Malware Detection, Supportive Software Agents and Its Classification Schemes

International Journal of Network Security & Its Applications (IJNSA), Vol.4, No.6, November 2012
DOI: 10.5121/ijnsa.2012.4603

Malware Detection, Supportive Software Agents and Its Classification Schemes

1 Adebayo, Olawale Surajudeen (B.Tech, MSc, MNCS, MCPN, MIACSIT), 2 M.A. Mabayoje (B.Sc, MSc, MSAN, MCPN), 3 Amit Mishra, 4 Osho Oluwafemi (MTech.)
1,4 Cyber Security Science Department, F.U.T. Minna, Niger State, Nigeria.
2 Department of Computer Science, University of Ilorin, P.M.B 1515, Ilorin, Nigeria.
3 Mathematics & Computer Science Department, IBB University Lapai, Niger State, Nigeria.

Abstract

Over time, the task of curbing the emergence of malware and its dastardly activities has been identified in terms of analysis, detection and containment of malware. Malware is a general term used to describe the category of malicious software that forms part of the security threats to computer and internet systems. It is a malignant program designed to hamper the effectiveness of a computer and internet system. This paper identifies malware as one of the most dreaded threats to emerging computer and communication technology. The paper describes the categories of malware, malware classification algorithms, malware activities, and ways of preventing and removing malware if it eventually infects a system. The research also describes tools that classify a malware dataset using a rule-based classification scheme and machine learning algorithms to distinguish malicious programs from normal programs through pattern recognition.
Keywords: Malware, Malware Detection, Malware Classification, Malware Supportive Software Agents

1. Introduction

Protecting, securing and maintaining computer and internet systems against all forms of security threats, including malware, internet fraud and phishing among others, is one of the most demanding tasks faced by contemporary computer professionals, users and stakeholders. Malware remains one of the biggest threats ravaging contemporary computing. Concern about the rate at which malware spreads is today a global phenomenon, especially as it spreads over the internet, which is a means of global communication. Malware is malicious software that is included intentionally in a computing facility purposely to harm a system. Malware can also be defined as any kind of intrusion that is disastrous to computer software and hardware systems. Malware writers create malware for different reasons and purposes, ranging from challenge to economic gain, and from destruction to retaliation, among others. Its growth in volume is highly alarming, and its rate of expansion cannot be overlooked because of the damage it causes. Once malware gets into a system through different media, such as copying files from external devices onto the system and, most commonly, downloading files from the internet, it probes the vulnerabilities of the system and infects the system if it is highly vulnerable.

Another emerging technology threatened by malware activity is mobile communication. This technology is a very fast means of communication over both mobile and electronic networks. As the services of mobile devices, which include email and messaging, multimedia and others, double daily, and as these devices adopt operating systems like Symbian and Linux, the devices have become highly vulnerable to various forms of attack.
F-Secure has published more than 350 mobile malware samples, including Cabir [1], Mabir [2], Skull [3] and others targeting the Symbian software platform. Computer malware includes computer viruses, worms, Trojans, malicious mobile code (botnets, the Nimda worm), tracking cookies (spyware, adware, crimeware), attacker tools (backdoors, keyloggers, rootkits, e-mail generators) and other harmful software.

A malware detector is a system that aims at analyzing and identifying malware, while malware detection is a field of study that deals with the analysis, detection and containment of malware. A malware detector can be a commercial virus scanner that uses binary signatures and other heuristic rules and algorithms to identify malware.

A very common technique adopted by malware writers is code obfuscation [4], which prevents detection by the detectors. Code obfuscation techniques can be polymorphic or metamorphic. A metamorphic virus obfuscates by hiding itself completely to evade detection, while a polymorphic virus obfuscates its decryption loops using code insertion and transposition [4]. Moreover, metamorphic malware adopts methods like register renaming, dead code insertion, block reordering and command substitution in order to perform its dastardly acts.

Another technique adopted by malware writers is the modification and inclusion of new behaviour in their malware so as to increase its strength and viability. Malware like the Bagle worms and the Sobig.A through Sobig.F worm variants [4] were developed iteratively with the inclusion of new features.

2. Literature Review

One of the greatest challenges in security, still contending with the exploration of mobile communication devices, computer and network infrastructures, and web technology, is malware attacks, their detection and their analysis. Several solutions that have been adopted in the past for the detection and containment of malware can be classified into static analysis techniques, dynamic analysis techniques and combinations of both static and dynamic methods.
Static analysis is the process of analyzing a program's code statically without actually executing it. The static analysis approach has the advantage that the entire code can be covered and therefore, possibly, the complete program behaviour, independent of any single path executed at run-time, can be captured. However, static analysis is constrained by its inability to detect new malware or new variants of malware. Dynamic analysis, on the other hand, is necessary to complement the lapses of static analysis caused by various obfuscation mechanisms, which render static analysis ineffective. Dynamic analysis has been based on heuristics such as monitoring modifications to the system registry and the insertion of hooks into system interfaces or libraries. Dynamic analysis, however, also has shortcomings: since the heuristics are not based on the fundamental attributes of malware, they can be subject to high false positive and false negative rates.

The techniques of malware detection can also be classified as signature-based malware detection, specification-based malware detection and behaviour-based detection. To overcome the limitations of signature-based detection, behaviour-based malware analysis and detection techniques were proposed by Forrest et al. [5], who designed host-based anomaly detection. The behaviour-based approaches observe the behaviour of a code in the form of system routine calls and create a database of all the fixed-length consecutive system call sequences from normal applications. Possible intrusions are discovered by looking for call sequences that do not appear in the database. Advanced mining techniques were later consolidated on the behavioural detection of deviations in call sequences by using heuristic algorithms [6], Hidden Markov Models [7] and finite-state automata [8].
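The fixed-length system-call sequence scheme of Forrest et al. [5] described above, as an added example that is not part of the paper: a profile of every window of N consecutive calls is built from traces of normal runs, and a trace is scored by the fraction of its windows that are absent from the profile. The traces, the window length N = 3 and the alert threshold are constructed assumptions for illustration; the paper gives no values.

```python
"""Forrest-style n-gram profiling of system-call traces (added example)."""

# Window length and alert threshold are assumptions, not taken from the paper.
N = 3
THRESHOLD = 0.2

# Constructed training traces of a well-behaved file-copy utility.
NORMAL_TRACES = [
    ["open", "read", "write", "read", "write", "close"],
    ["open", "read", "write", "close"],
    ["open", "read", "read", "write", "write", "close"],
]

# Constructed trace of the same utility misbehaving: it spawns a process and
# opens a network connection in the middle of the copy.
SUSPECT_TRACE = ["open", "read", "execve", "socket", "connect", "write", "close"]

# Constructed benign trace whose call order never appeared during training.
UNSEEN_BENIGN_TRACE = ["open", "write", "close"]


def ngrams(trace, n=N):
    """Every window of n consecutive calls, as tuples, in trace order."""
    return [tuple(trace[i:i + n]) for i in range(len(trace) - n + 1)]


def build_profile(traces, n=N):
    """The normal profile: the set of all n-grams seen in normal traces."""
    profile = set()
    for trace in traces:
        profile.update(ngrams(trace, n))
    return profile


def score_trace(trace, profile, n=N):
    """Return (mismatch ratio, unseen windows) for a trace against a profile.

    The ratio is the fraction of the trace's windows missing from the profile:
    0.0 means every window was observed in training, 1.0 means none was.
    """
    windows = ngrams(trace, n)
    if not windows:
        return 0.0, []
    unseen = [w for w in windows if w not in profile]
    return len(unseen) / len(windows), unseen


def is_anomalous(trace, profile, threshold=THRESHOLD, n=N):
    """Flag the trace when too many of its windows are outside the profile."""
    ratio, _ = score_trace(trace, profile, n)
    return ratio > threshold
```

Scoring UNSEEN_BENIGN_TRACE shows the weakness the paper attributes to this family of detectors: a harmless but previously unseen call order is flagged exactly like the suspect trace, because the profile encodes only sequence membership, not the meaning of the calls.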
All the aforementioned detection methods share the same concept of representing programs' normal behaviour with system calls and performing anomaly detection by measuring the deviation from normal profiles. However, the above approaches share the shortcoming of ignoring the semantics of system call sequences and thus could be evaded by simple obfuscation or mimicry attacks [10]. In order to address this deficiency, [9] proposed semantics-aware malware detection, which attempts to detect polymorphic malware by identifying semantically equivalent instruction sequences in malware categories. In this work, the malicious behaviour (e.g. a decryption loop) is described with a template of instruction sequences, and a matching algorithm is applied to the disassembled binaries to find the instruction sequences that match the predefined malicious template. The authors found that it is resilient to several code obfuscation techniques because it abstracts away register names and symbolic constants. However, attacks using equivalent instruction replacement and reordering are still possible because it still requires exact matching between the template node and the application instructions.

Salvatore et al. [11] presented file analysis for malware detection. They use statistical content analysis of files in order to detect anomalous file segments that may suggest infection by malcode.
Their goal is to develop an efficient means of detecting suspected infected files for application to online network communication such as file sharing or media streaming, or for scanning a large store of collected information, such as a data warehouse of acquired content. The problems of signature-based AV systems failing to detect new zero-day exploits are well known; a new generation of anomaly detection systems aimed at detecting zero-day exploits is beginning to appear in commercial products.

Behavioural malware detection on mobile handsets, intended to curb casualties in the mobile community, is another detection technique, proposed by [12]. Their approach is unique in its definition of application behaviour. It observes programs' run-time behaviour at a higher level (i.e. system events or resource access) than the system calls of [7] and the machine instructions of [9]. This higher-level abstraction improves resilience to polymorphism and facilitates the detection of malware variants, as it abstracts away more low-level implementation details. Also, the approach employs run-time analysis, effectively bypassing the need to deal with code/data obfuscation [13]. Run-time analysis also avoids the possible loss of information of the static approach, since static analysis often fails to reveal inter-component/system interaction information [13], and disassembly is not always possible for all binaries: Linn and Debray (2001) showed that disassemblers can be thwarted with simple obfuscations. Moreover, in contrast to Forrest's anomaly detection [5], which learns only normal applications' behaviour, or Christodorescu's misuse detection [9], which matches against only malicious templates, this approach exploits information on both normal programs' and malware's behaviours, and employs a machine learning (instead of exact matching) algorithm to improve the detection accuracy.
Since the learning and classification are based on two opposite-side data sets, this approach conceptually combines anomaly detection with misuse detection and therefore could strike a balance between false positives and false negatives.

Christopher Kruegel et al. [15], in another work, propose binary analysis to detect kernel rootkits by statically analyzing kernel modules and looking for suspicious instruction sequences. [16] is another work that determines a spyware component by statically extracting a list of Windows API calls invoked in response to browser events, and combines it with dynamic analysis to identify the interactions between the component and the OS. Spyware-like behaviour is detected if the component monitors user behaviour and leaks this information by invoking some API calls. Static analysis is also widely used to collect the structural information of an executable file (e.g. control and data flow) and to detect various malware [17]. Newsome and Song (2002) proposed dynamic taint analysis to detect buffer overflow exploits on commodity software. Their approach is to perform binary rewriting at run-time to track the propagation and improper use of unsafe or tainted data. [13] collected a sequence of application events at run-time and constructed an opaque object to represent the behaviour in a rich syntax. Their work also applies a machine learning algorithm to high-level behaviour representations. However, their work focuses on clustering malware into different families using nearest-neighbour algorithms based on the edit distance between data samples, whereas the mobile handset approach described above is only interested in distinguishing normal from malicious programs. The latter also uses a supervised learning procedure to make the best of existing normal and malicious program information, while clustering is a common unsupervised learning procedure.

Ellis et al. in [18] present a novel approach for the automatic detection of Internet worms using their behavioural signatures.
These signatures were generated from worm behaviours manifested in network traffic; the behaviour includes tree-like propagation and changing a server into a client. In the same vein, NetSpy [19] performs behaviour characterization and differential analysis on network traffic to help automatically generate network-level signatures of new spyware. Their approach is fundamentally different from that of [18] in that they focused on the characterization of host-based malware behaviour, incorporating a wide range of system events into behaviour signatures. Primary Response from Sana Security [20] is another host-based behavioural approach that monitors desktop applications and employs multiple behavioural heuristics and correlations (e.g. Registry modification, key logging procedures, process hijacking, etc.) to identify a malicious application. With BackTracker, King, S. T. and Chen, P. M. [21] aim to automatically identify the potential sequences of activities that occurred in an intrusion.

Xuxian Jiang et al. [22] proposed Stealthy Malware Detection Through VMM-Based "Out-of-the-Box" Semantic View Reconstruction, in which they presented VMwatcher, a novel VMM-based approach that enables out-of-the-box malware detection by addressing the semantic gap challenge. More specifically, VMwatcher achieves stronger tamper-resistance by moving anti-malware facilities out of the monitored VM while maintaining the native semantic view of the VM via external semantic view reconstruction. Their evaluation of the VMwatcher prototype on both Linux and Windows platforms demonstrates its practicality and effectiveness. In particular, the experiments with real-world self-hiding rootkits further demonstrate the power of the new malware detection capabilities enabled by VMwatcher.
In order to curb the disastrous effects of a class of code injection attacks called SQLIAs, which take advantage of the lack of validation of user input, William et al. [23] propose AMNESIA (Analysis and Monitoring for Neutralizing SQL Injection Attacks), a fully automated technique and tool for the detection and prevention of SQLIAs. The vulnerabilities occur when a developer combines hard-coded strings with user input to create dynamic queries. Their approach combines static analysis and run-time monitoring, where program analysis is used, in the static part, to automatically build a model of the legitimate queries that could be generated by the application.

3. Malware

Malware is the term used to describe computer software or hardware that is harmful to other computing systems. Malware is classified based on attributes like replication tendency and strategy, purpose of creation, method of propagation and containment methodology. Malware may be created in order to destroy a system or for various challenges (Stuxnet, viruses), for financial gain (i.e. backdoors, botnets), or to gain unauthorized access to a system by compromising its effectiveness (adware, spyware, worms). Malware can also be seen as a computer program that has various kinds of malicious intent [4]. Some commonly known malware categories are viruses, Trojans, worms, attacker toolkits, malicious mobile code and tracking cookies. Malicious programs present an incessant threat to the privacy and security of sensitive data and to the availability of critical services at crucial points in time.
3.1 Categories of Malware

There are various types of malware. Malware can be classified according to the purpose and method of propagation [25]. This paper therefore categorizes malware into the following groups: computer worms, computer viruses, Trojans, tracking cookies, attacker tools and malicious mobile code.

3.1.1 Computer Viruses

This is a computer program designed to replicate itself and distribute the copied data to other computers, thereby infecting other programs and files. A virus has a payload that contains the code for executing the virus's activities, which can be either benign or malicious in nature. A benign program may irritate the user or consume memory space unnecessarily, while a malicious program causes several kinds of damage to the system. A virus may be compiled or interpreted. The source code of a compiled virus is converted by a compiler program for proper execution on the operating system, while interpreted virus code can only be executed by some applications. The obfuscation of viruses has made their detection difficult. Malware writers use obfuscation such as polymorphism, metamorphism, stealth, self-encryption and decryption, and armoring, among others, to evade detection by the detectors. The basic purpose of creating a virus is system destruction by attackers.