Experimental Comparison of Machine Learning Models in Malware Packing Detection

Jong-Wouk Kim,Juhong Namgung,Yang-Sae Moon,Mi-Jung Choi 한국통신학회 2020 한국통신학회 APNOMS Vol.2020 No.09

Recently, malware is widely distributed by combining recent technologies such as packing, encoding and obfuscation to bypass anti-virus software. These kinds of technologies allow malware to survive longer, infect various computers and devices for longer periods of time, create a number of mutated malware, and make experts spend longer to analyze malware. Packers disrupt the reverse engineering process, making it difficult for security researchers to analyze new or unknown malware. Thus, we need to analyze as many malware as possible by first detecting the packed malware and analyzing not-packed malware, and then unpack the packed malware. Previously, the packing detection methods were based on mainly signature and entropy detection. However, these methods have increased the undetected rate with the appearance of custom packers. Due to these problems, there have been many research efforts on machine learning-based malware packing detection and classification. In this paper, we present an extensive experimental comparison of these machine learning-based algorithms. In particular, we extract a total of 13 important features and considers eight machine learning algorithms to detect the packing of malware. Experimental results show that we can also detect well malware packed by custom packers which did not studied in previous studies.

Effective Feature Selection for Classification of Malware Families

정태영,이성원,윤종희,조두산 사단법인 미래융합기술연구학회 2021 아시아태평양융합연구교류논문지 Vol.7 No.2

Nowadays, numerous new malwares are produced and distributed every day. Modified or new types of malware, which are different from existing malware, have been identified. It is very inefficient for analysts to manually analyze those types of malware one by one from the beginning. This paper presents a method to utilize API and DLL call frequency to detect and classify malware families efficiently. Those APIs and DLLs that are related to malware are selected, the calling patterns that appear in the process of actually analyzing the APIs and DLLs are quantified, and the results are used as a malware classification filter. An automatic analysis system is constructed to increase the efficiency of analysis of a large number of pieces of malware. Then, the features of each malware family are extracted using the results of analysis for malware classification. Data mining and open source tools are used to enhance the efficiency and accuracy of analysis. Based on the result of analyzing actual malware, it was found that it is sufficiently effective to detect and classify malicious codes through feature selection using APIs and DLLs. This paper proposes a new criterion for detecting and classifying malicious codes, and can be applied to or referred to other malicious code research in the future to improve the accuracy and efficiency of analysis.

A Cross-Platform Malware Variant Classification based on Image Representation

( Hamad Naeem ),( Bing Guo ),( Farhan Ullah ),( Muhammad Rashid Naeem ) 한국인터넷정보학회 2019 KSII Transactions on Internet and Information Syst Vol.13 No.7

Recent internet development is helping malware researchers to generate malicious code variants through automated tools. Due to this reason, the number of malicious variants is increasing day by day. Consequently, the performance improvement in malware analysis is the critical requirement to stop the rapid expansion of malware. The existing research proved that the similarities among malware variants could be used for detection and family classification. In this paper, a Cross-Platform Malware Variant Classification System (CP-MVCS) proposed that converted malware binary into a grayscale image. Further, malicious features extracted from the grayscale image through Combined SIFT-GIST Malware (CSGM) description. Later, these features used to identify the relevant family of malware variant. CP-MVCS reduced computational time and improved classification accuracy by using CSGM feature description along machine learning classification. The experiment performed on four publically available datasets of Windows OS and Android OS. The experimental results showed that the computation time and malware classification accuracy of CP-MVCS was higher than traditional methods. The evaluation also showed that CP-MVCS was not only differentiated families of malware variants but also identified both malware and benign samples in mix fashion efficiently.

Simulated Dynamic C&C Server Based Activated Evidence Aggregation of Evasive Server-Side Polymorphic Mobile Malware on Android

Han Seong Lee,Hyung-Woo Lee 한국인터넷방송통신학회 2017 Journal of Advanced Smart Convergence Vol.6 No.1

Diverse types of malicious code such as evasive Server-side Polymorphic are developed and distributed in third party open markets. The suspicious new type of polymorphic malware has the ability to actively change and morph its internal data dynamically. As a result, it is very hard to detect this type of suspicious transaction as an evidence of Server-side polymorphic mobile malware because its C&C server was shut downed or an IP address of remote controlling C&C server was changed irregularly. Therefore, we implemented Simulated C&C Server to aggregate activated events perfectly from various Server-side polymorphic mobile malware. Using proposed Simulated C&C Server, we can proof completely and classify veiled server-side polymorphic malicious code more clearly.

바이너리 시각화와 기계학습을 이용한 악성코드 분류

김태근,지환태,임을규 한국정보과학회 2018 정보과학회 컴퓨팅의 실제 논문지 Vol.24 No.4

The number of variants of malware is rapidly increasing. This can be attributed to reasons such as reuse of existing code and evolution of malware generation tools. Therefore, it is important to classify variants of malware accurately and quickly. The current malware classification system used whether binary file includes certain byte sequence in itself but these signature based malware classifications has difficulties in classifying variants of malware. This paper proposes a new method for classifying variants of malware. To classify variants of malware, it creates a fixed size image from malware binary file. The value of each byte of the binary is used as a coordinate and the two byte data is associated with the <x, y> coordinates, and the value of the pixel corresponding to each coordinate in the image is increased. The image feature information generated in this way is utilized for machine learning. The machine learning methods used in malware classification are random forest, convolutional neural network and the experiments of each classification method on 10868 malware samples resulted with high accuracy of 98.9% and 97.1% respectively. 악성코드 제작 시, 기존 코드의 재사용, 악성코드 제작 도구의 발전 등의 이유로 인해, 악성코드 변종의 수가 빠르게 증가하고 있다. 따라서 악성코드의 변종을 정확하고 신속하게 분류하는 것이 중요해지고 있다. 기존의 악성코드 분류는 바이너리 파일 내 특정 바이트 순열 포함 여부를 이용하였으나 이러한 시그니처 기반 악성코드 분류는 변종 악성코드를 분류하는 데 어려움이 있다. 본 논문은 악성코드변종을 보다 높은 정확도로 분류하기 위한 이미지 기반 악성코드 분류 방법을 제안한다. 악성코드 분류를 위해, 악성코드 바이너리로부터 고정된 크기의 이미지를 생성한다. 바이너리의 각 바이트의 값을 좌표로 이용하며, 2 바이트 데이터를 <x, y> 좌표로 대응시켜, 이미지에서 각 좌표에 해당되는 픽셀의 값을 증가시킨다. 이러한 방식으로 생성된 이미지 특징정보를 기계학습에 활용한다. 악성코드 분류에 사용된 기계학습 알고리즘은 random forest와 convolutional neural network이며, 각각의 분류 기법을 10868개의 악성코드 샘플에 실험한 결과, 각각 98.9%, 97.1%의 높은 정확도로 악성코드를 분류하였다.

Sharpness-Aware Minimization을 적용한 Separable Vision Transformer 기반악성코드 유형 분류 기법

정인웅,이한진,정재환,최석환 한국지능시스템학회 2024 한국지능시스템학회논문지 Vol.34 No.4

악성코드 시각화를 통한 악성코드 유형 분류 기법은 악성코드 이미지를 생성하고, ConvolutionalNeural Networks(CNNs)와 같은 인공지능 모델을 활용하여 분류를 수행한다. 하지만, CNN계열 모델을 활용한 기법은 난독화 기법에 취약하다는 한계점이 있다. 본 논문에서는 난독화기법에 강한 Separable Vision Transformer(SepViT) 기반 악성코드 유형 분류 기법을 제안한다. 제안하는 기법은 악성코드를 grayscale 이미지로 시각화한 후에 Sharpness-AwareMinimization(SAM)을 적용한 SepViT 모델로 악성코드 유형 분류를 수행한다. MicrosoftMalware Classification Challenge 데이터셋을 대상으로 한 실험을 통해, 제안하는 기법에서활용한 SAM Optimizer 기반 SepViT가 4개의 모델(ResNet18, ViT, CrossViT, 기존 SepViT)보다 정확하게 악성코드 유형을 분류할 수 있음을 보이며, Grad-Cam을 통해 분류 근거를 분석하였다. 또한, AndroDex 데이터셋을 대상으로 한 실험을 통해 악성코드에 난독 "The methods of classifying malware family through malware visualization generate malware images and then classify malware family using artificial intelligence models such as Convolutional Neural Networks(CNNs). However, such methods are vulnerable to malware obfuscation techniques. In this paper, we propose a malware classification method based on the Separable Vision Transformer(SepViT) that is robust against obfuscation techniques. The proposed method performs malware family classification using a SepViT model enhanced with Sharpness-Aware Minimization(SAM) after visualizing malware as grayscale images. From the experimental results using the Microsoft Malware Classification Challenge dataset, we show that SAM Optimizer-based SepViT used in the proposed method can classify malware family more accurately than four methods(ResNet18, ViT, CrossViT, SepViT). We also analyze the basis for classification of the proposed method using Grad-Cam. In addition, from the experiments using AndroDex dataset, we show that the proposed method shows good detection performance even in the presence of obfuscation in malware."

효율적인 악성코드 분류를 위한 최적의 API 시퀀스 길이 및 조합 도출에 관한 연구

최지연(Ji-yeon Choi),김희석(HeeSeok Kim),김규일(Kyu-il Kim),박학수(Hark-soo Park),송중석(Jung-suk Song) 한국정보보호학회 2014 정보보호학회논문지 Vol.24 No.5

인터넷이 지속적으로 발달하면서 이에 따른 부작용으로 사이버 해킹 공격 또한 지능적인 공격으로 진화하고 있다. 해킹 공격의 도구로 사용되는 악성코드는 공격자들이 자동 제작 툴을 이용해 손쉽게 악성코드를 생성할 수 있기 때문에 악성코드의 수가 급증하고 있다. 그러나 수많은 악성코드를 모두 분석하기에는 많은 시간과 노력이 요구됨에 따라 신·변종 악성코드에 대한 별도의 분류가 필요한 상황이다. 이에 따라 신·변종 악성코드를 분류하는 다양한 연구들이 등장하고 있으며, 해당 연구들은 악성코드 분석을 통해 악성 행위를 나타내는 다양한 정보를 추출하고 이를 악성코드를 대표하는 특징으로 정의하여 악성코드를 분류한다. 그 중, 대부분이 API 함수와 API 함수로부터 추출한 특정 길이의 API 시퀀스를 이용하여 악성코드를 분류하고 있다. 그러나 API 시퀀스의 길이는 분류의 정확성에 영향을 미치기 때문에 적합한 API 시퀀스의 길이를 선택하는 것이 매우 중요하다. 따라서 본 논문은 특정 길이에 한정하지 않고, 다양한 길이의 API 시퀀스를 생성 및 조합하여 악성코드 분류의 정확성을 향상시키기 위한 최적의 API 시퀀스 및 조합을 찾는 방법론을 제안한다. With the development of the Internet, the number of cyber threats is continuously increasing and their techniques are also evolving for the purpose of attacking our crucial systems. Since attackers are able to easily make exploit codes, i.e., malware, using dedicated generation tools, the number of malware is rapidly increasing. However, it is not easy to analyze all of malware due to an extremely large number of malware. Because of this, many researchers have proposed the malware classification methods that aim to identify unforeseen malware from the well-known malware. The existing malware classification methods used malicious information obtained from the static and the dynamic malware analysis as the criterion of calculating the similarity between malwares. Also, most of them used API functions and their sequences that are divided into a certain length. Thus, the accuracy of the malware classification heavily depends on the length of divided API sequences. In this paper, we propose an extraction method of optimized API sequence length and combination that can be used for improving the performance of the malware classification.

Andro-AutoPsy: Anti-malware system based on similarity matching of malware and malware creator-centric information

Jang, J.w.,Kang, H.,Woo, J.,Mohaisen, A.,Kim, H.K. Elsevier 2015 Digital investigation Vol.14 No.-

Mobile security threats have recently emerged because of the fast growth in mobile technologies and the essential role that mobile devices play in our daily lives. For that, and to particularly address threats associated with malware, various techniques are developed in the literature, including ones that utilize static, dynamic, on-device, off-device, and hybrid approaches for identifying, classifying, and defend against mobile threats. Those techniques fail at times, and succeed at other times, while creating a trade-off of performance and operation. In this paper, we contribute to the mobile security defense posture by introducing Andro-AutoPsy, an anti-malware system based on similarity matching of malware-centric and malware creator-centric information. Using Andro-AutoPsy, we detect and classify malware samples into similar subgroups by exploiting the profiles extracted from integrated footprints, which are implicitly equivalent to distinct characteristics. The experimental results demonstrate that Andro-AutoPsy is scalable, performs precisely in detecting and classifying malware with low false positives and false negatives, and is capable of identifying zero-day mobile malware.

딥 러닝 기반 분류 모델을 이용한 악성코드 제작자 그룹 분류

홍석진,홍지원,김상욱,김동필,김원호 한국정보과학회 2018 데이타베이스 연구 Vol.34 No.2

컴퓨터가 실생활에서 많이 사용됨에 따라, 악성코드(malware)를 만들어 악의적인 목적으로 다른 사람의 컴퓨터를 공격하려는 시도가 기하급수적으로 증가하고 있다. 악성코드들은 해당 악성코드를 제작한 제작자 그룹을 기준으로 분류될 수 있으며, 악성코드 제작자 정보는 디지털 포렌식(digital forensic)에 중요한 정보로 활용될 수 있다. 본 논문에서는 악성코드로부터 정적 특징 정보와 동적 특징 정보를 추출하여 악성코드를 각 특징의 보유 유무로써 표현하였다. 이를 바탕으로 딥 러닝 기법을 활용하여 주어진 악성코드의 제작자 그룹을 분류하는 방안을 제안하였다. 본 논문에서는 다양한 실험을 통해 악성코드 데이터에 맞는 딥 러닝 기법과 하이퍼 파라미터를 찾아 딥 러닝 기반 악성코드 제작자 그룹 분류 모델을 구축하고 평가하였으며, 본 논문에서 제안한 딥 러닝 기반 분류 모델이 기존 분류 모델보다 악성코드 제작자 그룹 분류 문제에서 높은 정확도를 보임을 확인하였다. As computers are heavily used in real life, attempts at creating malwares to attack others' computers for malicious purposes are increasing exponentially. Malwares can be categorized based on the group of authors who created the code, and their information is considered to be important for digital forensics. In this paper, we extract the static features and the dynamic features from the malware and use the features to represent the malware by considering the presence or absence of each feature in the malware. Based on the feature information, we proposed a method to classify a group of authors of a given malware by using a deep learning technique. Also, we find a hyperparameter and a deep learning technique that work best on the malware author group classification via extensive experiments. Using these, we construct and evaluate a deep learning based malware author group classification model. We confirmed that the classification accuracy of the proposed model is higher than those of the existing malware author group classification models.

멀티모달 기반 악성코드 유사도 계산 기법

유정도,김태규,김인성,김휘강 한국정보보호학회 2019 정보보호학회논문지 Vol.29 No.2

Malware has its own unique behavior characteristics, like DNA for living things. To respond APT (Advanced PersistentThreat) attacks in advance, it needs to extract behavioral characteristics from malware. To this end, it needs to doclassification for each malware based on its behavioral similarity. In this paper, various similarity of Windows malware isestimated; and based on these similarity values, malware’s family is predicted. The similarity measures used in this paperare as follows: ‘TF-IDF cosine similarity', ‘Nilsimsa similarity', ‘malware function cosine similarity' and ‘Jaccard similarity'. As a result, we find the prediction rate for each similarity measure is widely different. Although, there is no similaritymeasure which can be applied to malware classification with high accuracy, this result can be helpful to select a similaritymeasure to classify specific malware family. 사람의 DNA가 변하지 않는 것과 같이 사이버상의 악성코드도 변하지 않는 고유의 행위 특징을 갖고 있다. APT(Advanced Persistent Threat) 공격에 대한 방어수단을 사전에 확보하기 위해서는 악성코드의 악성 행위특징을 추출해야 한다. 이를 위해서는 먼저 악성코드 간의 유사도를 계산하여 유사한 악성코드끼리 분류할 수 있어야 한다. 본 논문에서는 Windows OS 상에서 동작하는 악성코드 간의 유사도 계산 방법으로 ‘TF-IDF 코사인 유사도’, ‘Nilsimsa 유사도’, ‘악성코드 기능 유사도’, ‘Jaccard 유사도’를 사용해 악성코드의 유형을 예측해보고, 그결과를 보인다. 실험결과, 유사도 계산 방식마다 악성코드 유형에 따라 예측률의 차이가 매우 컸음을 발견할 수 있었다. 모든 결과에 월등한 정확도를 보인 유사도는 존재하지 않았으나, 본 실험결과를 이용하여 특정 패밀리의 악성코드를 분류할 때 어떤 유사도 계산 방식을 활용하는 것이 상대적으로 유리할지를 결정할 때 도움이 될 것으로 판단된다.