1
Prepublication Copy Malware Code Detection Technique for Generic Computer System Sanjay Chakraborty Institute of Engineering & Management, India
[email protected]
Lopamudra Dey Heritage Institute of Technology, India
[email protected]
Abstract: Security is one of the major concerns in generic computing which is used in our day to day life to deal with various aspects like education, banking, communication, entertainment etc. Security is obtained to prevent threats that usually affect the end users of other areas as well (like grid computing, cloud computing etc.). Malicious code deployment is the main cause of threat. This paper mainly proposes a novel malicious code detection technique (proposed malware detection system (PMDS)) which provides security in the traditional computing system. PMDS prevents the malicious code running in one machine (infected) to spread into another non-infected machine. The main aim of this paper is to detect the malicious code by the help of proposed technique and warn the other non-infected guest machines about it. A prototype of PMDS is designed and implemented in this paper. It creates less overhead as well as occupies less storage space compare to other well-known anti-viruses. It is also less expensive to implement compare to others. In this paper, PMDS technique follows a rule based probabilistic approach to detect the malicious code among several codes. At last a comparison analysis of this proposed approach is given with other traditional malware detection approaches. Keywords: Comprehensibility, Complexity, Malware, Memory utilization, probabilistic, Processing overhead, Security.
I. INTRODUCTION Now a day, many computer systems are vulnerable to attacks and get infected with malwares due to the wide use of internet. „Cloud computing with IoT‟ is responsible for today‟s high speed shared internet. It renders the internet as a large repository where resources are virtualized and used to provide services to the users. It brings revolution in the field of internet. Scientific and engineering applications, data mining, computational financing, gaming and social networking, as well as many other computational and dataintensive activities [9][28]. However, internet users not only achieve the benefits of these services but also used to face several challenges in terms of security. Traditional system architecture is totally based on a hosted machine (HM) running on host OS and multiple machines (VM) instances running on guest OS. So the common security challenge faced by the users is the deployment of malicious code in one machine which affects other noninfected machines. A malware is a malicious code which violates the security policy of a computer system with respect to confidentiality, integrity and availability of data [26][30]. Malware can be classified in different forms, such as virus, Trojan horse, spyware, rootkits, botnet, adware, scareware, trapdoor etc.
Guest M1
Guest M2
……….
Guest Mn
Hosted Machine OS Platform Hardware
Fig.1. Traditional System Architecture
The classification of malware is a difficult process. Malwares comes in various forms and categories. There are some common types of malwares available, such as, Virus: It is a special computer program which can propagate by injecting itself with other programs. But it needs human intervention to infect other files and propagate itself. Worms: It is self-replicating program which can spread from one machine to another through a network without human intervention. (Example, Morris Worm). Trojan horse: It is a imposter program which appears as a legitimate program and hijacks user password to gain control of system remotely. Spyware: It is installed in the user‟s system when a free or trial version of software is downloaded. It silently collect the confidential and personal information of the user and sends that information back to the attacker so the attacker can use the stolen information in some disreputable way. Adware: It is a advertising supported software that automatically plays, displays, or downloads advertisements to a computer after malicious software is installed or application is used. Rootkits: This software program is usually running under UNIX operation system. It actually occupies the control of infected machine by gaining administrator access of the system. Botnet: It is a remotely controlled zombie program which performs some unethical activites. Scareware: It is malware masquerading software which is installed when the user downloading any free pirated security software through the internet. After installation, it will collect all confidential and personal information of the user (passwords, financial codes etc.) and reveals infront of other cyber criminals.
2 Malware detection system is such a system which is used to determine whether the current program has malicious intent or not [27]. A basic malware detector system architecture is shown below,
Malicious Codes (Virus, worms)
Malware Detector
Signature Based
Behaviour Based
Detected Malware or Benign
Fig.2. Malware Detector System
This paper mainly examines and detects those vulnerable codes by using a new probabilistic approach and informs the other non-infected hosted machines in terms of warning. This paper also analyses different architectures and models and also develops an architecture framework, named “Proposed malware detection system (PMDS)” which provides malware detection service in fully transparent mode. It actually proposes this PMDS as a prototype and tries to implement and deploy on a traditional computing system .Clearly, there is a very urgent need to find, not just a suitable method to detect infected files, but too build a smart methodology that can detect new viruses by studying the structure of the program made by malware. This paper is organized as following. Some prior works on security through malware detection are analyzed and discussed in section II. Section III describes the proposed probabilistic approach with malware detection technique. Section IV discusses the detailed of result analysis on a WINDOWS computing platform (Sandbox). Section V gives a detail comparison of the PMDS approach with other well-known approaches. Finally, section VI gives the conclusion of this paper. II. RELATED WORK Security plays a very important role not only in traditional computing but also in cloud. Now a day, most of the online activities are done through the cloud architecture. Several works have been done to handle all the security issues on these above architectures. One paper has given a brief descriptions about different security challenges and solutions in cloud computing. This paper mainly discussed about policy, software and hardware security[13][14]. A short paper has discussed a highly scalable security solution for guest VMs. In this work, they have described how they securely bridged the semantic gap into the operating system semantics. The presented solution enables novel security services for fast changing cloud environments where customers run a variety of guest operating systems, which need to be monitored closely and quarantined promptly in case of compromise [2] .The basic
idea regarding next generation cloud architecture can be obtained from a paper [11]. There are several techniques by which a malware code can be detected. Those various techniques have been discussed by some papers [10][7]. The aim of this paper has been influenced by a secure virtualization technique known as advanced cloud protection system (ACPS) which provides fully transparent security to cloud resources applicable on Eucalyptus and Open-ECP architectures[4].A novel malware detection technique is also introduced as a standard to detect malicious codes deployment [1] [7]. So a fast changing internet faces different challenges in the form of malwares, viruses etc. and various techniques has been introduced to detect and prevent those challenges.All these new relevant features, as well as extensive experiments on both security and performance, make the present proposal a novel contribution [8]. Some solutions are given to prevent malware injection attack through storing OS type of the customer virtually. As cloud OS is platform independent, before launching the infected instances or services on the actual OS of customer‟s VM, it should be cross checking on this virtual OS type [17].However, when a customer uses a cloud system, the image of customer‟s VM is integrated with the hardware level of the system, because it is very difficult for an attacker to intrude in the IaaS level. A file allocation table (FAT) with the Hypervisor is utilized to check over the previous instances that had been already executed from the customers machine can be put to determine the validity and integrity of the new instance [17]. An approach based on a dedicated cloud resilience manager (CRM) which is installed in host VM. This CRM software component consists of a Network Analysis Engine (NAE), and a System Analysis Engine (SAE) for detecting infected packets and a System Resilience Engine (SRE) and Coordination and Organisation Engine (COE) for destroying an infected VM or blocking information destined to a vulnerable VM. This system is specially built for preventing Kelihos injection. This approach is also useful for gathering and analysing data at the network level through the use of network monitors [18]. One approach has been recently introduced where feature based malware detection can be done using one class support vector machine (SVM) formulation at the hypervisor level. These features are gathered at the system and network levels of the cloud node. This security system is built by considering not only system-level data, but also network-level data depending on the attack type with no prior-knowledge. This approach is flexible and useful for real-time data where the behaviour or features of the data are continuously changing [19]. Paper [30] gives a detailed survey of the existing detection and analysis methodologies used for obfuscated malicious code. This paper also introduces a new „static bi-features based classification approach‟ which is used for malware detection and analysis purpose. A survey paper presents some existing technologies used by security researchers to tackle various types of threats. It explains static, dynamic and hybrid malware analysis techniques, their comparative study, existing traditional malware detection techniques and their advantagesdisadvantages [28].
3 A new innovative next generation technique for malware detection is introduced in the paper [27] which is characterized by the intense use of polymorphic and metamorphic techniques aimed at circumventing the current malware detectors, based on pattern matching. This technique proposed a pragmatical approach that is able to cope quite well with this treat which is based on (i) the defection of the mutation process which is reverted through code normalization and the problem of detecting malware inside an executable is reduced to the subgraph isomorphism problem: a well known NP-complete problem that nevertheless can be efficiently computed when sparse graphs are concerned and (ii) the analysis of a program in order to verify the presence of the searched malicious code [27]. A new methodology based on sandbox evasion technique is introduced to detect and control various malware activities. This paper will examine the general Sandbox structure, with a major focus on a novel behavior based malware detection method leveraging Sandbox-evasion behaviors as an avenue to detecting, mitigating or totally evading the malware [26]. Sometimes, malware detection developer faces a common problem of new coming malwares with new signatures. It is a difficult task to identify malwares with those new signatures. That‟s why, malware detectors develop a new technique of detecting such malwares using semantic feature extraction technique or pattern matching. Some process of technique based on rule mining and some other are based self propagated feature extraction technique [29]. III. PROPOSED APPROACH Malware detection techniques are used to detect malwares and prevent the computing system from being infected, malfunctioned and also protects it from confidential information loss. There are three types of malware detection techniques, i. Signature Based Detection: In this technique, a predefined database of signatures is used and detects the malwares by comparing the patterns against that database. The DNA patterns of the binary files of malwares are disassembled and features are extracted to construct the signature of particular malware family. DNA sequencing is the process of determining the precise order of nucleotides within a DNA molecule to identify regions of local or global similarity, or interactions with specific enzymes. ii. Symbolic Detection Process: In Symbolic detection process we cluster the files according to their file formats and use symbol to detect malware containing file. The database table which contain all the symbols of conventional malware signatures symbols is use to determine that the file is infected or not. iii. Behavioral Detection Process: One of the best ways to identify malware accurately is to analyze behavior of the file. And to do that without affecting the computer is to use sandbox. There are many Offline and Online sandboxes are available to check that behavior of the file and some of them are free like „Anubis‟. In Behavioral detection process, we observe the behavior of the file when it execute. And determine whether it is a malicious program or not using Anubis sandbox. The behavior detector which basically consists of following components [28] (Fig. 3), A. Data collection: This component collects the dynamic and static raw information.
B. Interpretation: Raw information from data collection module is transformed into intermediate information. C. Matching Algorithm: It is used to compare the intermediate information with the behavior signature stored in the predefined database. Data Collection
Interpretation
Intermediate Information Matching
Behaviour Database
Prediction Fig3. Behavioral Detection Process
The entire approach of this paper is basically probabilistic approach which based on three parameters, such as, Memory utilization (MU), Processing overhead (PO) and Comprehensibility [7]. These are the main factors which are used to detect the vulnerability of a malicious code. These factors are also called malware signatures. These parameters are related with the behaviour of a code during its execution. They use to maintain some threshold values to distinguish between normal and abnormal code execution. A. Memory utilization (MU): Memory utilization is one of the important factors by which the performance of an executing code can be measured. Memory utilization means how much memory it is using when a request process is successfully executing. The complex code needs more memory compare to a simple code. It is also being represented in terms of space complexity. It is a common fact that unnecessary memory utilization is not desirable in any computing services. This total approach is very similar based with the human analysis factors for malware code detection. Memory utilization factor is evaluated here based on the usage of kernel and physical memory (service based resources) of the main server (on which OS running) and represents the difference of the occupied space (in percentage) between normal and malicious code. The proposed PMDS plays the role to measure the memory utilization of those end user service requests to make a primary guess of a malicious code (by the help of some threshold value checking) [10] [15]. B. Processing Overhead (PO): In computer science, overhead is any combination of excess or indirect computation time, memory, bandwidth, or other resources that are required to attain a particular goal. In this part this factor mainly deals with the processor overhead of the main server system. Processor overhead measures the amount of work a computer's central processing unit can
4 perform and the percentage of that capacity that's used by individual computing tasks. Some of these tasks involve supporting the functions of the computer's operating system. These include communication with internal components, such as hard drives and graphics processing units, with connective functionality such as networking support, and with external components like your computer's monitor. A malicious code or a software bug can draw too many CPU clock cycles and overtax your system unexpectedly [6].The PMDS plays the role to measure the processor overhead of those end user service requests to make a primary guess of a malicious code (by the help of some threshold value checking). C. Comprehensibility (C): Comprehensibility in malware detection is how easy to read and understand the instructions within the executing code. This means it points to the complexity of the code from reading and understanding. Comprehensibility is measured here by using the popular concept of Complexity Profile Graph (CPG).Complexity Profile Graph is a graphical representation to measure statement level complexity in a code. The CPG divides the entire source code into some measurable units which is called CPG segments.CPG segments consist of simple statements(e.g., assignment, procedure call) and clauses (e.g., declarations) in the underlying source language [1] [12].Based on the detailed analysis of statement level complexity of a source program, it can be divided into two types of statements. They are listed in Table I. CPG is based on a profile metric which is actually represented different granular level complexity. The profile metric can be measured as, F = {μx | X is a measurable unit} Here X is a different CPG segments and F calculates a specific aspect of X‟s complexity. Again the profile complexity is further divided into two basic complexities, TABLE I STATEMENT-LEVEL CLASSIFICATION Simple statement assignment statement
delay statement exit statement goto statement
null statement procedure call return statement declarations
Compound Statement IF condition THEN ELSIF condition THEN ELSE END IF; CASE expression, END CASE; Loop statements; Block statement: [Name][DECLARE] BEGIN END [Name]; Record declaration; Generic Procedure Generic Function
Profile complexity
Content complexity
Context complexity
Fig.4.Classification of Profile Complexity
C.I. Content complexity(δ(X)) Content complexity is used to measure the amount of information contained within a measurable unit or segment. It does not give any care on quality. As for example, camera_1 of type real camera and camera_2 of type toy camera. However, the camera_1 structure may be more complicated than the camera_2 structure. Hence those two things are treated here as a camera only. It is very similar to semantic analysis of a code. The content complexity and the context complexity both are independent but both are required to measure the overall profile complexity of a source code. Currently, the content contribution is constrained to be between 0 and 3, while the context contribution is constrained to be between 0 and 15 [1].This design provides the effect that the content complexity is a ripple riding on the curve of the context complexity [1]. Although the content complexity for most tokens is indeed held constant, i.e., 1.0, there are few exceptions: left parenthesis, logical operators (e.g., and, or, not), and comparison operators (e.g.,>, THMU / >THPO / >THC
1
A detailed description of how PMDS integrates with the generic system‟s components is reported in Fig.6.
>â•ša.exe”); } }
Regular Code 1 #include void main() { i=0; while(iF Regular). Now the nature of the codes is also dependent on the CPU usage and memory usage parameters. CPU Usage: Here to calculate the usage of CPU in percentage, the below code is treated as virus code 2 and a simple code (calculate prime numbers) is considered as a regular code 2 for the experiment analysis (due to the lack of availability of virus code in public). Virus code 2: for(i=1;i> 80% 55.27% 83.05% 71.65% >>90% 54.35% 86% 72.7%
615 618 854 854 291 290 768 768
CPU-Utilization
100
>>80
80 83.05 71.65
60 40
55.27
20 0 1.359
5.39
2.781
Infinite
AVG. CPU-TIME (Seconds) Fig.7. CPU-Utilization vs. CPU-Time
The above Fig.7 shows the graphical relationship between average CPU time and CPU utilization based on the first four codes (virus code1, regular code1, virus code 2 and regular code 2). V. COMPARISON ANALYSIS The proposed PMDS approach is a simple, flexible and probabilistic approach which is mainly applicable in any generic computing architecture. Several traditional intrusion detection systems based on ANN, genetic algorithm, data mining etc, are facing some challenges. This approach has some important advantages over these traditional malware detection approaches. The comparison analysis is listed below,
Disadvantages of some popular malware detection techniques:
In paper [17], Due to the usage of FAT table, hypervisor method and virtual OS type, processing time for the users is very high. In paper [18], this approach is specifically focused on Kelihos attack. So, its processing time is high and implementation is expensive. The malware detection approach in paper [20] is only effective on Hadoop platform and its processing time is high due to a large number of files. In paper [19], a new malware detection method is used but the method is difficult to understand and also required high time to extract unique signatures.A new malware defence architecture for cloud computing (CloudIDEA) is proposed in paper [24]. However, an overhead is associated due to monitoring all sorts of system calls in VMs and also on the software running within the virtual machines. Besides that, a prior knowledge about the guest operating system is required in order to execute VMI to bridge the semantic gap and interpret the guest memory. Another cloud based malware detection and analysis technique is introduced in paper [21] where „Full Client replication‟ in VM consume lot of network bandwidth (memory utilization is high), the client computing power and energy. It also uses three layers hybrid architecture to implement a distributed malware detection system which is very expensive in practical. An approach in paper [22] is totally focused on signature based detection. Behavioural or heuristic based detection is also important to detect special type of malwares (such as, polymorphic, metamorphic etc). That‟s why, this method is easily vulnerable to the new malwares. A mobile computing based malware detection and classification technique is introduced in paper [25]. This approach is built on the basis of Android platform and behavioural detection of malware apps over virtual machine inspection is not present. Overall deployment strategy of this method is expensive. There are several methods where dynamic malware analysis techniques are used [28]. But some shortcomings of dynamic analysis like single execution path, significant performance overhead etc make static analysis more preferable than dynamic. In some cases, traditional signature based detection method is used which usually faces some challenges in the development of good disassembler, similarity analysis algorithm, so that the variants of malwares can be detected in shorter time with less overhead [31]. Also, signature based detection can be bypassed or tampered easily using malicious code obfuscation. In papers [32][33], some rule based classification and feature extraction techniques are used for detecting malicious codes. However, they have some limitations where classification technique only focuses on categorized rule of malware feature and feature extraction approach is not suitable for generic analysis.
Advantages of Proposed Approach (PMDS):
Less processing time and fast implementation time. Less expensive and low installation charge. Low Processing overhead. Very difficult for an attacker to intrude due to its integration with hardware based level. It is totally transparent to the user.
8
This approach deals with the behavioral detection technique which helps to detect polymorphic and metamorphic malwares. It is closely tied to the system they are running on. The system is extensible. Other antimalware engines can be easily added. VI. CONCLUSION & FUTURE WORK Malware is incorporating threats to user‟s computer systems in terms of stealing personal and secure information, corrupting our security systems. In this paper, PMDS has proposed an effective and efficient security method that can detect the different malware attacks. This approach is mainly based on the concept of a probabilistic behavioral malware detection technique. This paper discusses the basic techniques in brief needed for the development of PMDS system. This technique is actually cheap, requires less memory space and provides less overhead compare to other well-known malware detection systems. It is totally transparent to the user. In future work, some priority based threats storage pool can be used to listing all the threats according to their harmful nature. It is only used to detect malicious codes. In future one signature based prevention technique will also be proposed and implemented with this approach. ACKNOWLEDGMENT Special thanks to Dr. Prof. N.K. Nagwani from the National Institute of Technology Raipur, whose comments and partial review improved the presentation of this article. REFERENCES [1]J. H. Cross, “GRASP Version 5.0 Graphical Representations of Algorithms, Structures, and Processes”, Technical Report 96-15, September 29, 1996, Available: http://www.eng.auburn.edu/grasp. [2] M. Christodorescu, R. Sailer, D. Lee Schales, D. Sgandurra, D. Zamboni, “Cloud Security Is Not (Just) Virtualization Security”, CCSW‟09, November 13, 2009, Chicago, Illinois, USA.ACM 978-160558-784-4/09/11. [3] F. Sabahi, “Secure Virtualization for Cloud Environment Using Hypervisor-based Technology”, International Journal of Machine Learning and Computing, Vol. 2, No. 1, February 2012, pp. 39-45. [4] Lombardi F, Di Pietro R. , “Secure virtualization for cloud computing”, Journal of Network and Computer Application(2010),doi:10.1016/j.jnca.2010.06.008. [5] M.A.Vouk, “Cloud Computing – Issues, Research and Implementations”, Journal of Computing and Information Technology – CIT 16, 2008, 4, doi:10.2498/cit.1001391, pp. 235-246. [6] Q. Zhang · L. Cheng · R. Boutaba, “Cloud computing: state-of-theartand research challenges”, J Internet ServAppl (2010), Springer DOI 10.1007/s13174-010-0007-6, pp. 7-18. [7] C. Williams, “Applications of Genetic Algorithms to Malware Detection and Creation”, December 2009, pp.1-13. [8] Rashmi , Dr.G.Sahoo, Dr.S.Mehfuz, “Securing Software as a Service Model of Cloud Computing: Issues and solutions”, International Journal on Cloud Computing: Services and Architecture (IJCCSA) Vol.3, No.4,August 2013, DOI : 10.5121/ijccsa.2013.3401. [9] D. C. Marinescu, “Cloud Computing: Theory and Practice”, USA, December 6, 2012. [10] P. Singhal, N.Raul, “Malware Detection Module using Machine Learning Algorithms to Assist in Centralized Security in Enterprise Networks”, International Journal of Network Security & Its Applications (IJNSA), Vol.4, No.1, January 2012. [11] Sarathy V., Narayan P., Mikkilineni Rao, “Next Generation Cloud Computing Architecture”, Enabling Technologies: Infrastructure forCollaboration Enterprise (WETICE), 19th IEEE International Workshop, 28-30 June, 2010, pp. 48-53. [12]D Swathigavaishnave and R Sarala, “Detection of Malicious Code-
Injection Attack Using Two Phase Analysis Technique”, International Journal of Computer Application, Volume 45- Number18, May 2012, pp.814. [13]E. Mathisen, “Security Challenges and Solutions in Cloud Computing”, 5th IEEE International Conference on Digital Ecosystems and Technologies (IEEE DEST 2011), June 2011, pp. 208-212. [14] M. A. AlZain, E. Pardede, B. Soh, J. A. Thom, “Cloud Computing Security: From Single to Multi-Clouds”,45th Hawaii International Conference on System Sciences (IEEE), 2012, pp.5490-5499. [15] Kundu, A. Banerjee, C. ; Guha, S.K. ; Mitra, A. ; Pal,C.; Roy, R., “Memory utilization in cloud computing using transparency”, Computer Sciences and Convergence Information Technology(ICCIT), 2010 5th International Conference (IEEE), 2010, PP. 22-27. [16] “www.Gohacking.com”, “www.vxheavens.com/lib/vbw06.html”&“www.viralforyou.blogspot.in/20 11/07” - Virus codes. [17] S.Singh, B.K.Pandey, R.Srivastava, N.Rawat, P.Rawat and Awantika, “Cloud Computing Attacks: A Discussion with Solutions”, Open journal of Mobile Computing and Cloud Computing,Vol.1, 2014. [18]A.K. Marnerides et al., “Malware Analysis in Cloud Computing: Network and System Characteristics”, IEEE Globecom Workshops (GC Wkshps),2013, pp.482-487. [19] M.R. Watson, N.Shirazi, A.K. Marnerides, A.Maute and D. Hutchison, “Malware Detection in Cloud Computing Infrastructures”, IEEE Transactions on Dependable and Secure Computing, 2015. [20]H.M.Kanaker, M.M.Saudi and M.F.Marhusin, “A Systematic Analysis on Worm Detection in Cloud Based Systems”, ARPN Journal of Engineering and Applied Sciences, Vol.10, No.2, 2015. [21] S.Alam, I. Sogukpinar, I.Traore and Y. Coady, “In-Cloud Malware Analysis and Detection: State of the Art”, proceedings of the 7th International Conference on Security of Information and Networks (SIN‟14), September 9 - 11, 2014. [22] Safaa Salam Hatem, et al, “Malware Detection in Cloud Computing”, International Journal of Advanced Computer Science and Applications, Vol. 5,No. 4, 2014, pp. 187 – 192. [23] Thu Yein Win, et al, “Detection of Malware and Kernel-level Rootkits in Cloud Computing Environments”, 2015 IEEE 2nd International Conference on Cyber Security and Cloud Computing, New York, USA, 3-5 Nov 2015, pp. 295-300. [24] Andreas Fischer, et al, “CloudIDEA: A Malware Defense Architecture for Cloud Data Centers, In: On the Move to Meaningful Internet Systems”: OTM 2015 Conferences, (Proceedings of Confederated International Conferences: CoopIS, ODBASE, and C&TC 2015, Rhodes, Greece, October 26-30, 2015) Lecture Notes in Computer Science, Volume 9415, 2015, pp 594-611. [25] Xiaolei Wang, Yuexiang Yang and Yingzhi Zeng, “Accurate mobile malware detection and classification in the cloud”, SpringerPlus, Vol.4, 2015, pp. 583. [26] D. Keragala, “Detecting Malware and Sandbox Evasion Techniques”, SANS Institute, January, 2016. [27] D. Bruschi , L. Martignoni and M. Monga, “Detecting Self-Mutating Malware Using Control Flow Graph Matching”, Detection of Intrusions and Malware & Vulnerability Assessment, Vol. 4064, Springer-LNCS, 2006, pp 129-143. [28] J. Landage and M.P. Wankhade, “Malware and Malware Detection Techniques: A Survey”, International Journal of Engineering Research & Technology (IJERT), Vol. 2 Issue 12, December – 2013. [29] M. K. Sahu , M. Ahirwar and A.Hemlata, “A Review of Malware Detection Based on Pattern Matching Technique”, International Journal of Computer Science and Information Technologies, Vol. 5, No.1, 2014, pp. 944-947. [30] K. Mathur and S. Hiranwal, “A Survey on Techniques in Detection and Analyzing Malware Executables”, International Journal of Advanced Research in Computer Science and Software Engineering, Volume 3, Issue 4, April 2013. [31] Vinod P. V. Laxmi, M.S.Gaur, “Survey on Malware Detection Methods”, Workshop on Computer and Internet Security, Department of Computer Science and Engineering, Prabhu Goel Research Centre for Computer & Internet Security, IIT Kanpur, pp-74-79, March, 2009. [32] Yanfang Ye, Tao Li, Qingshan Jiang, and Youyu Wang, “CIMDS: Adapting Postprocessing Techniques of Associative Classification for Malware Detection”, IEEE Transactions On Systems, Man, And Cybernetics Part C: Applications And Reviews, Vol. 40, No. 3, May 2010 pp. 298-309. [33] Kai Huang, Yanfang Ye, Qinshan Jiang, “ISMCS: An Intelligent Instruction Sequence based Malware Categorization System” in IEEE, 2012, pp. 65-78.
