
A Multilabel Fuzzy Relevance Clustering System for Malware Attack Attribution in the Edge Layer of Cyber-Physical Networks

Published: 12 March 2020

Abstract

The rapid growth in the number of malicious programs has made malware forensics a daunting task and has put users' systems at risk. Timely identification of malware characteristics, including its origin and the family a sample belongs to, significantly limits the potential damage. The risk is more profound in Cyber-Physical Systems (CPSs), where a malware attack may cause significant physical damage to the infrastructure. Because CPS devices have limited on-device memory and processing power, most efforts to protect CPS networks focus on the edge layer, where the majority of security mechanisms are deployed.
Since most advanced and sophisticated malware programs combine features from several families, such samples are not similar enough to any single existing family and easily evade binary classifiers. Therefore, in this article we propose a novel multilabel fuzzy clustering system for malware attack attribution. Our system is deployed at the edge layer to provide insight into the malware threats applicable to the CPS network. We rely on static analysis, using opcode frequencies as the feature space to classify malware families.
We observed that a multilabel classifier leaves a portion of the samples without any family label; we named this the instance coverage problem. To overcome it, we developed an ensemble-based multilabel fuzzy classification method that reports the relevance of a malware instance to each of the relevant families. This classifier identified samples from VirusShare, RansomwareTracker, and BIG2015 with an accuracy of 94.66%, 94.26%, and 97.56%, respectively.
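The feature extraction and fuzzy multilabel decision sketched in the abstract, as an added illustrative example (not the authors' implementation and not code from the paper): it turns disassembly listings into normalised opcode-frequency vectors, scores each sample's relevance to family centroids by cosine similarity, and applies a multilabel membership threshold, so that a hybrid sample borrowing code from two families receives both labels while a sample sharing no opcode with any family receives none, which is the instance coverage gap the abstract names. The family names, the listings, the cosine-based relevance and the threshold tau are assumptions constructed for this demo; the ensemble method the paper uses to close the gap is not reproduced here.

```python
"""Opcode-frequency features with fuzzy multilabel family relevance.

Illustrative example only: family names, listings, the cosine relevance
and the threshold are constructed for the demo, not taken from the paper.
"""
import math
from collections import Counter

# Constructed disassembly listings (mnemonic first, operands ignored), in the
# form a disassembler such as IDA or objdump prints. Sample data, not real malware.
FAMILY_LISTINGS = {
    "FamilyA": [
        "push ebp\npush ebx\nmov ebp, esp\nmov eax, [ebp+8]\ncall 0x401000\nret",
        "push ebp\nmov ebp, esp\nmov eax, ecx\ncall 0x401020\ncall 0x401040\nret",
    ],
    "FamilyB": [
        "xor eax, eax\nxor edx, [esi]\nshl edx, 3\nror eax, 7\nret",
        "xor eax, [edi]\nshl eax, 1\nshl edx, 2\nror eax, 5\nror edx, 9",
    ],
}


def opcode_histogram(listing: str) -> dict:
    """Normalised opcode-frequency vector of one disassembly listing."""
    mnemonics = [ln.split()[0].lower() for ln in listing.splitlines() if ln.strip()]
    counts = Counter(mnemonics)
    total = sum(counts.values())
    return {op: n / total for op, n in counts.items()}


def centroid(histograms: list) -> dict:
    """Mean frequency vector of a family's training samples."""
    acc = Counter()
    for h in histograms:
        acc.update(h)  # Counter.update on a mapping adds the values
    return {op: v / len(histograms) for op, v in acc.items()}


def cosine(a: dict, b: dict) -> float:
    dot = sum(a[op] * b.get(op, 0.0) for op in a)
    na = math.sqrt(sum(v * v for v in a.values()))
    nb = math.sqrt(sum(v * v for v in b.values()))
    return dot / (na * nb) if na and nb else 0.0


def fuzzy_relevance(histogram: dict, centroids: dict) -> dict:
    """Membership degree of one sample in every family.

    Degrees sum to 1, or are all 0 when the sample shares no opcode with
    any family (the case that produces an uncovered instance below).
    """
    sims = {fam: cosine(histogram, c) for fam, c in centroids.items()}
    total = sum(sims.values())
    if total == 0:
        return {fam: 0.0 for fam in sims}
    return {fam: s / total for fam, s in sims.items()}


def assign_labels(relevance: dict, tau: float = 0.3) -> set:
    """Multilabel decision: every family whose membership reaches tau.
    An empty set is an uncovered instance."""
    return {fam for fam, r in relevance.items() if r >= tau}


def instance_coverage(label_sets: list) -> float:
    """Fraction of samples that received at least one family label."""
    return sum(1 for s in label_sets if s) / len(label_sets)


def train(family_listings: dict) -> dict:
    return {fam: centroid([opcode_histogram(l) for l in ls])
            for fam, ls in family_listings.items()}


CENTROIDS = train(FAMILY_LISTINGS)

# Constructed queries: a hybrid that borrows from both families, a near-pure
# FamilyA sample, and one that shares no opcode with either family.
QUERIES = {
    "hybrid": "push ebp\nmov ebp, esp\ncall 0x401000\nxor eax, eax\nshl eax, 2\nror eax, 3",
    "pureA": "push ebp\nmov ebp, esp\ncall 0x401000\nret\npush eax",
    "unknown": "nop\nnop\nnop",
}


def classify(listing: str, tau: float = 0.3):
    """Return (membership degrees, assigned family set) for one listing."""
    rel = fuzzy_relevance(opcode_histogram(listing), CENTROIDS)
    return rel, assign_labels(rel, tau)


if __name__ == "__main__":
    labels = []
    for name, listing in QUERIES.items():
        rel, fams = classify(listing)
        labels.append(fams)
        print(name, {f: round(r, 3) for f, r in rel.items()}, sorted(fams) or "UNCOVERED")
    print("instance coverage:", round(instance_coverage(labels), 3))
```

With these constructed inputs the hybrid sample splits its membership roughly evenly between the two families and is labelled with both, the near-pure sample is labelled FamilyA only, and the `nop`-only sample gets an all-zero relevance vector and no label at all, so instance coverage over the three queries is 2/3. A real deployment would have to decide what to do with that uncovered remainder rather than silently dropping it, which is the gap the abstract's ensemble approach addresses.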



        Published In

        ACM Transactions on Cyber-Physical Systems, Volume 4, Issue 3
        Special Issue on User-Centric Security and Safety for CPS
        July 2020, 279 pages
        ISSN: 2378-962X
        EISSN: 2378-9638
        DOI: 10.1145/3388234
        Editor: Tei-Wei Kuo

        Publisher

        Association for Computing Machinery, New York, NY, United States

        Publication History

        Published: 12 March 2020
        Accepted: 01 July 2019
        Revised: 01 March 2019
        Received: 01 December 2018
        Published in TCPS Volume 4, Issue 3

        Author Tags

        1. CPS
        2. Edge layer
        3. Internet of Things
        4. IoT
        5. cyber-physical systems
        6. fuzzy classification
        7. instance coverage
        8. malware classification

        Qualifiers

        • Research-article
        • Research
        • Refereed

        Cited By

        • (2024) Advancing IoT Cybersecurity: Adaptive Threat Identification with Deep Learning in Cyber-Physical Systems. Engineering, Technology & Applied Science Research 14:2, 13559-13566. DOI: 10.48084/etasr.6969. Online publication date: 2-Apr-2024.
        • (2024) Identifying Authorship in Malicious Binaries: Features, Challenges & Datasets. ACM Computing Surveys 56:8, 1-36. DOI: 10.1145/3653973. Online publication date: 26-Mar-2024.
        • (2024) Design of nonsingular second-order terminal sliding mode controller for cyber-physical systems with time-delays and cyber-attack on actuators. International Journal of Systems Science 55:5, 876-893. DOI: 10.1080/00207721.2023.2300717. Online publication date: 18-Jan-2024.
        • (2023) A Survey on Industrial Internet of Things Security: Requirements, Attacks, AI-Based Solutions, and Edge Computing Opportunities. Sensors 23:17, 7470. DOI: 10.3390/s23177470. Online publication date: 28-Aug-2023.
        • (2023) A New Framework for Visual Classification of Multi-Channel Malware Based on Transfer Learning. Applied Sciences 13:4, 2484. DOI: 10.3390/app13042484. Online publication date: 15-Feb-2023.
        • (2023) Edge-Based IIoT Malware Detection for Mobile Devices With Offloading. IEEE Transactions on Industrial Informatics 19:7, 8093-8103. DOI: 10.1109/TII.2022.3216818. Online publication date: Jul-2023.
        • (2023) Sober. Journal of Information Security and Applications 74:C. DOI: 10.1016/j.jisa.2023.103451. Online publication date: 1-May-2023.
        • (2023) A comprehensive survey on IoT attacks: Taxonomy, detection mechanisms and challenges. Journal of Information and Intelligence. DOI: 10.1016/j.jiixd.2023.12.001. Online publication date: Dec-2023.
        • (2023) Optimal feature selection for malware detection in cyber physical systems using graph convolutional network. Computers and Electrical Engineering 108:C. DOI: 10.1016/j.compeleceng.2023.108689. Online publication date: 1-May-2023.
        • (2023) Adaptive non-singular second-order terminal sliding mode control for cyber-physical systems subject to actuator cyber-attacks and unwanted disturbances. International Journal of Adaptive Control and Signal Processing 37:11, 2963-2982. DOI: 10.1002/acs.3668. Online publication date: 15-Aug-2023.