A Backdoor Detection Method for Intelligent Terminal in Modern Power System
XIE Xuanxuan, LI Jun’e, LI Fuyang, XU Yifan, LIU Linbin, CHEN Jinshan
Electric Power Construction ›› 2024, Vol. 45 ›› Issue (1) : 45-55.
In the modern power system, the large-scale access of distributed energy enlarges the system's exposed attack surface and makes backdoors in intelligent terminals easy for attackers to exploit. This paper therefore proposes a backdoor detection method for intelligent terminals in the modern power system. First, the abnormal behaviors of backdoors and their code characteristics are analyzed and summarized, and a static backdoor detection method for intelligent terminals is proposed from two aspects: character strings and function call sequences. Second, exploiting the fact that the functional behavior of an intelligent terminal is fixed, a dynamic detection method based on the system's running state is proposed from three aspects: file state, network state and hidden behavior. Dynamically detecting the malicious behavior of backdoors further improves detection accuracy. Experimental results show that the proposed method can effectively discover backdoor code and behavior in power intelligent terminals, with a detection accuracy of 98.5% and a false positive rate of 0.8%.
Keywords: modern power system / intelligent terminal / backdoor detection / code characteristic / running state
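The two-stage scheme the abstract describes (static checks on strings and function call sequences, then dynamic checks on file state, network state and hidden behavior against the terminal's fixed baseline) can be sketched as a small detector. This is an added illustration, not the paper's code or data: the rule sets, the function names (`static_scan`, `dynamic_scan`, `verdict`) and every sample input (strings, call sequences, baseline and snapshot) are constructed assumptions standing in for what a disassembler, a strings tool and a host agent on the terminal would produce.

```python
"""Toy two-stage backdoor detector for a Linux-based power intelligent terminal.

Added illustration, not the paper's code. Stage 1 (static) inspects strings and
function call sequences extracted from a binary; stage 2 (dynamic) compares a
running-state snapshot against the terminal's fixed baseline. Rule sets and all
sample data below are constructed assumptions.
"""
import re

# Static rules: a call pattern matches when its steps appear in this order
# (not necessarily adjacent) in the call sequence extracted from one function.
CALL_PATTERNS = {
    "bind_shell": ["socket", "bind", "listen", "accept", "dup2", "execve"],
    "reverse_shell": ["socket", "connect", "dup2", "execve"],
}
# Strings a fixed-function terminal firmware has no legitimate reason to carry.
STRING_PATTERNS = {
    "hardcoded_credential": re.compile(r"(?i)\bpass(w(or)?d)?\s*[:=]\s*\S+"),
    "shell_path": re.compile(r"^/bin/(ba|da)?sh$"),
}


def is_subsequence(pattern, seq):
    """True if every step of pattern occurs in seq, in order."""
    it = iter(seq)
    return all(any(call == step for call in it) for step in pattern)


def static_scan(strings, call_sequence):
    """Stage 1: return (aspect, rule) findings from strings and call order."""
    findings = []
    for rule, pattern in CALL_PATTERNS.items():
        if is_subsequence(pattern, call_sequence):
            findings.append(("call_sequence", rule))
    for s in strings:
        for rule, rx in STRING_PATTERNS.items():
            if rx.search(s):
                findings.append(("string", rule))
    return findings


def dynamic_scan(baseline, snapshot):
    """Stage 2: diff a running-state snapshot against the terminal's baseline.

    Because the terminal's function set is fixed, anything outside the
    baseline (new or changed files, extra listeners, processes visible in
    /proc but missing from ps output) is reported as a finding.
    """
    findings = []
    for path, digest in snapshot["files"].items():
        if path not in baseline["files"]:
            findings.append(("file_state", f"unexpected file {path}"))
        elif baseline["files"][path] != digest:
            findings.append(("file_state", f"modified file {path}"))
    for port in sorted(snapshot["listening_ports"] - baseline["listening_ports"]):
        findings.append(("network_state", f"unexpected listener on port {port}"))
    for pid in sorted(set(snapshot["proc_pids"]) - set(snapshot["ps_pids"])):
        findings.append(("hidden_behavior", f"pid {pid} present in /proc but hidden from ps"))
    return findings


def verdict(static_findings, dynamic_findings):
    """Combine both stages: static code evidence backed by runtime behavior
    is reported as a confirmed backdoor; either stage alone as suspicious."""
    if static_findings and dynamic_findings:
        return "backdoor (confirmed by running state)"
    if static_findings or dynamic_findings:
        return "suspicious"
    return "clean"


# Constructed sample input (hypothetical values, not from the paper).
SAMPLE_STRINGS = ["modbus/tcp", "/etc/terminal.conf", "passwd=admin123", "/bin/sh"]
SAMPLE_CALLS = ["socket", "setsockopt", "bind", "listen", "accept",
                "fork", "dup2", "dup2", "dup2", "execve"]
BENIGN_CALLS = ["socket", "bind", "listen", "accept", "read", "write", "close"]
BASELINE = {
    "files": {"/usr/bin/terminald": "sha256:aaaa", "/etc/terminal.conf": "sha256:bbbb"},
    "listening_ports": {502, 22},
}
SNAPSHOT = {
    "files": {"/usr/bin/terminald": "sha256:aaaa",
              "/etc/terminal.conf": "sha256:cccc",
              "/tmp/.cache": "sha256:dddd"},
    "listening_ports": {502, 22, 2222},
    "proc_pids": [1, 120, 377, 901],
    "ps_pids": [1, 120, 377],
}

if __name__ == "__main__":
    s = static_scan(SAMPLE_STRINGS, SAMPLE_CALLS)
    d = dynamic_scan(BASELINE, SNAPSHOT)
    for aspect, detail in s + d:
        print(f"{aspect}: {detail}")
    print(verdict(s, d))
```

The static stage matches the ordered subsequence rather than an exact adjacent sequence, so benign calls interleaved by a backdoor author (here `setsockopt` and `fork`) do not defeat the rule, while a normal accept/read/write server loop never matches. The dynamic stage relies on the abstract's observation that a terminal's functional behavior is fixed: a baseline captured from a known-good image is the whitelist, and the hidden-process check is the classic /proc-versus-ps cross-view comparison.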