A multiview learning method for malware threat hunting: windows, IoT and android as case studies

Journal: World Wide Web

Abstract

Malware remains a threat to our cyberspace and increasingly digitalized society. Current malware hunting techniques employ a variety of features, such as OpCodes, ByteCodes, and API calls, to distinguish malware from goodware. However, existing malware hunting approaches generally focus on a single view, such as dynamic information or opcodes only. While single-view malware hunting systems may provide a lean and optimized basis for detecting a specific type of malware, their performance can be significantly limited when dealing with other types of malware, which makes it trivial for an advanced attacker to develop malware that simply obfuscates the features monitored by a single-view detection system. To address these limitations, we propose a multi-view learning method that uses multiple views, including OpCodes, ByteCodes, header information, permissions, attacker’s intent and API calls, to hunt malicious programs. Our system automatically assigns weights to the different views to optimize detection in different environments. Using experiments conducted on Windows, Android and Internet of Things (IoT) platforms, we demonstrate that our method offers high accuracy with a low false positive rate on these case-study platforms. We also investigate the robustness of detection against weak views (features with low discriminative power). At the time of this research, the proposed method is the first malware threat hunting method that can be applied to different platforms, and it is considerably more difficult for attackers to evade detection, since they must obfuscate multiple different views.
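The abstract describes two ideas without giving the mechanics: a separate classifier per view (opcodes, header fields, permissions, and so on) whose votes are fused, and per-view weights that keep a weak view from dragging the decision down. The following toy is an added illustration of that late-fusion scheme and is not the paper's code; the paper's actual weighting algorithm is not on this page, so the choice here (a nearest-centroid classifier per view, weighted by the log-odds of its Laplace-smoothed validation accuracy, with at-or-below-chance views zeroed out) is an assumption, and all feature vectors are constructed, not extracted from real binaries.

```python
"""Toy multi-view late fusion for malware classification (illustration only).

Each sample carries several views: a constructed opcode-frequency vector, a
constructed header-feature vector, and a deliberately uninformative "weak"
view. A nearest-centroid classifier is trained per view, each view is
weighted by its accuracy on a held-out validation split, and the weighted
votes are fused. The weighting rule is an assumption, not the paper's.
"""
from math import log, sqrt

VIEWS = ("opcode", "header", "weak")

# Constructed training samples: (label, {view: feature vector}).
TRAIN = [
    ("malware",  {"opcode": (0.9, 0.1), "header": (0.8, 0.3), "weak": (0.6, 0.4)}),
    ("malware",  {"opcode": (0.8, 0.2), "header": (0.7, 0.2), "weak": (0.4, 0.6)}),
    ("goodware", {"opcode": (0.1, 0.9), "header": (0.3, 0.8), "weak": (0.5, 0.5)}),
    ("goodware", {"opcode": (0.2, 0.8), "header": (0.2, 0.7), "weak": (0.5, 0.7)}),
]

# Constructed validation samples, used only to estimate per-view weights.
VALIDATION = [
    ("malware",  {"opcode": (0.7, 0.3), "header": (0.6, 0.4), "weak": (0.5, 0.9)}),
    ("malware",  {"opcode": (0.8, 0.1), "header": (0.4, 0.5), "weak": (0.5, 0.7)}),
    ("goodware", {"opcode": (0.2, 0.7), "header": (0.1, 0.9), "weak": (0.5, 0.3)}),
    ("goodware", {"opcode": (0.3, 0.9), "header": (0.2, 0.8), "weak": (0.5, 0.58)}),
]

# Constructed test sample: the weak view and the header view both mislead.
TEST_MALWARE = {"opcode": (0.9, 0.2), "header": (0.3, 0.7), "weak": (0.5, 0.8)}


def euclid(a, b):
    return sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def train_centroids(samples):
    """Return {view: {label: centroid}} from labelled multi-view samples."""
    sums = {v: {} for v in VIEWS}
    counts = {v: {} for v in VIEWS}
    for label, views in samples:
        for v in VIEWS:
            vec = views[v]
            total = sums[v].setdefault(label, [0.0] * len(vec))
            for i, x in enumerate(vec):
                total[i] += x
            counts[v][label] = counts[v].get(label, 0) + 1
    return {v: {lab: tuple(x / counts[v][lab] for x in s)
                for lab, s in sums[v].items()} for v in VIEWS}


def predict_view(centroids, view, vec):
    """Nearest-centroid prediction using one view only."""
    return min(centroids[view], key=lambda lab: euclid(vec, centroids[view][lab]))


def view_weights(centroids, validation):
    """Weight = log-odds of Laplace-smoothed validation accuracy per view.

    Views that are no better than chance on the validation split get 0, so a
    weak view cannot outvote informative ones. (Assumed rule, not the paper's.)
    """
    weights = {}
    n = len(validation)
    for v in VIEWS:
        correct = sum(predict_view(centroids, v, views[v]) == label
                      for label, views in validation)
        acc = (correct + 1) / (n + 2)
        weights[v] = max(0.0, log(acc / (1 - acc)))
    return weights


def fuse(centroids, weights, views):
    """Weighted vote across views; returns (fused label, per-view votes)."""
    votes = {v: predict_view(centroids, v, views[v]) for v in VIEWS}
    score = {}
    for v, lab in votes.items():
        score[lab] = score.get(lab, 0.0) + weights[v]
    return max(score, key=score.get), votes


def majority(votes):
    """Unweighted majority vote, for comparison with the weighted fusion."""
    labs = list(votes.values())
    return max(set(labs), key=labs.count)


if __name__ == "__main__":
    c = train_centroids(TRAIN)
    w = view_weights(c, VALIDATION)
    fused, votes = fuse(c, w, TEST_MALWARE)
    print("view weights:", {v: round(x, 3) for v, x in w.items()})
    print("per-view votes:", votes)
    print("weighted fusion:", fused, "| plain majority:", majority(votes))
```

On the constructed data the opcode view is perfect on validation, the header view errs once and the weak view is below chance, so the weak view's weight collapses to zero. For the test sample, where the header and weak views both vote goodware, plain majority voting labels the malware as goodware while the weighted fusion still returns malware; this is the "robustness against weak views" the abstract refers to, reduced to its simplest form.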

Notes

  1. publicly available at https://www.sec.cs.tu-bs.de/~danarp/drebin/download.html

  2. https://github.com/erocarrera/pefile

Author information

Correspondence to Sattar Hashemi.

This article belongs to the Topical Collection: Special Issue on Smart Computing and Cyber Technology for Cyberization

Guest Editors: Xiaokang Zhou, Flavia C. Delicato, Kevin Wang, and Runhe Huang

Cite this article

Darabian, H., Dehghantanha, A., Hashemi, S. et al. A multiview learning method for malware threat hunting: windows, IoT and android as case studies. World Wide Web 23, 1241–1260 (2020). https://doi.org/10.1007/s11280-019-00755-0
