Aswami Fadillah, Ahmad Naim Irfan (2020) An improved malware detection framework. Masters thesis, Universiti Teknologi Malaysia.
Official URL: http://dms.library.utm.my:8080/vital/access/manage...
Abstract
Detecting a malware intrusion requires identifying its signature. However, cyber security practitioners have difficulty detecting signature-based malware manually because of the growing number of malware samples. As a consequence, malware is often detected only after an incident has occurred, by which time it has already caused monetary loss and a large impact on the organisation's brand and its clients' trust. This research aims to address this problem by formulating an improved malware detection framework. The improved framework was formulated from the malware detection solution components identified as malware analysis, malware detection, machine learning algorithms, cyber threat intelligence data and the digital forensics principle of preservation. The formulated framework was then implemented and evaluated in a threat hunting experiment. The implementation produced information describing the distribution of high-severity malware posing the greatest threat in the top three states, based on the clustering algorithm used. The clustering algorithm used K = 3, the value with the best silhouette score, 0.931766381586, calculated on Euclidean distance, and it assisted in generating the YARA rules. The experiment result shows that the YARA rules generated from the clustering algorithm and data enrichment were able to detect Bladabindi, Conficker and Zbot by referring to the signatures derived from the automated malware analysis. In conclusion, the framework itself, together with the steps, techniques and process flow used in formulating it, served as an effective malware detection solution. Hence, cyber security practitioners can apply the improved malware detection framework as a guideline for conducting threat hunting within their organisation.
| Field | Value |
|---|---|
| Item Type | Thesis (Masters) |
| Subjects | T Technology > T Technology (General) > T58.5-58.64 Information technology; T Technology > TK Electrical engineering. Electronics. Nuclear engineering > TK5101-6720 Telecommunication |
| Divisions | Razak School of Engineering and Advanced Technology |
| ID Code | 108009 |
| Deposited By | MOHAMAD ALIF BIN MOHAMAD DESA |
| Deposited On | 01 Nov 2024 00:37 |
| Last Modified | 01 Nov 2024 00:37 |