Malware Evolution and Detection Based on the Variable Precision Rough Set Model
Manel Jerbi, Zaineb Chelly Dagdia, Slim Bechikh, Lamjed Ben Said
DOI: http://dx.doi.org/10.15439/2022F266
Citation: Proceedings of the 17th Conference on Computer Science and Intelligence Systems, M. Ganzha, L. Maciaszek, M. Paprzycki, D. Ślęzak (eds). ACSIS, Vol. 30, pages 253–262 (2022)
Abstract. Approaches that handle imperfect data and knowledge are becoming attractive as a basis for new techniques that keep pace with malware evolution. Malware writers tend to target specific features within an app's code to camouflage the malicious content, and those features may carry conflicting information about the true nature of the app (malicious or benign). In this paper, we show how the Variable Precision Rough Set (VPRS) model can be combined with optimization techniques, in particular Bilevel Optimization Problems (BLOPs), to build a detection model capable of following the arms race of malware evolution among malware developers. We propose a new malware detection technique based on this hybridization, named Variable Precision Rough set Malware Detection (ProRSDet), which produces robust detection rules capable of revealing the new nature of a given app. ProRSDet attains encouraging results when compared against various state-of-the-art malware detection systems using common evaluation metrics.
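The conflicting evidence the abstract describes (apps that share the same targeted features yet carry different labels) is exactly what the VPRS model is built to tolerate. The Python below is an added illustration, not code from the paper or from ProRSDet: it builds Ziarko's β-lower and β-upper approximations over a small constructed app table and extracts the rules that survive. The feature names, app identifiers and labels are made up; the β convention used (β is the admissible classification error, 0 ≤ β < 0.5, and a class enters the lower approximation when |E ∩ X| / |E| ≥ 1 − β) is one of the two conventions found in the VPRS literature; the bilevel search that ProRSDet wraps around rule extraction is not reproduced.

```python
"""VPRS approximations over a constructed Android-app feature table.
Added illustration of the Variable Precision Rough Set model; not ProRSDet code."""
from collections import defaultdict
from fractions import Fraction

# Hypothetical condition attributes (binary: 1 = feature present in the app).
FEATURES = ("SEND_SMS", "READ_CONTACTS", "DYNAMIC_LOADING")

# Constructed sample, not taken from any real dataset. app01..app04 share one
# feature vector but app04 is labelled benign (3:1 conflict); app07 and app08
# share a vector and split 1:1 (genuine ambiguity).
SAMPLE_APPS = [
    ("app01", (1, 1, 1), "malicious"),
    ("app02", (1, 1, 1), "malicious"),
    ("app03", (1, 1, 1), "malicious"),
    ("app04", (1, 1, 1), "benign"),
    ("app05", (0, 0, 0), "benign"),
    ("app06", (0, 0, 0), "benign"),
    ("app07", (0, 1, 0), "benign"),
    ("app08", (0, 1, 0), "malicious"),
    ("app09", (1, 0, 1), "malicious"),
    ("app10", (1, 0, 0), "benign"),
]


def indiscernibility_classes(rows):
    """Partition apps into equivalence classes of the indiscernibility relation:
    two apps are indiscernible when every condition attribute value agrees."""
    classes = defaultdict(set)
    for app_id, feats, _label in rows:
        classes[feats].add(app_id)
    return dict(classes)


def inclusion_degree(members, target):
    """|E ∩ X| / |E|: the fraction of an equivalence class E inside target set X."""
    return Fraction(len(members & target), len(members))


def _target_set(rows, decision):
    return {app_id for app_id, _feats, label in rows if label == decision}


def vprs_approximations(rows, decision, beta):
    """Ziarko's VPRS with admissible classification error beta, 0 <= beta < 0.5.
    A class E is in the beta-lower approximation of X when its inclusion degree
    is at least 1 - beta, and in the beta-upper approximation when the degree
    exceeds beta. beta = 0 recovers the classical rough-set approximations.
    Returns (lower, upper, boundary) as sets of app identifiers."""
    beta = Fraction(beta)
    if not 0 <= beta < Fraction(1, 2):
        raise ValueError("beta must satisfy 0 <= beta < 0.5")
    target = _target_set(rows, decision)
    lower, upper = set(), set()
    for members in indiscernibility_classes(rows).values():
        degree = inclusion_degree(members, target)
        if degree >= 1 - beta:
            lower |= members
        if degree > beta:
            upper |= members
    return lower, upper, upper - lower


def detection_rules(rows, decision, beta):
    """One rule per class in the beta-lower approximation of `decision`:
    feature vector -> confidence (its inclusion degree). Classes left in the
    boundary region yield no rule, which is the VPRS way of saying 'undecided'."""
    beta = Fraction(beta)
    target = _target_set(rows, decision)
    return {
        feats: inclusion_degree(members, target)
        for feats, members in indiscernibility_classes(rows).items()
        if inclusion_degree(members, target) >= 1 - beta
    }


def apply_rules(rules, feats):
    """Return the firing rule's confidence, or None when no rule matches."""
    return rules.get(tuple(feats))


if __name__ == "__main__":
    for beta in (0, 0.25):
        lower, _upper, boundary = vprs_approximations(SAMPLE_APPS, "malicious", beta)
        print(f"beta={beta}: lower={sorted(lower)} boundary={sorted(boundary)}")
        for feats, conf in sorted(detection_rules(SAMPLE_APPS, "malicious", beta).items()):
            cond = " AND ".join(f"{name}={val}" for name, val in zip(FEATURES, feats))
            print(f"  IF {cond} THEN malicious  (confidence {conf})")
```

With β = 0 (classical rough sets) the single benign label of app04 pushes all of app01..app04 into the boundary region, so no rule covers that feature vector. With β = 0.25 the same class is admitted to the lower approximation as malicious with confidence 3/4, while the 1:1 split of app07/app08 stays in the boundary under both settings; this is the trade-off the precision parameter controls, and the reason it has to be tuned rather than fixed. The same functions run with `decision="benign"` give the complementary picture.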