The evolving behavior of the attacks may affect the decision boundaries of the trained machine learning models. The issue has not been well investigated, especially with hypervisor-based security solutions where virtual machine (VM)’s network artifacts are introspected and analyzed. In this paper, we proposed a sustainable and explainable flow-filtering-based concept drift-driven network intrusion detection approach, called ‘SFC-NIDS’ which introspects network activities by analyzing VM traffic profile. The VM traffic is captured and pre-processed at the hypervisor to extract important network artifacts. The redundant and trivial network flows have been filtered using the proposed gradient descent-based flow filtering mechanism and validated using explainability. SFC-NIDS employs auto-encoders to reconstruct the traffic features to capture additional patterns. Afterward, the 1D-convolution neural network has been employed to learn and detect malicious attack flows. The model’s sustainability is ensured by integrating the drift detection mechanism with the decision model to retrain it with evolving attack patterns. The approach has been validated with virtual network traffic artifacts collected at the hypervisor and provides 98.9% accuracy, 99.03%, and F1-Score. In addition, the approach has also been validated using the KDD99 dataset, showcasing an accuracy of 99.97% and an F1-Score of 99.98%.

With the ever-increasing threat of malware attacks, building an effective malware classifier to detect malware promptly is of utmost importance. Malware visualization approaches and deep learning techniques have proven effective in classifying sophisticated malware from benchmark datasets. A major problem with traditional deep learning classifier is the need to re-train the classifier when a new malware family emerges. In this paper, we propose few-shot classification techniques which allows us to classify malware based on a few instances and without the need for re-training the classifier for novel malware families. We also propose a novel malware visualization technique that can represent a malware binary as a 3-channel image. We experiment with two distinct few-shot learning architectures namely CSNN (Convolutional Siamese Neural Network) and Shallow-FS (Shallow Few-Shot). CSNN is more suitable when scarce data is available for training, otherwise Shallow-FS can be used to achieve better performance. Our architectures outperforms state of the art few-shot learning approaches and achieves high accuracy in traditional malware classification. Our experiments show our models’ ability to classify recent and novel malware families from just a few instances with high accuracy.

Malware is often hidden in illegitimately cloned software. Android, with over two billions active devices, is one of the most affected platforms because code cloning is quite simple and there are several not controlled markets. Obfuscation is both a cause and a solution to this scenario: a cause because obfuscated malware is harder to detect, a solution because obfuscation of legitimate applications makes code cloning more difficult. A deeper understanding of the obfuscation techniques would lead to more effective and aware use. In the literature, there are few methods of obfuscation detection with limited accuracy. Manual reverse engineering is too time-consuming to achieve this purpose, we need faster and automated techniques. In this work, we propose several deep learning models that can detect and classify the presence of obfuscation in Android applications. In addition to classical ML methods, we leverage natural language processing or image recognition approaches, then with a hybrid model, we exploit the best of each approach. Tests over a large dataset, made using different obfuscation tools, showed improvements compared to previous obfuscation detection methods. We target four obfuscation classes: identifier renaming, string encryption, reflection and class encryption, achieving an average F-measure of 0.985.

A Content Distribution Network (CDN) is a new kind of network to distribute services and content spatially relative to end-users, providing high availability and high performance. The Origin server uses several replicas to reach this goal, but trust issues are present between them and between servers and clients. In this work, we present a proof-of-concept for secure static content delivery (e.g., documents, images) by using Blockchain, a technology with the capability to ensure reliability and trust without a central authority. To test our proposal’s feasibility, we developed a system prototype on the Ethereum private network. The test shows the system’s goodness and the ability to create a new content distribution model over the Internet.

Domain name detection techniques are widely used to detect Algorithmically Generated Domain names (AGD) applied by Botnets. A major difficulty with these algorithms is to detect those generated names which are meaningful. In this way, Command and Control (C2) servers are detected. Machine learning techniques have been of great use to generalize the attributes of the meaningful names, generated algorithmically. To resist such techniques, the distribution of characters is used as a basis to generate meaningful domain names. Such techniques are called adversarial attacks attempting to fool machine learning methods. However, our experiments with more than 252757 samples show that in addition to character distribution of domain names, randomness property and pronounceability attributes are of great use to detect such meaningful names. Using these additional attributes, we have been able to identify malicious domain names with an accuracy of 98.19%.

The widespread adoption of smartphones dramatically increases the risk of attacks and the spread of mobile malware, especially on the Android platform. Machine learning-based solutions have been already used as a tool to supersede signature-based anti-malware systems. However, malware authors leverage features from malicious and legitimate samples to estimate statistical difference in-order to create adversarial examples. Hence, to evaluate the vulnerability of machine learning algorithms in malware detection, we propose five different attack scenarios to perturb malicious applications (apps). By doing this, the classification algorithm inappropriately fits the discriminant function on the set of data points, eventually yielding a higher misclassification rate. Further, to distinguish the adversarial examples from benign samples, we propose two defense mechanisms to counter attacks. To validate our attacks and solutions, we test our model on three different benchmark datasets. We also test our methods using various classifier algorithms and compare them with the state-of-the-art data poisoning method using the Jacobian matrix. Promising results show that generated adversarial samples can evade detection with a very high probability. Additionally, evasive variants generated by our attack models when used to harden the developed anti-malware system improves the detection rate up to 50% when using the generative adversarial network (GAN) method.