TMaD: Three‐tier malware detection using multi‐view feature for secure convergence ICT environments

Impact factor 3; CAS Zone 4 (Computer Science); JCR Q2, COMPUTER SCIENCE, ARTIFICIAL INTELLIGENCE
Expert Systems Pub Date : 2024-07-19 DOI:10.1111/exsy.13684
Jueun Jeon, Byeonghui Jeong, Seungyeon Baek, Young‐Sik Jeong
Citation count: 0

Abstract

As digital transformation accelerates, data generated in a convergence information and communication technology (ICT) environment must be secured. This data includes confidential information such as personal and financial information, so attackers spread malware in convergence ICT environments to steal this information. To protect convergence ICT environments from diverse cyber threats, deep learning models have been utilized for malware detection. However, accurately detecting rapidly generated variants and obfuscated malware is challenging. This study proposes a three‐tier malware detection (TMaD) scheme that utilizes a cloud‐fog‐edge collaborative architecture to analyse multi‐view features of executable files and detect malware. TMaD performs signature‐based malware detection at the edge device tier, then sends executables detected as unknown or benign to the fog tier. The fog tier conducts static analysis on non‐obfuscated executables and those transferred from the previous tier to detect variant malware. Subsequently, TMaD sends executables detected as benign in the fog tier to the cloud tier, where dynamic analysis is performed on obfuscated executables and those detected as benign to identify obfuscated malware. An evaluation of TMaD's detection performance resulted in an accuracy of 94.78%, a recall of 0.9794, a precision of 0.9535, and an f1‐score of 0.9663. This performance demonstrates that TMaD, by analysing executables across several tiers and minimizing false negatives, exhibits superior detection performance compared to existing malware detection models.
Source journal: Expert Systems (Engineering and Technology – Computer Science: Theory and Methods)
CiteScore: 7.40
Self-citation rate: 6.10%
Articles published: 266
Review time: 24 months
Journal description: Expert Systems: The Journal of Knowledge Engineering publishes papers dealing with all aspects of knowledge engineering, including individual methods and techniques in knowledge acquisition and representation, and their application in the construction of systems (including expert systems) based thereon. Detailed scientific evaluation is an essential part of any paper. As well as traditional application areas, such as Software and Requirements Engineering, Human-Computer Interaction, and Artificial Intelligence, the journal targets the new and growing markets for these technologies, such as Business, Economy, Market Research, and Medical and Health Care. The shift towards this new focus will be marked by a series of special issues covering hot and emergent topics.