Behaviour-based malware detector

The number of new malware samples created every day is at an all-time high, and one of the main reasons is that malware authors use polymorphic techniques. As a result, antivirus software cannot detect such malware in a timely manner, so an antivirus product alone is insufficient for detecting new malware. Over the last few years, machine learning techniques have achieved high accuracy in classification tasks, and anti-malware solutions have started to use them to classify malware. This report presents a proof-of-concept software tool that uses a convolutional neural network (CNN) to perform malware classification. First, malicious and non-malicious files were collected and each file was analysed with the static analysis tool pestudio. The important features were then extracted and used to train the CNN. The neural network achieves 74% classification accuracy, detecting 80% of the malicious files. In addition, support for detecting malware in PDF, Microsoft Office and Adobe Flash files is needed because of the increasing number of malware samples targeting these file formats; the open source tools PeePDF, Olevba and SWFDump were used to detect malware in PDF, Microsoft Office and Adobe Flash files respectively. Last but not least, testing for sandbox evasion techniques is necessary because of the increasing number of malware samples that can detect the presence of a sandbox. To prevent malware from detecting the sandbox environment, the sandbox is first checked with the open source tool Al-Khaser, a benign program that runs the commonly used anti-sandbox and anti-VM checks, before the malware is analysed in it. This ensures that the sandbox does not expose artefacts that malware using those common evasion techniques could detect.

Bibliographic Details
Main Author: Kwong, Jordan Zheng Xi
Other Authors: Lam Kwok Yan
Format: Final Year Project
Language:English
Published: 2018
Subjects: DRNTU::Engineering
Online Access:http://hdl.handle.net/10356/74011
Institution: Nanyang Technological University
id sg-ntu-dr.10356-74011
record_format dspace
spelling sg-ntu-dr.10356-74011 2023-03-03T20:53:57Z Behaviour-based malware detector Kwong, Jordan Zheng Xi Lam Kwok Yan School of Computer Science and Engineering Certis CISCO Security Pte Ltd DRNTU::Engineering The number of new malware samples created every day is at an all-time high, and one of the main reasons is that malware authors use polymorphic techniques. As a result, antivirus software cannot detect such malware in a timely manner, so an antivirus product alone is insufficient for detecting new malware. Over the last few years, machine learning techniques have achieved high accuracy in classification tasks, and anti-malware solutions have started to use them to classify malware. This report presents a proof-of-concept software tool that uses a convolutional neural network (CNN) to perform malware classification. First, malicious and non-malicious files were collected and each file was analysed with the static analysis tool pestudio. The important features were then extracted and used to train the CNN. The neural network achieves 74% classification accuracy, detecting 80% of the malicious files. In addition, support for detecting malware in PDF, Microsoft Office and Adobe Flash files is needed because of the increasing number of malware samples targeting these file formats; the open source tools PeePDF, Olevba and SWFDump were used to detect malware in PDF, Microsoft Office and Adobe Flash files respectively. Last but not least, testing for sandbox evasion techniques is necessary because of the increasing number of malware samples that can detect the presence of a sandbox. To prevent malware from detecting the sandbox environment, the sandbox is first checked with the open source tool Al-Khaser, a benign program that runs the commonly used anti-sandbox and anti-VM checks, before the malware is analysed in it. This ensures that the sandbox does not expose artefacts that malware using those common evasion techniques could detect. Bachelor of Engineering (Computer Science) 2018-04-23T07:01:46Z 2018-04-23T07:01:46Z 2018 Final Year Project (FYP) http://hdl.handle.net/10356/74011 en Nanyang Technological University 54 p. application/pdf
institution Nanyang Technological University
building NTU Library
continent Asia
country Singapore
Singapore
content_provider NTU Library
collection DR-NTU
language English
topic DRNTU::Engineering
spellingShingle DRNTU::Engineering
Kwong, Jordan Zheng Xi
Behaviour-based malware detector
description The number of new malware samples created every day is at an all-time high, and one of the main reasons is that malware authors use polymorphic techniques. As a result, antivirus software cannot detect such malware in a timely manner, so an antivirus product alone is insufficient for detecting new malware. Over the last few years, machine learning techniques have achieved high accuracy in classification tasks, and anti-malware solutions have started to use them to classify malware. This report presents a proof-of-concept software tool that uses a convolutional neural network (CNN) to perform malware classification. First, malicious and non-malicious files were collected and each file was analysed with the static analysis tool pestudio. The important features were then extracted and used to train the CNN. The neural network achieves 74% classification accuracy, detecting 80% of the malicious files. In addition, support for detecting malware in PDF, Microsoft Office and Adobe Flash files is needed because of the increasing number of malware samples targeting these file formats; the open source tools PeePDF, Olevba and SWFDump were used to detect malware in PDF, Microsoft Office and Adobe Flash files respectively. Last but not least, testing for sandbox evasion techniques is necessary because of the increasing number of malware samples that can detect the presence of a sandbox. To prevent malware from detecting the sandbox environment, the sandbox is first checked with the open source tool Al-Khaser, a benign program that runs the commonly used anti-sandbox and anti-VM checks, before the malware is analysed in it. This ensures that the sandbox does not expose artefacts that malware using those common evasion techniques could detect.
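The static pipeline the abstract describes (run a static analysis tool over each executable, pull out the informative features, feed a fixed-length vector to a classifier) is easiest to see in code. The Python below is an added example written for this page; it is not the project's software and does not call pestudio. It parses the PE section table directly from the file bytes, computes per-section entropy and permission flags, emits the kind of indicators an analyst reads off a pestudio section report, and flattens them into a fixed-width vector of the sort a CNN or any other classifier is trained on. The two PE images are constructed in memory and are not real binaries; the 7.0 bits/byte "packed" threshold, the 4x virtual-size ratio, the 8-section vector width and the 96-section cap are assumptions noted in the comments, and training the network itself is out of scope.

```python
# Added example for this page, not the project's own code: parses the PE section
# table directly and derives the static features a malware classifier is trained on.
import hashlib
import math
import struct

# IMAGE_SECTION_HEADER.Characteristics bits from the PE/COFF specification.
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

COFF_HDR = struct.Struct("<HHIIIHH")         # IMAGE_FILE_HEADER, 20 bytes
SECTION_HDR = struct.Struct("<8sIIIIIIHHI")  # IMAGE_SECTION_HEADER, 40 bytes
STANDARD_NAMES = {".text", ".data", ".rdata", ".bss", ".idata", ".rsrc", ".reloc", ".tls"}
PACKED_ENTROPY = 7.0  # assumption: bits/byte above which a section looks packed or encrypted
MAX_SECTIONS = 8      # assumption: fixed feature-vector width for the classifier


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte: near 8.0 for compressed or encrypted data, low for code."""
    if not data:
        return 0.0
    counts = (data.count(bytes([v])) for v in range(256))
    return -sum(c / len(data) * math.log2(c / len(data)) for c in counts if c)


def parse_sections(pe: bytes) -> list:
    """Walk MZ -> e_lfanew -> 'PE\\0\\0' -> COFF header -> section table."""
    if len(pe) < 0x40 or pe[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if e_lfanew + 4 + COFF_HDR.size > len(pe) or pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: bad e_lfanew or PE signature")
    _machine, nsections, _, _, _, opt_size, _ = COFF_HDR.unpack_from(pe, e_lfanew + 4)
    if nsections > 96:  # the Windows loader rejects images with more than 96 sections
        raise ValueError(f"implausible section count {nsections}")
    table_off = e_lfanew + 4 + COFF_HDR.size + opt_size
    if table_off + nsections * SECTION_HDR.size > len(pe):
        raise ValueError("section table runs past end of file")
    sections = []
    for i in range(nsections):
        name, vsize, _va, rawsize, rawptr, _, _, _, _, flags = SECTION_HDR.unpack_from(
            pe, table_off + i * SECTION_HDR.size)
        raw = pe[rawptr:rawptr + rawsize]  # slicing tolerates a truncated raw section
        sections.append({
            "name": name.rstrip(b"\0").decode("latin-1"),
            "entropy": shannon_entropy(raw),
            "executable": bool(flags & IMAGE_SCN_MEM_EXECUTE),
            "writable": bool(flags & IMAGE_SCN_MEM_WRITE),
            # VirtualSize >> SizeOfRawData: the section is filled at run time (unpacking stub)
            "vsize_ratio": vsize / rawsize if rawsize else math.inf,
        })
    return sections


def suspicious_indicators(pe: bytes) -> list:
    """Readable indicators, the same facts an analyst reads off a pestudio section report."""
    out = []
    for s in parse_sections(pe):
        if s["entropy"] > PACKED_ENTROPY:
            out.append(f"{s['name']}: high entropy {s['entropy']:.2f} (likely packed or encrypted)")
        if s["executable"] and s["writable"]:
            out.append(f"{s['name']}: writable and executable")
        if s["name"] not in STANDARD_NAMES:
            out.append(f"{s['name']}: non-standard section name")
        if s["vsize_ratio"] > 4:  # assumption: more than 4x growth at load time is suspicious
            out.append(f"{s['name']}: virtual size far exceeds raw size")
    return out


def to_vector(pe: bytes) -> list:
    """Fixed-length numeric input (MAX_SECTIONS x 5, zero padded) for a CNN or any classifier."""
    vec = []
    for s in parse_sections(pe)[:MAX_SECTIONS]:
        vec += [s["entropy"] / 8.0, float(s["executable"]), float(s["writable"]),
                float(s["name"] not in STANDARD_NAMES), min(s["vsize_ratio"], 16.0) / 16.0]
    return vec + [0.0] * (MAX_SECTIONS * 5 - len(vec))


def build_sample_pe(sections) -> bytes:
    """Construct a minimal PE32 image in memory (constructed test input, not a real binary)."""
    opt_size = 0xE0  # PE32 optional header size
    rawptr = 0x40 + 4 + COFF_HDR.size + opt_size + SECTION_HDR.size * len(sections)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)  # e_lfanew right after the DOS header
    coff = COFF_HDR.pack(0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)  # i386, EXECUTABLE|32BIT
    opt = struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)  # PE32 magic, rest zeroed
    table, body, vaddr = b"", b"", 0x1000
    for name, data, flags, vsize in sections:
        table += SECTION_HDR.pack(name.encode().ljust(8, b"\0"), vsize, vaddr,
                                  len(data), rawptr, 0, 0, 0, 0, flags)
        body += data
        rawptr += len(data)
        vaddr += (max(vsize, 1) + 0xFFF) & ~0xFFF
    return dos + b"PE\0\0" + coff + opt + table + body


# Constructed samples: a plain-looking executable and a UPX-style packed one whose
# section body is deterministic high-entropy filler (128 x 32 bytes of SHA-256 output).
BENIGN_SAMPLE = build_sample_pe([
    (".text", b"\x55\x8b\xec" * 1000 + b"\xc3" * 200, IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ, 3200),
    (".data", b"\x00" * 512 + b"hello world\0", IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE, 1024),
])
PACKED_SAMPLE = build_sample_pe([
    ("UPX0", b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128)),
     IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE, 0x20000),
])
```

Running `suspicious_indicators(PACKED_SAMPLE)` reports the four classic packer tells on the UPX0 section (entropy near 8 bits/byte, writable and executable, a non-standard name, and a virtual size 32 times its raw size), while the benign image yields none; `to_vector` turns the same facts into forty floats that a classifier can consume. On real files the parser should be wrapped in a try/except, since malformed PE headers are themselves a common evasion against naive tooling and the rejections above are deliberately strict.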
author2 Lam Kwok Yan
author_facet Lam Kwok Yan
Kwong, Jordan Zheng Xi
format Final Year Project
author Kwong, Jordan Zheng Xi
author_sort Kwong, Jordan Zheng Xi
title Behaviour-based malware detector
title_short Behaviour-based malware detector
title_full Behaviour-based malware detector
title_fullStr Behaviour-based malware detector
title_full_unstemmed Behaviour-based malware detector
title_sort behaviour-based malware detector
publishDate 2018
url http://hdl.handle.net/10356/74011
_version_ 1759857033042984960