 benign and 1664 malicious applications. In the tests, AppPerm Analyzer detected malicious applications with an accuracy of 96.19% at most. At this point, sensitivity (true-positive rate) is 95.50% and specificity (true-negative rate) is 96.88%. If a false-positive rate of up to 10% is accepted, the sensitivity increases to 99.04%.
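The permission risk scoring described in the two permission-based abstracts above, as an added example that is not AppPerm Analyzer's own code: the risk of a single permission, duple or triple is taken as its usage rate in malicious apps minus its usage rate in benign apps (an assumed formula; the abstract does not state its scoring function), and an app's total risk is the sum over the groups it requests. The training sets and the zero decision threshold are constructed.

```python
"""Added example (not AppPerm Analyzer's code): risk-score single permissions and
2-/3-permission groups by their usage rates in labelled apps, then score an app.
The training sets are constructed; the score formula is an assumption."""
from collections import Counter
from itertools import combinations

# Constructed training data: permission sets from a handful of labelled APKs.
BENIGN = [
    {"INTERNET", "ACCESS_NETWORK_STATE"},
    {"INTERNET", "CAMERA", "WRITE_EXTERNAL_STORAGE"},
    {"INTERNET", "ACCESS_FINE_LOCATION"},
    {"INTERNET", "VIBRATE"},
    {"INTERNET", "READ_CONTACTS"},
]
MALICIOUS = [
    {"INTERNET", "SEND_SMS", "READ_SMS", "RECEIVE_BOOT_COMPLETED"},
    {"INTERNET", "SEND_SMS", "READ_PHONE_STATE", "RECEIVE_BOOT_COMPLETED"},
    {"SEND_SMS", "READ_SMS", "READ_CONTACTS", "READ_PHONE_STATE"},
    {"INTERNET", "READ_PHONE_STATE", "RECEIVE_BOOT_COMPLETED", "SEND_SMS"},
    {"INTERNET", "READ_SMS", "RECEIVE_SMS", "READ_PHONE_STATE"},
]

def permission_groups(perms, max_size=3):
    """All singles, duples and triples of an app's permissions, as sorted tuples
    so that ('READ_SMS', 'SEND_SMS') is the same key regardless of order."""
    ordered = sorted(perms)
    return [g for k in range(1, max_size + 1) for g in combinations(ordered, k)]

def usage_rates(apps, max_size=3):
    """Fraction of apps in which each permission group occurs."""
    counts = Counter()
    for perms in apps:
        counts.update(permission_groups(perms, max_size))
    return {g: c / len(apps) for g, c in counts.items()}

def risk_scores(benign, malicious, max_size=3):
    """Risk of a group = usage rate in malware minus usage rate in benign apps
    (assumed formula); positive means 'more typical of malware'."""
    ben, mal = usage_rates(benign, max_size), usage_rates(malicious, max_size)
    return {g: mal.get(g, 0.0) - ben.get(g, 0.0) for g in set(ben) | set(mal)}

def app_risk(perms, scores, max_size=3):
    """Total risk: sum of the scores of every group the app exposes. Groups never
    seen in training contribute 0."""
    return sum(scores.get(g, 0.0) for g in permission_groups(perms, max_size))

def classify(perms, scores, threshold=0.0):
    """Label an app; the threshold would be tuned on a validation set in practice."""
    return "malicious" if app_risk(perms, scores) > threshold else "benign"

if __name__ == "__main__":
    scores = risk_scores(BENIGN, MALICIOUS)
    for app in ({"INTERNET", "SEND_SMS", "READ_PHONE_STATE"},
                {"INTERNET", "ACCESS_NETWORK_STATE"}):
        print(sorted(app), round(app_risk(app, scores), 3), classify(app, scores))
```

Note how a ubiquitous permission such as INTERNET scores slightly negative (every benign sample requests it), while the SEND_SMS plus READ_PHONE_STATE duple scores higher than either permission's benign rate would suggest on its own; that is the reason for scoring groups rather than single permissions.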

  • Article (No Access)

    NISe: Non-Invasive Secure Framework for Multi-Access Edge Computing

    To address the emerging security challenges in Multi-Access Edge Computing (MEC), it is imperative that solutions go beyond the current infrastructure-centric measures. These methods, including authentication and access control, are insufficient to combat malware that conceals itself within ME applications. The acknowledged flaws in the ME application layer necessitate an immediate call for creative solutions. In this work, we propose a non-invasive security architecture for MEC, meticulously designed to strike a balance between performance burden and security protection capabilities. The design objective covers three major aspects, i.e. user experience, service density and serviceability. We conduct a thorough evaluation that enables us to quantify the significance of high bandwidth, low user experience latency and MEC serviceability. The experimental results and ablation studies indicate that our proposed method effectively balances user experience and security capabilities. This not only provides a practical and cost-effective solution but also establishes a strong precedent for the community to develop a secure MEC with superior performance in real-world production environments.

  • Article (No Access)

    EVaDe: Efficient and Lightweight Mirai Variants Detection via Approximate Largest Submatrix Search

    The Mirai botnet, notorious for launching significant Distributed Denial of Service (DDoS) attacks and crippling portions of internet services in late 2016, has emerged as a significant threat. Its threat is magnified by the open-source nature of the original Mirai code, which enables a propagation and evolution rate that surpasses traditional malware and frequently defies common sense.

    As the primary targets of Mirai attacks, Internet of Things (IoT) devices must promptly adapt to the evolving variations of the Mirai threat scenario. In practice, however, IoT devices are frequently constrained by insufficient security detection resources. Therefore, there is an urgent need for a lightweight framework capable of handling Mirai variants and dynamically updating its rule set in order to effectively counter the threat.

    In response to these challenges, we present Efficient and lightweight Mirai Variants Detection (EVaDe), a novel, lightweight framework for detecting Mirai. EVaDe unleashes the power of sample function mining to efficiently automate the generation of detection rules, requiring limited hardware resources while maintaining effectiveness against Mirai and its numerous variants. In addition, to improve the efficacy of rule generation, we propose a sophisticated algorithm designed to optimize the maximum submatrix problem, thereby facilitating the efficient and rapid extraction of malicious rules from the sample group.

    We validated the experiments on actual IoT devices with significantly compressed performance overheads; an average sample detection time of 5 ms ensures the system can be deployed in real production. According to the results, the approach has an average detection rate of 95% for Mirai and its variants, which beats every other well-known piece of commercial antivirus software on the market by 3% to 56%.
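To make the "largest submatrix" formulation concrete, here is an added example (not EVaDe's algorithm; a plain greedy approximation): samples are rows, strings found in the binaries are columns, and a rule is a set of columns shared by as many rows as possible, i.e. a large all-ones submatrix of the presence matrix. Strings present in any benign sample are dropped first so the rule cannot match the benign corpus. All sample names and feature sets are constructed; the Mirai-related strings are only illustrative.

```python
"""Added example (not EVaDe's algorithm): derive a detection rule from a sample
group as a large all-ones submatrix of the sample x feature presence matrix,
using a simple greedy approximation. Sample feature sets are constructed."""

# Constructed: strings observed in each sample (names and sets are made up).
MALICIOUS = {
    "mirai_a":   {"/bin/busybox", "xc3511", "vizxv", "LOLNOGTFO", "/dev/watchdog"},
    "mirai_b":   {"/bin/busybox", "xc3511", "vizxv", "/dev/watchdog", "ECCHI"},
    "variant_c": {"/bin/busybox", "xc3511", "/dev/watchdog", "LOLNOGTFO", "telnet"},
    "variant_d": {"/bin/busybox", "xc3511", "/dev/watchdog", "ECCHI"},
    "variant_e": {"vizxv", "ECCHI", "/dev/watchdog"},
}
BENIGN = {
    "busybox_ok": {"/dev/watchdog", "telnet", "uptime"},
}

def candidate_features(malicious, benign):
    """Columns of the matrix: strings seen in malware but in no benign sample,
    so a rule built from them cannot match the benign corpus."""
    seen_benign = set().union(*benign.values())
    return sorted(set().union(*malicious.values()) - seen_benign)

def greedy_submatrix(rows, features):
    """Approximate the largest all-ones submatrix: repeatedly add the feature
    that keeps the most rows while the area |rows| x |features| still grows.
    `features` is scanned in sorted order, so ties go to the first name."""
    chosen, covered, area = [], set(rows), 0
    while True:
        best = None
        for f in features:
            if f in chosen:
                continue
            keep = {r for r in covered if f in rows[r]}
            cand = len(keep) * (len(chosen) + 1)
            if cand > area and (best is None or cand > best[0]):
                best = (cand, f, keep)
        if best is None:
            return frozenset(chosen), covered
        area, f, covered = best
        chosen.append(f)

def generate_rules(malicious, benign, min_support=2):
    """Peel rules off the sample group until the remainder is too small to
    justify a rule. Returns (rules, names of samples no rule covers)."""
    features = candidate_features(malicious, benign)
    uncovered = dict(malicious)
    rules = []
    while uncovered:
        rule, covered = greedy_submatrix(uncovered, features)
        if not rule or len(covered) < min_support:
            break
        rules.append(rule)
        uncovered = {k: v for k, v in uncovered.items() if k not in covered}
    return rules, set(uncovered)

def matches(rules, strings):
    """A sample is flagged if every string of any rule is present in it."""
    return any(rule <= strings for rule in rules)

if __name__ == "__main__":
    rules, left = generate_rules(MALICIOUS, BENIGN)
    print("rules:", [sorted(r) for r in rules], "uncovered:", left)
    for name, strings in {**MALICIOUS, **BENIGN}.items():
        print(f"{name:12s} {'HIT' if matches(rules, strings) else 'clean'}")
```

On the constructed group the greedy pass settles on the two strings shared by four of the five malicious samples (area 4 x 2 = 8, larger than any three-string rule that covers only two samples); the fifth sample lacks both and is left for a later rule or manual triage because a one-sample rule would be too specific to be worth shipping.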

  • Article (No Access)

    Improving Windows Malware Detection Using the Random Forest Algorithm and Multi-View Analysis

    Cybercriminals motivated by malign purpose and financial gain are rapidly developing new variants of sophisticated malware using automated tools, and most of this malware targets Windows operating systems. This serious threat demands efficient techniques to analyze and detect zero-day, polymorphic and metamorphic malware. This paper introduces two frameworks for Windows malware detection using random forest algorithms. The first scheme uses features obtained from static and dynamic analysis for training, and the second scheme uses features obtained from static analysis, dynamic analysis, malware image analysis, location-sensitive hashing and file format inspection. We carried out an extensive experiment on the two feature sets, and the proposed schemes are evaluated using seven standard evaluation metrics. The experimental results demonstrate that the second scheme recognizes unseen malware better than the first scheme and three state-of-the-art works. The findings show that the second scheme’s multi-view feature set contributes to its 99.58% accuracy and low false positive rate of 0.54%.

  • Article (No Access)

    Malware Detection Using Optimized Activation-Based Deep Belief Network: An Application on Internet of Things

    A number of malware detection models have been proposed recently, but they still have major limitations in terms of detection rate. Hence, to overcome this, this paper introduces a new malware detection model with three stages: feature extraction, feature selection and classification. In the feature extraction phase, Term Frequency-Inverse Document Frequency (TF-IDF) and Information Gain (IG) features are extracted. More importantly, the IG feature is subjected to Holoentropy evaluation. Following the feature extraction phase, feature selection is performed using Principal Component Analysis (PCA). Finally, for the classification process, a Deep Belief Network (DBN) with an optimized activation function is used. To work out this optimization scenario, this paper proposes a new hybrid algorithm that combines the concepts of the Lion Algorithm (LA) and Glowworm Swarm Optimization (GSO). The performance of the proposed Lion Updated GSO (LU-GSO) is compared with other conventional models with respect to various evaluation measures and shows improvements over them. Through the performance analysis, it was observed that the proposed model attains high accuracy, which is 10.21%, 10.04%, 9.18% and 6.42% better than LA, GSO, GWO and PSO, respectively.

  • Article (Open Access)

    AAGAN: Android Malware Generation System Based on Generative Adversarial Network

    With the rapid evolution of mobile malware, especially Android malware, machine learning (ML)-based Android malware detection systems have drawn massive attention. Although ML algorithms have recently led to many vital breakthroughs in malware detection, they are still particularly vulnerable to adversarial example (AE) attacks. By applying small random perturbations (e.g. simply modifying different kinds of features from the application’s manifest file), an AE attack can cause the misclassification of legitimate applications. This paper proposes AAGAN, an automated Android malware generation system based on Generative Adversarial Networks (GAN) that can successfully deceive current ML detectors. Our experiment results indicate that AEs generated by our system can flip the prediction of the state-of-the-art detection algorithms in 99% of cases using a real-world dataset. To defend against AE attacks, we improve the robustness of our detection system by alternatively retraining with these newly generated AEs. Surprisingly, after retraining five times, AAGAN can achieve an 89% success rate in bypassing our malware detection system.

  • Article (No Access)

    On the Effect of k Values and Distance Metrics in KNN Algorithm for Android Malware Detection

    There has been a remarkable increase in mobile device usage in recent years. The Android operating system is by far the most preferred open-source mobile operating system around the world. Besides, the Android operating system is used in many Internet of Things (IoT) devices, which are used in many areas of daily life. Smart cities, smart environments, health, home automation, agriculture and livestock are some of these areas, and health is one of the most frequent. Since the Android operating system is both widely used and open-source, the vast majority of malware released on the market is now designed for Android platforms. Therefore, devices using the Android operating system are under serious threat. In this study, a machine learning-based system that detects malware on the Android operating system is proposed. Feature vectors are created from permissions, which have an important place in the security of the Android operating system, and are given as input to the k-nearest neighbor (KNN) algorithm, one of the machine learning techniques, which classifies software as malicious or benign. In the KNN algorithm, the k value and the distance metric used to find the closest samples directly affect classification performance. In addition, studies examining the parameters of the KNN algorithm in detail in permission-based work are limited. For this reason, the performance of the malware detection system is presented comparatively using five different k values and five different distance metrics on different data sets. When the results are examined, it is observed that higher classification performance is obtained when k is set to values such as 1 or 3 and metrics such as Euclidean and Minkowski are chosen instead of the Chebyshev distance metric.
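The k and distance-metric sensitivity described above, as an added example (not the paper's code) on a constructed permission dataset: a from-scratch k-NN with Manhattan, Euclidean, Minkowski (p=3) and Chebyshev distances. On binary permission vectors every coordinate difference is 0 or 1, so the Chebyshev distance is exactly 1 for every non-identical pair; the neighbour ranking then collapses to whatever order the training set happens to be in, which is one concrete reason that metric underperforms the others on this kind of feature. The permission list, the labelled apps and the query are constructed.

```python
"""Added example (not the paper's code): k-NN over binary permission vectors with
several distance metrics, showing why Chebyshev distance degenerates on such
vectors. Training data is constructed."""
from collections import Counter

PERMISSIONS = ["INTERNET", "SEND_SMS", "READ_SMS", "READ_PHONE_STATE",
               "RECEIVE_BOOT_COMPLETED", "CAMERA", "ACCESS_FINE_LOCATION", "READ_CONTACTS"]

# Constructed labelled apps: (permission set, label).
TRAIN = [
    ({"INTERNET", "CAMERA"}, "benign"),
    ({"INTERNET", "ACCESS_FINE_LOCATION"}, "benign"),
    ({"INTERNET", "CAMERA", "READ_CONTACTS"}, "benign"),
    ({"INTERNET", "READ_CONTACTS"}, "benign"),
    ({"INTERNET", "SEND_SMS", "READ_SMS", "READ_PHONE_STATE"}, "malware"),
    ({"SEND_SMS", "READ_PHONE_STATE", "RECEIVE_BOOT_COMPLETED"}, "malware"),
    ({"INTERNET", "SEND_SMS", "READ_SMS", "RECEIVE_BOOT_COMPLETED"}, "malware"),
    ({"INTERNET", "READ_SMS", "READ_PHONE_STATE", "RECEIVE_BOOT_COMPLETED"}, "malware"),
]

def vectorize(perms):
    """Binary feature vector: 1 if the app requests the permission, else 0."""
    return [1 if p in perms else 0 for p in PERMISSIONS]

def minkowski(p):
    """Minkowski distance of order p; p=1 is Manhattan, p=2 is Euclidean."""
    return lambda a, b: sum(abs(x - y) ** p for x, y in zip(a, b)) ** (1 / p)

def chebyshev(a, b):
    """Largest single coordinate difference: on 0/1 vectors this is 0 or 1."""
    return max(abs(x - y) for x, y in zip(a, b))

METRICS = {"manhattan": minkowski(1), "euclidean": minkowski(2),
           "minkowski3": minkowski(3), "chebyshev": chebyshev}

def knn_predict(query, train, k, metric):
    """Majority vote among the k nearest training vectors. sorted() is stable,
    so equal distances are resolved by training order, which is all Chebyshev
    has to go on here."""
    q = vectorize(query)
    ranked = sorted(((metric(q, vectorize(p)), label) for p, label in train),
                    key=lambda t: t[0])
    return Counter(label for _, label in ranked[:k]).most_common(1)[0][0]

def distinct_distances(query, train, metric):
    """How many different distance values the metric can produce for a query."""
    q = vectorize(query)
    return {metric(q, vectorize(p)) for p, _ in train}

def leave_one_out_accuracy(train, k, metric):
    """Predict each sample from the others; fraction correct."""
    hits = 0
    for i, (perms, label) in enumerate(train):
        others = train[:i] + train[i + 1:]
        hits += knn_predict(perms, others, k, metric) == label
    return hits / len(train)

if __name__ == "__main__":
    query = {"INTERNET", "SEND_SMS", "READ_PHONE_STATE"}
    for name, metric in METRICS.items():
        print(f"{name:10s} k=1 -> {knn_predict(query, TRAIN, 1, metric):8s} "
              f"distinct distances: {len(distinct_distances(query, TRAIN, metric))}  "
              f"LOO accuracy (k=1): {leave_one_out_accuracy(TRAIN, 1, metric):.2f}")
```

Manhattan, Euclidean and Minkowski all rank neighbours by Hamming distance (they are monotone functions of it on 0/1 vectors), so they agree; Chebyshev returns a single distance value for the whole training set and its leave-one-out accuracy falls to the share of the first training rows' label.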

  • Chapter (No Access)

    Combining static and dynamic analysis for the detection of malicious JavaScript-bearing PDF documents

    With the increasing popularity of Portable Document Format (PDF) documents and the increasing vulnerability of PDF users, effective detection of malicious PDF documents is becoming a more and more significant issue. In this paper, we propose a method for the detection of JavaScript-bearing malicious documents and establish a prototype detection system. We de-obfuscate the JavaScript code extracted from PDF documents through static analysis, and emulate the code execution during dynamic analysis. The combination of static and dynamic analysis in our approach makes the detection immune to obfuscation. Our experimental evaluation shows that our method can detect a broad range of malicious PDF documents and markedly enhance detection accuracy with an acceptable overhead.
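An added example of the static half of such a pipeline (not the chapter's prototype): a minimal extractor that locates /JS and /JavaScript entries in a PDF, including keys hidden behind hex-escaped names such as /J#53, inflates FlateDecode streams, and statically unwraps unescape('%xx') and eval('...') layers before the script is handed to whatever emulation step follows. The sample PDF, its object layout and the obfuscation marker list are constructed; the parser assumes a direct integer /Length and no literal "stream" text inside object dictionaries, and skips hex-string values for brevity.

```python
"""Added example (not the chapter's prototype): pull JavaScript out of a PDF
for static analysis. Sample PDF and obfuscation markers are constructed."""
import re
import zlib

def decode_name(token):
    """Resolve #xx escapes in a PDF name token: b'/J#53' -> b'/JS'."""
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), token)

def normalize_names(dictionary):
    """Canonicalise every name token so hex-escaped keys cannot evade matching."""
    return re.sub(rb"/[^\s/<>\[\]()]+", lambda m: decode_name(m.group(0)), dictionary)

OBJ_RE = re.compile(rb"(\d+)\s+\d+\s+obj\s*(.*?)\s*endobj", re.S)

def parse_objects(pdf):
    """Map object number -> (normalised dictionary, decoded stream or None).
    Assumes a direct /Length and no 'stream' text inside the dictionary."""
    objects = {}
    for m in OBJ_RE.finditer(pdf):
        num, body, stream = int(m.group(1)), m.group(2), None
        sm = re.search(rb"stream\r?\n", body)
        if sm:  # split before normalising so stream bytes are never rewritten
            raw, body = body[sm.end():], body[:sm.start()]
        body = normalize_names(body)
        if sm:
            lm = re.search(rb"/Length\s+(\d+)", body)
            stream = raw[:int(lm.group(1))] if lm else raw[:raw.rfind(b"endstream")]
            if b"/FlateDecode" in body:
                stream = zlib.decompress(stream)
        objects[num] = (body, stream)
    return objects

def read_literal(data, i):
    """PDF literal string at data[i] == b'(': balanced parens and backslash
    escapes. Returns (content, index just past the closing paren)."""
    depth, out, i = 1, bytearray(), i + 1
    while i < len(data):
        c = data[i:i + 1]
        if c == b"\\":
            out += data[i + 1:i + 2]
            i += 2
            continue
        if c == b"(":
            depth += 1
        elif c == b")":
            depth -= 1
            if depth == 0:
                return bytes(out), i + 1
        out += c
        i += 1
    return bytes(out), i

def extract_javascript(pdf):
    """Scripts behind /JS or /JavaScript keys: inline literal strings or
    indirect references to stream objects."""
    objects = parse_objects(pdf)
    scripts = []
    for body, _ in objects.values():
        for m in re.finditer(rb"/(?:JS|JavaScript)\s*", body):
            rest = body[m.end():]
            if rest.startswith(b"("):
                scripts.append(read_literal(rest, 0)[0])
            else:
                ref = re.match(rb"(\d+)\s+\d+\s+R", rest)
                target = objects.get(int(ref.group(1))) if ref else None
                if target and target[1] is not None:
                    scripts.append(target[1])
    return scripts

OBFUSCATION_MARKERS = (b"eval(", b"unescape(", b"String.fromCharCode(")

def deobfuscate(js):
    """Statically peel unescape('%xx...') and eval('...') layers until stable."""
    def unescape_literal(m):
        decoded = re.sub(rb"%([0-9A-Fa-f]{2})",
                         lambda h: bytes([int(h.group(1), 16)]), m.group(2))
        return m.group(1) + decoded + m.group(1)
    while True:
        before = js
        js = re.sub(rb"unescape\((['\"])(.*?)\1\)", unescape_literal, js)
        js = re.sub(rb"eval\((['\"])(.*?)\1\)", lambda m: m.group(2), js)
        if js == before:
            return js

def build_sample_pdf():
    """Constructed PDF: an OpenAction whose hex-escaped /J#53 key points at a
    Flate-compressed script, plus a second action with an inline literal."""
    packed = zlib.compress(b"eval(unescape('%61%70%70%2e%61%6c%65%72%74%28%31%29'))")
    return (b"%PDF-1.4\n"
            b"1 0 obj\n<< /Type /Catalog /Pages 4 0 R /OpenAction 2 0 R >>\nendobj\n"
            b"2 0 obj\n<< /S /JavaScript /J#53 3 0 R >>\nendobj\n"
            b"3 0 obj\n<< /Length " + str(len(packed)).encode() +
            b" /Filter /FlateDecode >>\nstream\n" + packed + b"\nendstream\nendobj\n"
            b"4 0 obj\n<< /Type /Pages /Kids [] /Count 0 >>\nendobj\n"
            b"5 0 obj\n<< /S /JavaScript /JS (app.alert(2)) >>\nendobj\n"
            b"trailer\n<< /Root 1 0 R >>\n%%EOF\n")

def scan(pdf):
    """(raw script, deobfuscated script, obfuscation markers seen?) per script."""
    return [(js, deobfuscate(js), any(mk in js for mk in OBFUSCATION_MARKERS))
            for js in extract_javascript(pdf)]
```

A naive `b"/JS" in pdf` check misses the first script twice over: the key is spelled /J#53 and the code lives in a compressed stream. The static unwrapping only handles layers whose arguments are constant strings; anything built at run time (string concatenation, fromCharCode over computed values) is what the dynamic emulation stage is for.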