Computers & Security: latest publications

Assessing the detection of lateral movement through unsupervised learning techniques
IF 4.8, Zone 2, Computer Science
Computers & Security Pub Date: 2024-11-06 DOI: 10.1016/j.cose.2024.104190
Christos Smiliotopoulos, Georgios Kambourakis, Constantinos Kolias, Stefanos Gritzalis

Abstract: Lateral movement (LM) is an umbrella term for techniques through which attackers spread from an entry point to the rest of the network. Typically, LM involves both pivoting through multiple systems and privilege escalation. As LM techniques proliferate and evolve, there is a need for advanced security controls able to detect and possibly nip such attacks in the bud. Based on the published literature, we argue that although LM-focused intrusion detection systems have received considerable attention, a prominent issue remains largely unaddressed. This concerns the detection of LM through unsupervised machine learning (ML) techniques. This work contributes to this field by capitalizing on the LMD-2023 dataset containing traces of 15 diverse LM attack techniques as they were logged by the system monitor (Sysmon) service of the MS Windows platform. We provide a panorama of this sub-field and associated methodologies, exploring the potential of standard ML-based detection. In further detail, in addition to analyzing feature selection and preprocessing, we detail and evaluate a plethora of unsupervised ML techniques, both shallow and deep. The derived scores for the best performer in terms of the AUC and F1 metrics are quite promising, around 94.7%/93% and 95.2%/93.8%, for the best shallow and deep neural network model, respectively. On top of that, in an effort to further improve on those metrics, we devise and evaluate a two-stage ML model, surpassing the previous best score by approximately 3.5%. Overall, to our knowledge, this work provides the first full-blown study on LM detection via unsupervised learning techniques; therefore, it is anticipated to serve as a groundwork for anyone working in this timely field.

Computers & Security, Volume 149, Article 104190. Journal Article.
Citations: 0
An innovative practical roadmap for optimal control strategies in malware propagation through the integration of RL with MPC
IF 4.8, Zone 2, Computer Science
Computers & Security Pub Date: 2024-11-06 DOI: 10.1016/j.cose.2024.104186
Mousa Tayseer Jafar, Lu-Xing Yang, Gang Li

Abstract: While there has been considerable research into optimal control formulations for mitigating cyber threats, a significant gap persists between the theoretical and numerical insights derived from such research and the practical implementation of these optimal mitigation strategies in real-time scenarios. This paper introduces a multifaceted approach to enhance and optimize optimal control strategies by seamlessly integrating reinforcement learning (RL) algorithms with model predictive control (MPC) techniques for the purpose of malware propagation control. Optimal control is a critical aspect of various domains, ranging from industrial processes and robotics to epidemiological modeling and cybersecurity. The traditional approaches to optimal control, particularly open-loop strategies, have limitations in adapting to dynamic and uncertain environments. This paper addresses these limitations by proposing a novel roadmap that leverages RL algorithms to fine-tune and adapt MPC parameters within the context of malware propagation containment. In sum, this practical roadmap is anticipated to serve as a valuable resource for researchers and practitioners engaged in the development of cybersecurity solutions.

Computers & Security, Volume 148, Article 104186. Journal Article.
Citations: 0
SecKG2vec: A novel security knowledge graph relational reasoning method based on semantic and structural fusion embedding
IF 4.8, Zone 2, Computer Science
Computers & Security Pub Date: 2024-11-05 DOI: 10.1016/j.cose.2024.104192
Xiaojian Liu, Xinwei Guo, Wen Gu

Abstract: Knowledge graph technology is widely used in network security design, analysis, and detection. By collecting, organizing, and mining various security knowledge, it provides scientific support for security decisions. Some public Security Knowledge Repositories (SKRs) are frequently used to construct security knowledge graphs. The quality of SKRs affects the efficiency and effectiveness of security analysis. However, the current situation is that the identification of relational information among security knowledge elements is not sufficient and timely, and a large amount of key relational information is missing. In view of this, we propose a security knowledge graph relational reasoning method, based on the fusion embedding of semantic correlation and structure correlation, named SecKG2vec. With SecKG2vec, the embedded vector simultaneously presents both semantic and structural characteristics, and it can exhibit better relational reasoning performance. In qualitative evaluation and quantitative experiments against baseline methods, SecKG2vec performs better in the relationship reasoning task and the entity reasoning task, and shows potential capability for 0-shot scenario prediction.

Computers & Security, Volume 149, Article 104192. Journal Article.
Citations: 0
Privacy protection against user profiling through optimal data generalization
IF 4.8, Zone 2, Computer Science
Computers & Security Pub Date: 2024-11-05 DOI: 10.1016/j.cose.2024.104178
César Gil, Javier Parra-Arnau, Jordi Forné

Abstract: Personalized information systems are information-filtering systems that endeavor to tailor information-exchange functionality to the specific interests of their users. The ability of these systems to profile users based on their search queries at Google, disclosed locations at Twitter or rated movies at Netflix, is on the one hand what enables such intelligent functionality, but on the other, the source of serious privacy concerns. Leveraging the principle of data minimization, we propose a data-generalization mechanism that aims to protect users’ privacy against non-fully trusted personalized information systems. In our approach, a user may like to disclose personal data to such systems when they feel comfortable. But when they do not, they may wish to replace specific and sensitive data with more general and thus less sensitive data, before sharing this information with the personalized system in question. Generalization therefore may protect user privacy to a certain extent, but clearly at the cost of some information loss. In this work, we model mathematically an optimized version of this mechanism and investigate theoretically some key properties of the privacy-utility trade-off posed by this mechanism. Experimental results on two real-world datasets demonstrate how our approach may contribute to privacy protection and show it can outperform state-of-the-art perturbation techniques like data forgery and suppression by providing higher utility for the same privacy level. On a practical level, the implications of our work are diverse in the field of personalized online services. We emphasize that our mechanism allows each user individually to take charge of their own privacy, without the need to go to third parties or share resources with other users. On the other hand, it provides privacy designers/engineers with a new data-perturbative mechanism with which to evaluate their systems in the presence of data that is likely to be generalizable according to a certain hierarchy, highlighting spatial generalization, with practical application in popular location-based services. Overall, the result is a data-perturbation mechanism for privacy protection against user profiling, which is optimal, deterministic, and local, based on an untrusted model towards third parties.

Computers & Security, Volume 148, Article 104178. Journal Article.
Citations: 0
Web of shadows: Investigating malware abuse of internet services
IF 4.8, Zone 2, Computer Science
Computers & Security Pub Date: 2024-11-04 DOI: 10.1016/j.cose.2024.104182
Mauro Allegretta, Giuseppe Siracusano, Roberto González, Marco Gramaglia, Juan Caballero

Abstract: Internet Web and cloud services are routinely abused by malware, but the breadth of this abuse has not been thoroughly investigated. In this work, we quantitatively investigate this abuse by leveraging data from the Cyber Threat Alliance (CTA), where 36 security vendors share threat intelligence. We analyze CTA data collected over 4 years from January 2020 until December 2023 comprising over one billion cyber-security observations, from which we extract 7.7M URLs and 1.8M domains related to malware. We complement this dataset with an active measurement where we periodically attempt to download the content pointed to by 33,876 recently reported malicious URLs. We investigate the following questions. How generalized is malware abuse of Internet services? How do domains of abused Internet services differ? For what purpose are Internet services abused? And how long do malicious resources remain active? Among others, we uncover broad abuse affecting 22K domains of Internet services, that Internet services are largely abused for enabling malware distribution, and that malicious content in Internet services remains active longer than on malicious domains.

Computers & Security, Volume 149, Article 104182. Journal Article.
Citations: 0
Genetic programming for enhanced detection of Advanced Persistent Threats through feature construction
IF 4.8, Zone 2, Computer Science
Computers & Security Pub Date: 2024-11-03 DOI: 10.1016/j.cose.2024.104185
Abdullah Al Mamun, Harith Al-Sahaf, Ian Welch, Seyit Camtepe

Abstract: Advanced Persistent Threats (APTs) pose considerable challenges in the realm of cybersecurity, characterized by their evolving tactics and complex evasion techniques. These characteristics often outsmart traditional security measures and necessitate the development of more sophisticated detection methods. This study introduces Feature Evolution using Genetic Programming (FEGP), a novel method that leverages multi-tree Genetic Programming (GP) to construct and enhance features for APT detection. While GP has been widely utilized for tackling various problems in different domains, our study focuses on the adaptation of GP to the multifaceted landscape of APT detection. The proposed method automatically constructs discriminative features by combining the original features using mathematical operators. By leveraging GP, the system adapts to the evolving tactics employed by APTs, enhancing the identification of APT activities with greater accuracy and reliability. To assess the efficacy of the proposed method, comprehensive experiments were conducted on widely used and publicly accessible APT datasets. Using the combination of constructed and original features on the DAPT-2020 dataset, FEGP achieved a balanced accuracy of 79.28%, surpassing the best comparative methods by an average of 2.12% in detecting APT stages. Additionally, utilizing only constructed features on the Unraveled dataset, FEGP achieved a balanced accuracy of 83.14%, demonstrating a 3.73% improvement over the best comparative method. The findings presented in this paper underscore the importance of GP-based feature construction for APT detection, providing a pathway toward improved accuracy and efficiency in identifying APT activities. The comparative analysis of the proposed method against existing feature construction methods demonstrates FEGP’s effectiveness as a state-of-the-art method for multi-class APT classification. In addition to the performance evaluation, further analysis was conducted, encompassing feature importance analysis and a detailed time analysis.

Computers & Security, Volume 149, Article 104185. Journal Article.
Citations: 0
FDN-SA: Fuzzy deep neural-stacked autoencoder-based phishing attack detection in social engineering
IF 4.8, Zone 2, Computer Science
Computers & Security Pub Date: 2024-10-31 DOI: 10.1016/j.cose.2024.104188
P. Vidyasri, S. Suresh

Abstract: Phishing attacks have emerged as a major social engineering threat that affects businesses, governments, and general internet users. This work proposes a social engineering phishing detection technique based on Deep Learning (DL). Initially, website data is taken from the dataset. Then, Natural Language Processing (NLP) features like bag of words, n-gram, hashtags, sentence length, Term Frequency-Inverse Document Frequency of records (TF-IDF), and all caps are extracted, and then web feature extraction is carried out. Later, feature fusion is done using the Neyman similarity with a Deep Belief Network (DBN). Afterwards, oversampling is used for data augmentation to enhance the number of training samples. Lastly, the detection of phishing attacks is performed by employing the proposed Fuzzy Deep Neural-Stacked Autoencoder (FDN-SA). Here, the proposed FDN-SA is developed by combining a Deep Neural Network (DNN) and a Deep Stacked Autoencoder (DSA). Further, the investigation of FDN-SA is accomplished based on the accuracy, True Positive Rate (TPR), and True Negative Rate (TNR), and is observed to compute values of 0.920, 0.925, and 0.921, respectively.

Computers & Security, Volume 148, Article 104188. Journal Article.
Citations: 0
Encoder decoder-based Virtual Physically Unclonable Function for Internet of Things device authentication using split-learning
IF 4.8, Zone 2, Computer Science
Computers & Security Pub Date: 2024-10-30 DOI: 10.1016/j.cose.2024.104164
Raviha Khan, Hossien B. Eldeeb, Brahim Mefgouda, Omar Alhussein, Hani Saleh, Sami Muhaidat

Abstract: Internet of Things (IoT) networks have been deployed widely, making device authentication a crucial requirement that poses challenges related to security vulnerabilities, power consumption, and maintenance overheads. While current cryptographic techniques secure device communication, storing keys in Non-Volatile Memory (NVM) poses challenges for edge devices. Physically Unclonable Functions (PUFs) offer robust hardware-based authentication but introduce complexities such as hardware production and conservation expenses and susceptibility to aging effects. This paper’s main contribution is a novel scheme based on split learning, utilizing an encoder–decoder architecture at the device and server nodes, to first create a Virtual PUF (VPUF) that addresses the shortcomings of the hardware PUF and secondly perform device authentication. The proposed VPUF reduces maintenance and power demands compared to the hardware PUF while enhancing security by transmitting latent space representations of responses between the node and the server. Also, since the encoder is placed on the node while the decoder is on the server, this approach further reduces the computational load and processing time on the resource-constrained node. The obtained results demonstrate the effectiveness of the proposed VPUF scheme in modeling the behavior of the hardware-based PUF. Additionally, we investigate the impact of Gaussian noise in the communication channel between the server and the node on the system performance. The obtained results further reveal that the achieved authentication accuracy of the proposed scheme is 100%, as measured by the validation rate of the legitimate nodes. This highlights the superior performance of the proposed scheme in emulating the capabilities of a hardware-based PUF while providing secure and efficient authentication in IoT networks.

Computers & Security, Volume 148, Article 104164. Journal Article.
Citations: 0
GRAIN: Graph neural network and reinforcement learning aided causality discovery for multi-step attack scenario reconstruction
IF 4.8, Zone 2, Computer Science
Computers & Security Pub Date: 2024-10-30 DOI: 10.1016/j.cose.2024.104180
Fengrui Xiao, Shuangwu Chen, Jian Yang, Huasen He, Xiaofeng Jiang, Xiaobin Tan, Dong Jin

Abstract: Correlating individual alerts to reconstruct attack scenarios has become a critical issue in identifying multi-step attack paths. Most existing reconstruction approaches depend on external expertise, such as attack templates or attack graphs, to identify known attack patterns, which are incapable of uncovering unknown attack patterns that exceed prior knowledge. Recently, several expertise-independent methods utilize alert similarity or statistical correlations to reconstruct multi-step attacks. However, these methods often miss rare but high-risk events. The key to overcoming these drawbacks lies in discovering the potential causalities between security alerts. In this paper, we propose GRAIN, a novel graph neural network and reinforcement learning aided causality discovery approach for multi-step attack scenario reconstruction, which does not rely on any external expertise or prior knowledge. By matching the similarity between alerts’ attack semantics, we first remove redundant alerts to alleviate alert fatigue. Then, we correlate these alerts as alert causal graphs that embody the causalities between attack incidents via causality discovery. Afterwards, we employ a graph neural network to evaluate the causal effect between correlated alerts. In light of the fact that the alerts triggered by multi-step attacks have the maximum causal effect, we utilize reinforcement learning to screen out authentic causal relationships. Extensive evaluations on 4 public multi-step attack datasets demonstrate that GRAIN significantly outperforms existing methods in terms of accuracy and efficiency, providing a robust solution for identifying and analyzing sophisticated multi-step attacks.

Computers & Security, Volume 148, Article 104180. Journal Article.
Citations: 0
Multi-perspective API call sequence behavior analysis and fusion for malware classification
IF 4.8, Zone 2, Computer Science
Computers & Security Pub Date: 2024-10-29 DOI: 10.1016/j.cose.2024.104177
Peng Wu, Mohan Gao, Fuhui Sun, Xiaoyan Wang, Li Pan

Abstract: The growing variety of malicious software, i.e., malware, has caused great damage and economic loss to computer systems. The API call sequence of malware reflects its dynamic behavior during execution, which is difficult to disguise. Therefore, the API call sequence can serve as a robust feature for the detection and classification of malware. The statistical analysis presented in this paper reveals two distinct characteristics within the API call sequences of different malware: (1) the API existence feature caused by frequent calls to the APIs with some special functions, and (2) the API transition feature caused by frequent calls to some special API subsequence patterns. Based on these two characteristics, this paper proposes MINES, a Multi-perspective apI call sequeNce bEhavior fuSion malware classification method. Specifically, the API existence features from different perspectives are described by two graphs that model diverse rich and complex existence relationships between APIs, and we adopt the graph contrastive learning framework to extract the consistent shared API existence feature from the two graphs. Similarly, the API transition features of different hops are described by the multi-order transition probability matrices. By treating each order as a channel, a CNN-based contrastive learning framework is adopted to extract the API transition feature. Finally, the two kinds of extracted features are fused to classify malware. Experiments on five datasets demonstrate the superiority of MINES over various state-of-the-art methods by a large margin.

Computers & Security, Volume 148, Article 104177. Journal Article.
Citations: 0