Browsing by Author "M.a, M.A.A."
Item: Execution time measurement of virtual machine volatile artifacts analyzers (IEEE Computer Society, 2016). M.a, M.A.A.; Jaidhar, C.D.

Due to the rapid evolution of virtualization environments, Virtual Machines (VMs) have become a target for attackers seeking privileged access to the virtual infrastructure. Advanced Persistent Threats (APTs) such as malware, rootkits and spyware are potent enough to bypass the existing defense mechanisms designed for VMs. To address this issue, Virtual Machine Introspection (VMI) emerged as a promising approach that monitors the run state of a VM externally, from the hypervisor. However, the limitation of VMI lies in the semantic gap. An open-source tool called LibVMI addresses the semantic gap. A Memory Forensic Analysis (MFA) tool such as Volatility can also be used to address the semantic gap, but it needs a memory dump (RAM) as input. The memory dump acquisition time and its analysis time are highly crucial if an Intrusion Detection System (IDS) depends on the data supplied by the MFA or VMI tool. In this work, the live VM RAM dump acquisition time of LibVMI is measured. In addition, the analysis time Volatility consumes on the captured memory dump is measured and compared with another memory analyzer, Rekall. It is observed through experimental results that Rekall takes more execution time than Volatility for most of the plugins. Further, Volatility and Rekall are compared with LibVMI. It is noticed that examining the volatile data through LibVMI is faster, as it eliminates the memory dump acquisition time. © 2015 IEEE.

Item: Experimental analysis of Android malware detection based on combinations of permissions and API-calls (Springer-Verlag France, 2019). Singh, A.K.; Jaidhar, C.D.; M.a, M.A.A.

Android-based smartphones are gaining popularity due to their cost efficiency and the variety of applications available. These smartphones provide the full experience of a computing device to their users, and usually end up being used as a personal computer. Since the Android operating system is open-source software, many contributors are adding to its development to make the interface more attractive and to tweak performance. In order to gain more popularity, many refined versions are offered to customers, whose feedback enables it to be made even more powerful and user-friendly. However, this has also attracted many malicious code-writers seeking anonymous access to users' private data. Moreover, the malware causes an increase in resource consumption. To prevent this, various techniques are currently in use, including static analysis-based detection and dynamic analysis-based detection. But, due to advances in Android malware code-writing techniques, some of these techniques are being overwhelmed. Therefore, there is a need for an effective Android malware detection approach, for which experimental studies were conducted in the present work using static features of Android applications: Standard Permissions with Application Programming Interface (API) calls, Non-standard Permissions with API-calls, and API-calls with both Standard and Non-standard Permissions. To select the prominent features, Feature Selection Techniques (FSTs) such as Bi-Normal Separation (BNS), Mutual Information (MI), Relevancy Score (RS), and Kullback-Leibler (KL) were employed, and their effectiveness was measured using a Linear Support Vector Machine (L-SVM) classifier. It was observed that this classifier achieved an Android malware detection accuracy of 99.6% for the combined features recommended by the BNS FST. © 2019, Springer-Verlag France SAS, part of Springer Nature.

Item: Information gain score computation for N-grams using multiprocessing model (Institute of Electrical and Electronics Engineers Inc., 2017). Shiva Darshan, S.L.S.; M.a, M.A.A.; Jaidhar, C.D.

Currently, the Internet faces a serious threat from malware, whose propagation may wreak havoc on computers and network security solutions. Several existing anti-malware solutions detect known malware accurately. However, they fail to recognize unseen malware, since most of them rely on signature-based techniques, which are easily evaded using obfuscation or polymorphism. Therefore, there is an immediate requirement for new techniques that can detect and classify new malware. In this context, heuristic analysis is found to be promising, since it is capable of detecting unknown malware and new variants of current malware. The N-Gram extraction technique is one such heuristic method commonly used in malware detection. Previous works have shown that shorter N-Grams are easier to extract. In order to identify and remove noisy N-Grams, a popular Feature Selection Technique (FST), Information Gain (IG), which computes a score for each N-Gram (feature) in the dataset, has been used in this work. N-Grams with the highest IG scores are taken as the best features, while the remaining N-Grams are discarded. The IG-FST (Information Gain Feature Selection Technique) is computationally demanding and takes time to generate IG scores for larger N-Gram datasets if the processing is done sequentially. To address this issue, the present work presents a multiprocessing model that computes IG scores rapidly for larger N-Gram datasets. The proposed model has been designed, implemented, and compared with the sequential mode of IG score computation. The experimental results demonstrate that the proposed multiprocessing model is 80% faster than the sequential model of IG score computation. © 2017 IEEE.

Item: Windows malware detection based on cuckoo sandbox generated report using machine learning algorithm (Institute of Electrical and Electronics Engineers Inc., 2016). Shiva Darshan, S.L.S.; M.a, M.A.A.; Jaidhar, C.D.

Malicious software, or malware, has grown rapidly, and many anti-malware solutions have failed to detect unknown malware since most of them rely on signature-based techniques. Such a technique detects malware based on a pre-defined signature, and performs poorly when attempting to classify unseen malware that can evade detection using various code obfuscation techniques. This growing evasion capability of new and unknown malware needs to be countered by analyzing the malware dynamically in a sandbox environment, since the sandbox provides an isolated environment for observing the behavior of the malware. In this paper, the malware is executed in the Cuckoo sandbox to obtain its run-time behavior. At the end of the execution, the Cuckoo sandbox reports the system calls invoked by the malware during execution. However, this report is in JSON format and has to be converted to MIST format to extract the system calls. The collected system calls are structured in the form of N-Grams, which are used to build the classifier with Information Gain (IG) as the feature selection technique. A comprehensive experiment was conducted to find the best-fit classifier among the chosen classifiers, including Bayesian-Logistic-Regression, SPegasos, IB1, Bagging, PART, and J48 as defined within the WEKA tool. From the experimental results, the overall best performance for all the selected top-N-Gram counts (200, 400, and 600) goes to SPegasos, with the highest accuracy, highest True Positive Rate (TPR), and lowest False Positive Rate (FPR). © 2016 IEEE.
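As an added example (not code from any of the papers listed above), the following Python script shows the pipeline the last two items describe and the scoring the Android item relies on: an N-gram presence matrix built from sandbox call sequences, Information Gain (IG) scored per N-gram with the scoring fanned out over a multiprocessing pool, and Bi-Normal Separation (BNS) computed on the same binary features for comparison. The call traces and labels are constructed, the N-gram length, the BNS clipping value and the pool size are assumptions, and no Cuckoo report parsing or MIST conversion is performed.

```python
"""N-gram feature extraction plus Information Gain (IG) and Bi-Normal Separation (BNS)
scoring, with IG optionally computed in parallel.  Illustrative example; all data is constructed."""
from __future__ import annotations

import math
import multiprocessing
from collections import Counter
from statistics import NormalDist

# Constructed toy traces: the ordered API/system calls each sample made in a sandbox run
# (the kind of sequence a sandbox report would list).  Labels: 1 = malware, 0 = benign.
TRACES = {
    "mal1": ["NtOpenFile", "NtReadFile", "NtCreateFile", "NtWriteFile", "RegSetValueEx"],
    "mal2": ["NtCreateFile", "NtWriteFile", "RegSetValueEx", "CreateRemoteThread"],
    "mal3": ["NtOpenFile", "NtCreateFile", "NtWriteFile", "RegSetValueEx"],
    "ben1": ["NtOpenFile", "NtReadFile", "NtClose"],
    "ben2": ["NtOpenFile", "NtReadFile", "NtQueryInformationFile", "NtClose"],
    "ben3": ["NtCreateFile", "NtWriteFile", "NtClose"],
}
LABELS = {"mal1": 1, "mal2": 1, "mal3": 1, "ben1": 0, "ben2": 0, "ben3": 0}


def ngrams(seq, n):
    """Sliding-window N-grams of a call sequence, as tuples."""
    return [tuple(seq[i:i + n]) for i in range(len(seq) - n + 1)]


def build_matrix(traces, n):
    """Binary presence matrix: N-gram -> list of 0/1 per sample, samples in sorted name order."""
    names = sorted(traces)
    grams = {s: set(ngrams(traces[s], n)) for s in names}
    vocab = sorted(set().union(*grams.values()))
    return names, {g: [1 if g in grams[s] else 0 for s in names] for g in vocab}


def _entropy(labels):
    """Shannon entropy (bits) of a label list; 0 for an empty list."""
    total = len(labels)
    return -sum((c / total) * math.log2(c / total) for c in Counter(labels).values()) if total else 0.0


def information_gain(column, labels):
    """IG(f) = H(C) - P(f=1) H(C|f=1) - P(f=0) H(C|f=0) for one binary feature column."""
    present = [y for x, y in zip(column, labels) if x == 1]
    absent = [y for x, y in zip(column, labels) if x == 0]
    n = len(labels)
    return _entropy(labels) - (len(present) / n) * _entropy(present) - (len(absent) / n) * _entropy(absent)


def _ig_task(args):
    """Worker unit: one (feature, column, labels) triple -> (feature, score)."""
    feature, column, labels = args
    return feature, information_gain(column, labels)


def ig_scores(matrix, labels, processes=1):
    """IG for every feature; processes > 1 spreads the columns over a process pool."""
    tasks = [(f, col, labels) for f, col in matrix.items()]
    if processes == 1:
        return dict(map(_ig_task, tasks))
    # "fork" lets workers reuse the parent's in-memory matrix; fall back to the platform default.
    method = "fork" if "fork" in multiprocessing.get_all_start_methods() else None
    with multiprocessing.get_context(method).Pool(processes) as pool:
        return dict(pool.map(_ig_task, tasks, chunksize=max(1, len(tasks) // (4 * processes))))


_NORM = NormalDist()


def bns_score(column, labels, eps=0.0005):
    """BNS(f) = |Phi^-1(tpr) - Phi^-1(fpr)|; rates are clipped to (eps, 1-eps) to keep Phi^-1 finite."""
    pos = sum(1 for y in labels if y == 1)
    neg = len(labels) - pos
    tp = sum(1 for x, y in zip(column, labels) if x == 1 and y == 1)
    fp = sum(1 for x, y in zip(column, labels) if x == 1 and y == 0)
    tpr = min(max(tp / pos, eps), 1 - eps)
    fpr = min(max(fp / neg, eps), 1 - eps)
    return abs(_NORM.inv_cdf(tpr) - _NORM.inv_cdf(fpr))


def top_k(scores, k):
    """Features with the k highest scores (ties broken by feature name for determinism)."""
    return [f for f, _ in sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))[:k]]


if __name__ == "__main__":
    names, matrix = build_matrix(TRACES, 2)          # bigrams; n=2 is an assumption
    labels = [LABELS[s] for s in names]
    scores = ig_scores(matrix, labels, processes=2)  # pool size is arbitrary
    for g in top_k(scores, 3):
        print(f"IG={scores[g]:.3f}  BNS={bns_score(matrix[g], labels):.3f}  {g}")
```

The bigram ("NtWriteFile", "RegSetValueEx") appears in every constructed malware trace and no benign one, so it scores the maximum IG of 1.0 bit and the maximum clipped BNS; a bigram shared equally by both classes scores near zero under both measures, which is exactly the noise the feature-selection step is meant to discard.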
