Malware detection

Top PDF Malware detection:

Malware Detection in PDF Files Using Machine Learning

We worked on three aspects of malware detection in PDF files. First we implemented our own PDF file classifier, using the SVM algorithm, as it provides good results. We explored different possibilities for feature selection: our initial choice was based on the (Stevens, 2006) selection. We refined this choice the following way: from the set of available features, we selected those which appeared to be the most discriminating in our case. We trained and tested our SVM with a dataset of 10 000 clean and 10 000 malicious PDF files from the Contagio database (Contagio Dump, 2013), and we also tuned the SVM to study its behavior. We came up with a classifier that had more than 99% success rate.

How to Teach the Undecidability of Malware Detection Problem and Halting Problem

Université Clermont Auvergne, LIMOS, IREM

Abstract. Malware detection is a term that is often associated with Computer Science Security. The underlying main problem is called Virus detection and consists in answering the following question: Is there a program that can always decide if a program is a virus or not? On the other hand, the undecidability of some problems is an important notion in Computer Science: an undecidable problem is a problem for which no algorithm exists to solve it. We propose an activity that demonstrates that virus detection is an undecidable problem. Hence we prove that the answer to the above question is no. We follow the proof given by Cohen in his PhD in 1983. The proof is close to the proof given by Turing in 1936 of the undecidability of the Halting problem. We also give an activity to prove the undecidability of the Halting problem. These proofs allow us to introduce two important ways of proving theorems in Computer Science: proof by contradiction and proof by case disjunction. We propose a simple way to present these notions to students using a maze. Our activity is unplugged, i.e. we use only a paper based model of computer, and is designed for high-school students. This is the reason why we use Scratch to write our "programs".

Morphological Detection of Malware

Abstract. In the field of malware detection, methods based on syntactical considerations are usually efficient. However, they are strongly vulnerable to obfuscation techniques. This study proposes an efficient construction of a morphological malware detector based on a syntactic and a semantic analysis, technically on control flow graphs of programs (CFG). Our construction employs tree automata techniques to provide an efficient representation of the CFG database. Next, we deal with classic obfuscation of programs by mutation using a generic graph rewriting engine. Finally, we carry out experiments to evaluate the false-positive ratio of the proposed methods.

Behavior Analysis of Malware by Rewriting-based Abstraction - Extended Version

Email: {Philippe.Beaucamps, Isabelle.Gnaedig, Jean-Yves.Marion}@loria.fr

Abstract—We propose a formal approach for the detection of high-level program behaviors. These behaviors, defined as combinations of patterns in a signature, are detected by model-checking on abstracted forms of program traces. Our approach works on unbounded sets of traces, which makes our technique useful not only for dynamic analysis, considering one trace at a time, but also for static analysis, considering a set of traces inferred from a control flow graph. Our technique uses a rewriting-based abstraction mechanism, producing a high-level representation of the program behavior, independent of the program implementation. It allows us to handle similar behaviors in a generic way and thus to be robust with respect to variants. Successfully applied to malware detection, our approach allows us in particular to model and detect information leaks.

Seeing the Unseen: Revealing Mobile Malware Hidden Communications via Energy Consumption and Artificial Intelligence

against mobile devices. In more detail, the power consumption of a device is correlated with IEEE 802.11 activities. If an irregularity is discovered, it is compared with existing signatures to perform the detection of the attack. Then, each mobile device exchanges alerts with peers, thus implementing a distributed network IDS. This work has been further extended by modifying the rates at which the battery status is polled, and by considering the activity of the Bluetooth air interface to increase the performance in terms of correct detections [27]. Moreover, Caviglione and Merlo [9] focused on how antivirus and network attacks such as port scans and ping floods impact the battery depletion of different smartphones. They state the need for "green security" mechanisms to effectively develop consumption-based malware detection systems [28]. Curti et al. [25] studied the energy footprints of benign applications like Skype or YouTube and also of network attacks like Denial of Service. They also provided a power consumption model for the hardware involved in IEEE 802.11 communications, allowing a normal traffic pattern to be distinguished from a network threat. This work has been further extended by Merlo et al. [10] by analyzing the feasibility of porting the two aforementioned approaches to Android devices with the aim of developing a malware detection framework. Unfortunately, the proposed solutions turned out to be unsuitable, mainly due to implementation issues, which can be overcome by introducing the direct observation of power consumption from the battery hardware without the need to dwell deeply into the drivers.

Mining Malware Specifications through Static Reachability Analysis

1 Introduction. Malware (malicious software) is software developed to damage the system that executes it, e.g. viruses, trojans, rootkits, etc. A malware variant performs the same damage as another known malware, but its code, its syntactical representation, is different. Malware can be grouped into families, sets of malware sharing a common trait. Security reports acknowledge a steady increase in the number of new malware. For instance, in 2010 the number of new unique variants of malware was 286 million [13] and recent numbers confirm the trend [21]. Such numbers challenge current malware detection technology and because variants can be automatically generated the problem tends to get worse. Research confirms the unsuitability of current malware detectors [14, 24]. The problem is the low level of the techniques used.

Detection networks

to causality constraints, the agents seek to optimize a team cost functional by making discrete decisions which are conveyed to other agents on capacity constrained channels.

Detection Signal Design for Failure Detection: a Robust Approach

The multidisciplinary open archive HAL is intended for the deposit and dissemination of research-level scientific documents, whether published or not, originating from teaching institutions

FACE DETECTION AND RECOGNITION

Results obtained with the RIE method: The training and test sets used with the eigenfaces algorithm on reduced images are those of the second configuration

Detection of moving objects

The multidisciplinary open archive HAL is intended for the deposit and dissemination of research-level scientific documents, whether published or not, originating from teaching institutions

Detection and emergence

EHS fits naturally in our definition of emergence. If D_k is a detector of level n, then all active detectors of level n − 1 which are connected to D_k become redundant. There are such detectors, since D_k did not become active by magic. As a consequence, relative complexity automatically decreases and emergence necessarily occurs whenever an n-detector is activated while only (n − 1)-detectors were previously active. The activation or availability of an n-detector systematically enables the building of a more compact – and therefore less complex – model that takes advantage of regularities and redundancy at the lower level. Emergence is thus a characteristic feature of detection hierarchies.

Acoustic boiling detection

Array Size Indicator (normal): Allows the user to choose the number of data of the type indicated by the Input Type Ring

Sec2graph: Network Attack Detection Based on Novelty Detection on Graph Structured Data

Abstract. Being able to timely detect new kinds of attacks in highly distributed, heterogeneous and evolving networks without generating too many false alarms is especially challenging. Many researchers proposed various anomaly detection techniques to identify events that are inconsistent with past observations. While supervised learning is often used to that end, security experts generally do not have labeled datasets and labeling their data would be excessively expensive. Unsupervised learning, which does not require labeled data, should then be preferred, even if these approaches have led to less relevant results. We introduce in this paper a unified and unique graph representation called security objects' graphs. This representation mixes and links events of different kinds and allows a rich description of the activities to be analyzed. To detect anomalies in these graphs, we propose an unsupervised learning approach based on an auto-encoder. Our hypothesis is that as security objects' graphs bring a rich vision of the normal situation, an auto-encoder is able to build a relevant model of this situation. To validate this hypothesis, we apply our approach to the CICIDS2017 dataset and show that although our approach is unsupervised, its detection results are as good as, and even better than, those obtained by many supervised approaches.

Decentralized detection

We now define the class of decision rules that can be parametrized by a set of thresholds. Suppose that Assumption 2.1 holds and that there exists an optimal strategy.

On boundary detection

The aim of this paper is to provide a statistical test to decide whether the boundary of the support is empty or not and, when the answer is affirmative, to provide a heuristic method

Malware: A future framework for Device, Network and Service Management

Our paper is structured as follows. The five main challenges that network management must face are presented in individual sections. Each section concludes with conceptual solutions inspired by currently existing malware. Section II addresses the issue of large scale network management. Next, we consider the cases of multi-vendor and heterogeneous equipment, which is the subject of Section III. Three essential building blocks for any network management plane are given by its ability to be flexible, adaptive and to operate reliably and securely. These issues are addressed in Sections IV, V and VI, respectively. A case study of a large scale distributed honeypot is described in Section VII, where malware-based management is the only viable approach. Finally, we conclude the paper and highlight future work in Section VIII.

Transport congestion events detection (TCED): towards decorrelating congestion detection from TCP

detecting congestion occurring in the network. This algorithm is based on the combined use of two realistic and feasible assumptions, which are 1) a delay or a timestamp to validate a loss following retransmission and 2) the acknowledgments path. We have evaluated this algorithm with and without network reordering cases and shown that an external and live congestion events detection is possible. We also emphasized that previous solutions based only on RTT measurements are not able to cover all cases. In particular, and following measurements done with the ICN algorithm, we show a lack of differentiation between retransmissions due to reordering or loss and a lack of accuracy of the measurements with short TCP flows when using only RTT measurements.

Superpixel-based saliency detection

However, the state-of-the-art saliency models are still insufficient to effectively highlight salient object regions completely with well-defined boundaries and to effectively suppress background, especially for some complicated images. In this paper, we propose a simple yet effective superpixel-based saliency model, in which superpixels are used as the basic primitives for saliency measurement. Based on the simplified image using superpixel representation and adaptive color quantization, we propose an inter-superpixel similarity measure, a global contrast measure and a spatial sparsity measure to derive a superpixel-level saliency map, which better highlights salient objects and suppresses background regions more effectively. Objective evaluations also demonstrate that the proposed saliency model achieves a consistently higher saliency detection performance than state-of-the-art saliency models.

Anomaly detection through explanations

Complex machines also lack internal communication. When the underlying parts disagree, they cannot justify their behavior. In the Uber self-driving vehicle accident, an unresolved disagreement among parts led to a pedestrian fatality [180]. In summary, the vision system perceived an oscillating label where the pedestrian was located, although the LiDAR system detected a moving object in that region. The mechanism for combining this information chose to ignore the object. Instead, I created a system-wide explanatory monitoring architecture, Anomaly Detection Through Explanations (ADE). The architecture consists of local reasonableness monitors around subsystems, constructed into a system hierarchy, similar to how human organizations are structured. An explanation synthesizer reconciles disagreements. In the Uber example, the synthesizer is able to validate the vision system's detection of an object, while discounting the oscillating labels of that object, because they are inconsistent. The synthesizer constructs a reason why, by examining the explanations from the underlying subsystems that support the judgement. The ADE architecture is presented in Chapter 7.

PCR Detection of Mimivirus

are essential parameters for viral detection. In practice, the search for mimivirus is complicated by the great genetic variability of the virus and the restricted availability of mimivirus culture systems to a few research laboratories (10). The deficiencies we found in the report by Zhang et al. highlight the need for carefully designed epidemiologic studies using sensitive laboratory test methods to accurately assess mimivirus prevalence and the potential role of mimivirus in human disease.
