MALWARE ATTACK DETECTION USING MACHINE LEARNING TECHNIQUES

Abstract

ABSTRACT The present invention provides machine learning for malware detection by using a variety of algorithms to identify and categorize samples of both malware and legitimate software. Further, it creates and assesses machine learning models that use different attributes taken from the dataset to differentiate between malware and legitimate software.

Specification

Description:FORM 2
THE PATENTS ACT, 1970
(39 OF 1970)
&
THE PATENTS RULES, 2003
COMPLETE SPECIFICATION
(See section 10; rule 13)



Title: Malware Attack Detection Using Machine Learning Techniques



APPLICANT DETAILS:
(a) NAME: GRAPHIC ERA DEEMED TO BE UNIVERSITY
(b) NATIONALITY: Indian
(c) ADDRESS: 566/6, Bell Road, Society Area, Clement Town, Dehradun - 248002,
Uttarakhand, India







PREAMBLE TO THE DESCRIPTION:
The following specification particularly describes the nature of this invention and the manner in which it is to be performed.

MALWARE ATTACK DETECTION USING MACHINE LEARNING TECHNIQUES

Field of Invention:
The present invention relates method of selecting features and the importance of feature engineering in improving machine learning models' ability to identify malware.

Background of the Invention.
The following background discussion includes information that may be useful in understanding the present invention. It is not an admission that any of the information provided herein is prior art or relevant to the presently claimed invention, or that any publication expressly or implicitly referenced is prior art.
Machine learning has been proven to be effective in data analysis across a range of industries, including robotics, quality control, healthcare, and finance. Its broad range of applications is driving the field's rapid advancement. Nevertheless, cybersecurity experts may create a strong defense against changing security threats and weaknesses using machine learning effectively if it is properly recognized and executed. The importance of sophisticated cybersecurity solutions has increased due to the frequency and sophistication of cyberattacks. Real-time detection and prevention of developing threats is frequently beyond the capabilities of traditional rule-based techniques. As a result, machine learning (ML) approaches have become popular as effective means of enhancing cybersecurity defenses. Machine learning continually analyses the network's activity for abnormalities in order to identify risks. Massive volumes of data are processed in almost real-time by machine learning engines, which then identify crucial incidents. These methods enable the identification of unknown malware, insider threats, and policy infractions.
The threat posed by malware remains a major issue in the constantly changing field of cybersecurity. Robust and efficient malware detection techniques are essential as harmful actions get more sophisticated. Machine learning has the ability to more accurately and efficiently identify and respond to known as well as previously unknown malware by utilizing the power of algorithms that can learn from data patterns.
The present invention uses machine learning for malware detection by using a variety of algorithms to identify and categorize samples of both malware and legitimate software.

Object(s) of the present invention:
The primary objective of the present invention is to overcome the drawback associated with prior art.
An object of the present invention is to provide machine learning methods used for malware detection, such as supervised, and unsupervised learning approaches.

Summary of the Invention:
In an embodiment, the present invention provides machine learning for malware detection by using a variety of algorithms to identify and categorize samples of both malware and legitimate software. Further, it creates and assess machine learning models that use different attributes taken from the dataset to differentiate between malware and legitimate software.

Brief description of Drawings:
The accompanying drawings, which are incorporated in and constitute a part of this disclosure, illustrate exemplary embodiments and, together with the description, explain the disclosed principles. The reference numbers are used throughout the figures to describe the features and components. Some embodiments of system and/or methods in accordance with embodiments of the present subject matter are now described, by way of example only, and regarding the accompanying figures, in which
Figure 1: illustrates curve of Data Cleaning.
Figure 2: illustrates Confusion Matrix for Random Forest Model.
Figure 3: illustrates Confusion Matrix for Logistic Regression.
Figure 4: illustrates Confusion Matrix for Neural Network
Detailed description of the invention:
In the present document, the word "exemplary" is used herein to mean "serving as an example, instance, or illustration." Any embodiment or implementation of the present subject matter described herein as "exemplary" is not necessarily to be construed as preferred or advantageous over other embodiments.
While the disclosure is susceptible to various modifications and alternative forms, specific embodiment thereof has been shown by way of example, in the drawings and will be described in detail below. It should be understood, however, that it is not intended to limit the disclosure to the specific forms disclosed, but on the contrary, the disclosure is to cover all modifications, equivalents, and alternative falling within the spirit and the scope of the disclosure.
The terms "comprises", "comprising", "includes", or any other variations thereof, are intended to cover a non-exclusive inclusion, such that a setup, device or method that comprises a list of components or steps does not include only those components or steps but may include other components or steps not expressly listed or inherent to such setup or device or method. In other words, one or more elements in a system or apparatus proceeded by "comprises... a" does not, without more constraints, preclude the existence of other elements or additional elements in the system or method.
In an embodiment, the present invention gives a lightweight behavioral malware detection model for windows platforms. The study provides an explanation of a minimal behavioral malware detection method that makes use of Microsoft windows prefetch files. It shows that the malware detection scales linearly for training data and achieves a high detection rate with a low false-positive rate of 1×10-3. They test malware detection's adaptability on two distinct Windows platforms using two separate sets of programs and also examine the decline in their malware detection system's performance due to concept drift and its capacity for adaptation. Lastly, they present an efficient auxiliary defensive method against such threats and compare our malware detection performance against evasive malware.
The present invention uses machine learning (ML) techniques to identify potential hazards from IoT Android malware. This approach builds an ML model using a set of high-quality apps and samples of Android malware. Different machine learning (ML) algorithms, such as Naive Bayes (NB), K-Nearest Neighbour (KNN), Decision Tree (DT), and Random Forest (RF), are utilized to detect malware in IoT devices using the Android Malware dataset. The NB, KNN, and RF models have accuracy rates of 84%, 89%, and 92%, respectively, while the DT model has the greatest accuracy rate of 95%.
The present invention uses a model for securing mobiles from malware. They have developed a model for a behaviour-based anomaly detection system from an Android mobile device using machine learning. In order to identify malware vulnerabilities in this system based on mobile application behaviour, they employed three machine algorithms. The author used KNN, Naive Bayes, and a decision tree to assess the correctness of mobile application behavior in this system.
Using the FFRI Dataset 2018, the present invention introduced a machine-learning malware detection model using surface analysis logs and PE header dumps. Furthermore, they confirmed the accuracy while keeping the FPR below a specific threshold. Because of this, they were able to develop a new model that has a high degree of accuracy: TPR is 99.7%, TPR is 98.7%, and TPR is 94.5% when FPR is less than 1%, 0.1%, or 0.1%. Also, they identified characteristics in this model that have a significant impact on malware identification.
In order to identify Android malware, the invention apply a distinct method. The GIST descriptor will be used to extract the features of the grayscale images created by the Android virus. Three distinct classifiers-k-nearest neighbor (KNN), random forest (RF), and decision tree (DT)-will be used for recognition and comparison. After implementing the model, they concluded that RF could offer 84.14% more accuracy than KNN and DT algorithms.
The author gave architecture that presents a novel strategy for the rapid classification of malicious software attacks on Internet of Things networks by utilizing machine learning and deep learning techniques. The primary goal of this research is to identify the most efficient and productive method by performing a comprehensive analysis of the Avast IoT-23 dataset. Because of its great accuracy and cheap time complexity cost, the Decision Tree (DT) algorithm is the most effective and efficient option in this proposed approach.
Two techniques for identifying malicious Java code are presented in the study. In order to create a detection model, the first method applies an unsupervised machine-learning technique, and the other uses the Perceptron algorithm. By combining their abilities, they were able to come up with a very effective way to identify Java threats ahead of time and ensure that known malware variants are still found. In reaction to the notion of malware as a service, the detection is concentrated on the class files.
In the present invention, a very low-resource malware detection technique that can identify undiscovered dangerous Android applications. For each application, a small number of features are first retrieved and split into three sets. The feature vectors for the apps are then obtained by embedding these three feature sets in the appropriate joint vector spaces. Following that, a machine learning technique is used to classify the feature vectors of each vector space. The final step involves grouping the three classification results, embedding them in a new space, and then classifying them once more. They test the detection on 1550 benign applications and 3427 malicious ones. The results of our experiments demonstrate the stability of our detection strategy, with detection accuracy (true-positive rate) consistently exceeding 98%, and the cost of each sample in the detection process is only 30 ms.

1. Data Collection and Investigation
This invention examine of the "Malware Data" dataset is its basis. The Pandas library is used to load the dataset first. It is derived from a variety of malware and genuine software samples. Descriptive statistics are produced to provide an understanding of the feature distribution, and the dataset is examined to comprehend its structure.

2. Preparing and Cleaning Data
The dataset is put through a number of data cleaning and preparation procedures in order to get it ready for machine learning model training. Managing missing values and guaranteeing data consistency are the first steps. The variable that needs to be predicted, 'legitimate,' is separated from the dataset. Redundant variables that are detrimental to the machine learning process are eliminated, such as "Name" and "md5". Subsets of the final dataset.
3. Comprehending Data and Selecting Features
Acquiring a thorough grasp of the "Malware Data" dataset is the primary goal of the methodology's first step. This include looking at the properties of the dataset, analysing the distribution of classes, and locating possible features that could make a big difference in the classification task. Relevant attributes are chosen for model training using feature selection approaches like relevance ranking and correlation analysis.
4. Preprocessing of Data
Building on the knowledge gained from EDA, data preprocessing is done to deal with missing values, deal with outliers, and scale or normalize features as needed. The class distribution is balanced by using techniques like oversampling and under sampling to rectify any imbalances in the encoded categorical data. The dataset is prepared for efficient model training during this phase.
programming language with some of its libraries keras, numpy, tensorflow, matplotlib.

Model Building
After finishing all the set up needed, we build the model for different Machine learning algorithm and evaluated their accuracy. Using well-known Python tools like Pandas, NumPy, and Seaborn, the project starts with an examination of the dataset. To understand the structure and properties of the dataset, descriptive statistics and visualizations are used. After that, the data is cleaned up and made ready for model training by dividing it into training and test sets and eliminating any extraneous variables. The algorithm used are random forest, Logistic Regression, Neural Network.

Random Forest
A Random Forest classifier, renowned for its resilience and capacity to handle a wide range of datasets, is the first model built. Using metrics like accuracy, F1 score, and confusion matrices on both the training and test datasets, the model's performance is comprehensively assessed.

Logistic Regression
A Logistic Regression model is applied after the Random Forest, offering an alternative viewpoint on virus identification. The Logistic Regression model evaluated based on confusion matrices, F1 score, and accuracy, same like the Random Forest.

Neural Network
Tensor Flow and Kera's are used to build a neural network that integrates deep learning into the analysis. The network's complex architecture is described, and an assessment of its performance using the training and test datasets is made.
V. RESULT ANALYSIS
Random Forest: Random Forest performs well on testing and training datasets in terms of accuracy. 98% accuracy was achieved on training and as well as testing dataset. A balance between recall and precision is shown by the F1 score. The model's performance can be understood through the confusion matrix.
Logistic Regression: Although a less complex model, Logistic Regression nevertheless attains a respectable level of accuracy of 70% on training dataset and 69% on testing dataset. Understanding the true positive and true negative rates is made easier with the use of the confusion matrix.
Neural Network: The neural network makes the model more sophisticated. Reports are provided regarding the test dataset's correctness and F1 score. The performance of the neural network is revealed via the confusion matrix. The model achieved 93% on training dataset and 94% on testing dataset.
Conclusion:
On the test dataset, a score for accuracy was obtained, and a confusion matrix was generated and the F1 score was calculated. Although the model appears to function rather well, more feature engineering and fine-tuning may be necessary to get better outcomes. Accurate and F1 score-evaluable logistic regression model was trained. Supplied a visualization-rich confusion matrix. It looks like the logistic regression model works well with this dataset. To improve model performance, look into the possibilities of extracting more pertinent features or combining already-existing ones. To get a more accurate assessment of the model's performance and to spot any overfitting problems, use cross-validation approaches. Give a thorough description of the models' architectures, hyperparameters, and training procedures. Make a thorough report outlining the conclusions and suggestions as well. Use continuous improvement techniques and real-time monitoring to adjust to changing virus trends when implementing these models in a real-world setting.
, Claims:FORM 2
THE PATENTS ACT, 1970
(39 OF 1970)
&
THE PATENTS RULES, 2003
COMPLETE SPECIFICATION
(See section 10; rule 13)



Title: Malware Attack Detection Using Machine Learning Techniques



APPLICANT DETAILS:
(a) NAME: GRAPHIC ERA DEEMED TO BE UNIVERSITY
(b) NATIONALITY: Indian
(c) ADDRESS: 566/6, Bell Road, Society Area, Clement Town, Dehradun - 248002,
Uttarakhand, India







PREAMBLE TO THE DESCRIPTION:
The following specification particularly describes the nature of this invention and the manner in which it is to be performed.

MALWARE ATTACK DETECTION USING MACHINE LEARNING TECHNIQUES

Field of Invention:
The present invention relates method of selecting features and the importance of feature engineering in improving machine learning models' ability to identify malware.

Background of the Invention.
The following background discussion includes information that may be useful in understanding the present invention. It is not an admission that any of the information provided herein is prior art or relevant to the presently claimed invention, or that any publication expressly or implicitly referenced is prior art.
Machine learning has been proven to be effective in data analysis across a range of industries, including robotics, quality control, healthcare, and finance. Its broad range of applications is driving the field's rapid advancement. Nevertheless, cybersecurity experts may create a strong defense against changing security threats and weaknesses using machine learning effectively if it is properly recognized and executed. The importance of sophisticated cybersecurity solutions has increased due to the frequency and sophistication of cyberattacks. Real-time detection and prevention of developing threats is frequently beyond the capabilities of traditional rule-based techniques. As a result, machine learning (ML) approaches have become popular as effective means of enhancing cybersecurity defenses. Machine learning continually analyses the network's activity for abnormalities in order to identify risks. Massive volumes of data are processed in almost real-time by machine learning engines, which then identify crucial incidents. These methods enable the identification of unknown malware, insider threats, and policy infractions.
The threat posed by malware remains a major issue in the constantly changing field of cybersecurity. Robust and efficient malware detection techniques are essential as harmful actions get more sophisticated. Machine learning has the ability to more accurately and efficiently identify and respond to known as well as previously unknown malware by utilizing the power of algorithms that can learn from data patterns.
The present invention uses machine learning for malware detection by using a variety of algorithms to identify and categorize samples of both malware and legitimate software.

Object(s) of the present invention:
The primary objective of the present invention is to overcome the drawback associated with prior art.
An object of the present invention is to provide machine learning methods used for malware detection, such as supervised, and unsupervised learning approaches.

Summary of the Invention:
In an embodiment, the present invention provides machine learning for malware detection by using a variety of algorithms to identify and categorize samples of both malware and legitimate software. Further, it creates and assess machine learning models that use different attributes taken from the dataset to differentiate between malware and legitimate software.

Brief description of Drawings:
The accompanying drawings, which are incorporated in and constitute a part of this disclosure, illustrate exemplary embodiments and, together with the description, explain the disclosed principles. The reference numbers are used throughout the figures to describe the features and components. Some embodiments of system and/or methods in accordance with embodiments of the present subject matter are now described, by way of example only, and regarding the accompanying figures, in which
Figure 1: illustrates curve of Data Cleaning.
Figure 2: illustrates Confusion Matrix for Random Forest Model.
Figure 3: illustrates Confusion Matrix for Logistic Regression.
Figure 4: illustrates Confusion Matrix for Neural Network
Detailed description of the invention:
In the present document, the word "exemplary" is used herein to mean "serving as an example, instance, or illustration." Any embodiment or implementation of the present subject matter described herein as "exemplary" is not necessarily to be construed as preferred or advantageous over other embodiments.
While the disclosure is susceptible to various modifications and alternative forms, specific embodiment thereof has been shown by way of example, in the drawings and will be described in detail below. It should be understood, however, that it is not intended to limit the disclosure to the specific forms disclosed, but on the contrary, the disclosure is to cover all modifications, equivalents, and alternative falling within the spirit and the scope of the disclosure.
The terms "comprises", "comprising", "includes", or any other variations thereof, are intended to cover a non-exclusive inclusion, such that a setup, device or method that comprises a list of components or steps does not include only those components or steps but may include other components or steps not expressly listed or inherent to such setup or device or method. In other words, one or more elements in a system or apparatus proceeded by "comprises... a" does not, without more constraints, preclude the existence of other elements or additional elements in the system or method.
In an embodiment, the present invention gives a lightweight behavioral malware detection model for windows platforms. The study provides an explanation of a minimal behavioral malware detection method that makes use of Microsoft windows prefetch files. It shows that the malware detection scales linearly for training data and achieves a high detection rate with a low false-positive rate of 1×10-3. They test malware detection's adaptability on two distinct Windows platforms using two separate sets of programs and also examine the decline in their malware detection system's performance due to concept drift and its capacity for adaptation. Lastly, they present an efficient auxiliary defensive method against such threats and compare our malware detection performance against evasive malware.
The present invention uses machine learning (ML) techniques to identify potential hazards from IoT Android malware. This approach builds an ML model using a set of high-quality apps and samples of Android malware. Different machine learning (ML) algorithms, such as Naive Bayes (NB), K-Nearest Neighbour (KNN), Decision Tree (DT), and Random Forest (RF), are utilized to detect malware in IoT devices using the Android Malware dataset. The NB, KNN, and RF models have accuracy rates of 84%, 89%, and 92%, respectively, while the DT model has the greatest accuracy rate of 95%.
The present invention uses a model for securing mobiles from malware. They have developed a model for a behaviour-based anomaly detection system from an Android mobile device using machine learning. In order to identify malware vulnerabilities in this system based on mobile application behaviour, they employed three machine algorithms. The author used KNN, Naive Bayes, and a decision tree to assess the correctness of mobile application behavior in this system.
Using the FFRI Dataset 2018, the present invention introduced a machine-learning malware detection model using surface analysis logs and PE header dumps. Furthermore, they confirmed the accuracy while keeping the FPR below a specific threshold. Because of this, they were able to develop a new model that has a high degree of accuracy: TPR is 99.7%, TPR is 98.7%, and TPR is 94.5% when FPR is less than 1%, 0.1%, or 0.1%. Also, they identified characteristics in this model that have a significant impact on malware identification.
In order to identify Android malware, the invention apply a distinct method. The GIST descriptor will be used to extract the features of the grayscale images created by the Android virus. Three distinct classifiers-k-nearest neighbor (KNN), random forest (RF), and decision tree (DT)-will be used for recognition and comparison. After implementing the model, they concluded that RF could offer 84.14% more accuracy than KNN and DT algorithms.
The author gave architecture that presents a novel strategy for the rapid classification of malicious software attacks on Internet of Things networks by utilizing machine learning and deep learning techniques. The primary goal of this research is to identify the most efficient and productive method by performing a comprehensive analysis of the Avast IoT-23 dataset. Because of its great accuracy and cheap time complexity cost, the Decision Tree (DT) algorithm is the most effective and efficient option in this proposed approach.
Two techniques for identifying malicious Java code are presented in the study. In order to create a detection model, the first method applies an unsupervised machine-learning technique, and the other uses the Perceptron algorithm. By combining their abilities, they were able to come up with a very effective way to identify Java threats ahead of time and ensure that known malware variants are still found. In reaction to the notion of malware as a service, the detection is concentrated on the class files.
In the present invention, a very low-resource malware detection technique that can identify undiscovered dangerous Android applications. For each application, a small number of features are first retrieved and split into three sets. The feature vectors for the apps are then obtained by embedding these three feature sets in the appropriate joint vector spaces. Following that, a machine learning technique is used to classify the feature vectors of each vector space. The final step involves grouping the three classification results, embedding them in a new space, and then classifying them once more. They test the detection on 1550 benign applications and 3427 malicious ones. The results of our experiments demonstrate the stability of our detection strategy, with detection accuracy (true-positive rate) consistently exceeding 98%, and the cost of each sample in the detection process is only 30 ms.

1. Data Collection and Investigation
This invention examine of the "Malware Data" dataset is its basis. The Pandas library is used to load the dataset first. It is derived from a variety of malware and genuine software samples. Descriptive statistics are produced to provide an understanding of the feature distribution, and the dataset is examined to comprehend its structure.

2. Preparing and Cleaning Data
The dataset is put through a number of data cleaning and preparation procedures in order to get it ready for machine learning model training. Managing missing values and guaranteeing data consistency are the first steps. The variable that needs to be predicted, 'legitimate,' is separated from the dataset. Redundant variables that are detrimental to the machine learning process are eliminated, such as "Name" and "md5". Subsets of the final dataset.
3. Comprehending Data and Selecting Features
Acquiring a thorough grasp of the "Malware Data" dataset is the primary goal of the methodology's first step. This include looking at the properties of the dataset, analysing the distribution of classes, and locating possible features that could make a big difference in the classification task. Relevant attributes are chosen for model training using feature selection approaches like relevance ranking and correlation analysis.
4. Preprocessing of Data
Building on the knowledge gained from EDA, data preprocessing is done to deal with missing values, deal with outliers, and scale or normalize features as needed. The class distribution is balanced by using techniques like oversampling and under sampling to rectify any imbalances in the encoded categorical data. The dataset is prepared for efficient model training during this phase.
programming language with some of its libraries keras, numpy, tensorflow, matplotlib.

Model Building
After finishing all the set up needed, we build the model for different Machine learning algorithm and evaluated their accuracy. Using well-known Python tools like Pandas, NumPy, and Seaborn, the project starts with an examination of the dataset. To understand the structure and properties of the dataset, descriptive statistics and visualizations are used. After that, the data is cleaned up and made ready for model training by dividing it into training and test sets and eliminating any extraneous variables. The algorithm used are random forest, Logistic Regression, Neural Network.

Random Forest
A Random Forest classifier, renowned for its resilience and capacity to handle a wide range of datasets, is the first model built. Using metrics like accuracy, F1 score, and confusion matrices on both the training and test datasets, the model's performance is comprehensively assessed.

Logistic Regression
A Logistic Regression model is applied after the Random Forest, offering an alternative viewpoint on virus identification. The Logistic Regression model evaluated based on confusion matrices, F1 score, and accuracy, same like the Random Forest.

Neural Network
Tensor Flow and Kera's are used to build a neural network that integrates deep learning into the analysis. The network's complex architecture is described, and an assessment of its performance using the training and test datasets is made.
V. RESULT ANALYSIS
Random Forest: Random Forest performs well on testing and training datasets in terms of accuracy. 98% accuracy was achieved on training and as well as testing dataset. A balance between recall and precision is shown by the F1 score. The model's performance can be understood through the confusion matrix.
Logistic Regression: Although a less complex model, Logistic Regression nevertheless attains a respectable level of accuracy of 70% on training dataset and 69% on testing dataset. Understanding the true positive and true negative rates is made easier with the use of the confusion matrix.
Neural Network: The neural network makes the model more sophisticated. Reports are provided regarding the test dataset's correctness and F1 score. The performance of the neural network is revealed via the confusion matrix. The model achieved 93% on training dataset and 94% on testing dataset.
Conclusion:
On the test dataset, a score for accuracy was obtained, and a confusion matrix was generated and the F1 score was calculated. Although the model appears to function rather well, more feature engineering and fine-tuning may be necessary to get better outcomes. Accurate and F1 score-evaluable logistic regression model was trained. Supplied a visualization-rich confusion matrix. It looks like the logistic regression model works well with this dataset. To improve model performance, look into the possibilities of extracting more pertinent features or combining already-existing ones. To get a more accurate assessment of the model's performance and to spot any overfitting problems, use cross-validation approaches. Give a thorough description of the models' architectures, hyperparameters, and training procedures. Make a thorough report outlining the conclusions and suggestions as well. Use continuous improvement techniques and real-time monitoring to adjust to changing virus trends when implementing these models in a real-world setting.

Documents