Applying Artificial Intelligence in Cybersecurity Analytics and Cyber Threat Detection E-Book

Table of Contents

Cover

Table of Contents

Title Page

Copyright

Dedication

About the Editors

List of Contributors

Preface

Acknowledgment

Disclaimer

Note for Readers

Introduction

Part I: Artificial Intelligence (AI) in Cybersecurity Analytics: Fundamental and Challenges

1 Analysis of Malicious Executables and Detection Techniques

1.1 Introduction

1.2 Malicious Code Classification System

1.3 Literature Review

1.4 Malware Behavior Analysis

1.5 Conventional Detection Systems

1.6 Classifying Executables by Payload Function

1.7 Result and Discussion

1.8 Conclusion

References

2 Detection and Analysis of Botnet Attacks Using Machine Learning Techniques

2.1 Introduction

2.2 Literature Review

2.3 Botnet Architecture

2.4 Methodology Adopted

2.5 Experimental Setup

2.6 Results and Discussions

2.7 Conclusion and Future Work

References

3 Artificial Intelligence Perspective on Digital Forensics

3.1 Introduction

3.2 Literature Survey

3.3 Phases of Digital Forensics

3.4 Demystifying Artificial Intelligence in the Digital World

3.5 Application of Machine Learning in Digital Forensics Investigations

3.6 Implementation of Artificial Intelligence in Forensics

3.7 Pattern Recognition Using Artificial Intelligence

3.8 Applications of AI in Criminal Investigations

3.9 Conclusion

References

4 Review on Machine Learning‐based Traffic Rules Contravention Detection System

4.1 Introduction

4.2 Technologies Involved in Smart Traffic Monitoring

4.3 Literature Review

4.4 Comparison of Results

4.5 Conclusion and Future Scope

References

5 Enhancing Cybersecurity Ratings Using Artificial Intelligence and DevOps Technologies

5.1 Introduction

5.2 Literature Review

5.3 Proposed Methodology

5.4 Results

5.5 Conclusion and Future Scope of Work

References

Part II: Cyber Threat Detection and Analysis Using Artificial Intelligence and Big Data

6 Malware Analysis Techniques in Android‐Based Smartphone Applications

6.1 Introduction

6.2 Malware Analysis Techniques

6.3 Hybrid Analysis

6.4 Result

6.5 Conclusion

References

7 Cyber Threat Detection and Mitigation Using Artificial Intelligence – A Cyber‐physical Perspective

7.1 Introduction

7.2 Types of Cyber Threats

7.3 Cyber Threat Intelligence (CTI)

7.4 Materials and Methods

7.5 Cyber‐Physical Systems Relying on AI (CPS‐AI)

7.6 Experimental Analysis

7.7 Conclusion

References

8 Performance Analysis of Intrusion Detection System Using ML Techniques

8.1 Introduction

8.2 Literature Survey

8.3 ML Techniques

8.4 Overview of Dataset

8.5 Proposed Approach

8.6 Simulation Results

8.7 Conclusion and Future Work

References

9 Spectral Pattern Learning Approach‐based Student Sentiment Analysis Using Dense‐net Multi Perception Neural Network in E‐learning Environment

9.1 Introduction

9.2 Related Work

9.3 Proposed Implementation

9.4 Result and Discussion

9.5 Conclusion

References

10 Big Data and Deep Learning‐based Tourism Industry Sentiment Analysis Using Deep Spectral Recurrent Neural Network

10.1 Introduction

10.2 Related Work

10.3 Materials and Method

10.4 Result and Discussion

10.5 Conclusion

References

Part III: Applied Artificial Intelligence Approaches in Emerging Cybersecurity Domains

11 Enhancing Security in Cloud Computing Using Artificial Intelligence (AI)

11.1 Introduction

11.2 Background

11.3 Identification Function (IF)

11.4 Protection Function (PF)

11.5 Detection Function (DF)

11.6 Response Function (RF)

11.7 Recovery Function (RcF)

11.8 Analysis, Discussion and Research Gaps

11.9 Conclusion

References

12 Utilization of Deep Learning Models for Safe Human‐Friendly Computing in Cloud, Fog, and Mobile Edge Networks

12.1 Introduction

12.2 Human‐Centered Computing (HCC)

12.3 Improving Cybersecurity Through Deep Learning (DL) Models: AI‐HCC Systems

12.4 Case Studies

12.5 Discussion

12.6 Conclusion

References

13 Artificial Intelligence for Threat Anomaly Detection Using Graph Databases – A Semantic Outlook

13.1 Introduction

13.2 KGs in Cybersecurity

13.3 CSKG Construction Methodologies

13.4 Datasets

13.5 Application Scenarios

13.6 Discussion and Future Trends on CSKG

13.7 Conclusion

References

14 Security in Blockchain‐Based Smart Cyber‐Physical Applications Relying on Wireless Sensor and Actuators Networks

14.1 Introduction

14.2 Methodology

14.3 GIBCS: An Overview

14.4 Blockchain Layer

14.5 Trust Management

14.6 Blockchain for Secure Monitoring Back‐End

14.7 Blockchain‐Enabled Cybersecurity: Discussion and Future Directions

14.8 Conclusions

References

15 Leveraging Deep Learning Techniques for Securing the Internet of Things in the Age of Big Data

15.1 Introduction to the IoT Security

15.2 Role of Deep Learning in IoT Security

15.3 Deep Learning Architecture for IoT Security

15.4 Future Scope of Deep Learning in IoT Security

15.5 Conclusion

References

Index

End User License Agreement

List of Tables

Chapter 1

Table 1.1 Comparison of existing malware detection approaches.

Table 1.2 Displaying malware families with the specific malware.

Chapter 2

Table 2.1 Confusion matrix.

Chapter 3

Table 3.1 The benefits of AI in forensics.

Chapter 4

Table 4.1 Summary of literature review.

Table 4.2 Summary of results.

Chapter 5

Table 5.1 Description of application security parameter.

Table 5.2 Description of endpoint security parameter.

Table 5.3 Description of infrastructure security parameter.

Sample Table 1.1

Sample Table 1.2

Table 5.4 Experimentation on application security issues.

Table 5.5 Experimentation on network security issues.

Table 5.6 Experimentation on endpoint security issues.

Chapter 8

Table 8.1 Selected features from the NSL‐KDD dataset.

Table 8.2 Comparative analysis of the various algorithms based on different ...

Chapter 9

Table 9.1 Simulation parameters settings.

Table 9.2 Analysis of classification accuracy performance.

Table 9.3 Analysis of sensitivity performance.

Table 9.4 Analysis of specificity performance.

Table 9.5 Analysis of false rate performance.

Chapter 10

Table 10.1 Sentiment analysis score.

Table 10.2 Details of simulation parameters.

Table 10.3 Exploration of classification performance.

Table 10.4 Exploration of precision and recall performance.

Table 10.5 Exploration of

F

‐measure performance.

Chapter 15

Table 15.1 Comparative analysis of related work around deep learning, IoT, a...

List of Illustrations

Chapter 2

Figure 2.1 Botnet architecture.

Figure 2.2 Logistic regression classification.

Figure 2.3 Example for decision tree classification.

Figure 2.4

K

‐nearest neighbor algorithm.

Figure 2.5 Random forest learning algorithm.

Figure 2.6 Confusion matrix (a) logistic regression, (b) KNN, (c) decision t...

Figure 2.7 Performance comparison among different classifiers.

Chapter 3

Figure 3.1 Phases of digital forensic investigation.

Figure 3.2 Types of artificial intelligence.

Figure 3.3 Evaluation of Forensics Data (a) using Gaussian Method and (b) Us...

Figure 3.4 Pattern recognition process.

Chapter 4

Figure 4.1 Illustration of violation capture process.

Figure 4.2 Workflow diagram for violation system.

Figure 4.3 Technologies for monitoring traffic congestion.

Figure 4.4 RFID system.

Figure 4.5 Computer vision workflow.

Figure 4.6 Working of Vehitrack system.

Figure 4.7 Architecture for traffic violation circuit.

Figure 4.8 Flowchart for proposed traffic monitoring system.

Figure 4.9 System for designing the traffic violation detection system.

Figure 4.10 Block diagram explaining system architecture.

Chapter 5

Figure 5.1 Enrolment to Cybersecurity rating platform.

Figure 5.2 Scope and parameters of Cybersecurity rating platform taken into ...

Figure 5.3 System architecture.

Figure 5.4 Workflow for logging an issue.

Figure 5.5 Workflow for closure of the issue.

Figure 5.6 Sample of Notification Data/Response in JSON Format.

Figure 5.7 Flow for validating the issue and closure of the same.

Figure 5.8 Sample JSON Data for closure.

Figure 5.9 Secure Nginx configuration file.

Figure 5.10 API Request for triggering notification for flagging issues.

Figure 5.11 API Response for notification related to flagging issues.

Figure 5.12 API Request for validating the issue.

Figure 5.13 API Response for validating the issue.

Figure 5.14 Sample of Background command for validating the issue.

Figure 5.15 Shows that X‐frame‐Options Header is missing from the applicatio...

Figure 5.16 API Request for applying the fix.

Figure 5.17 API Response for applying the fix.

Figure 5.18 Validating the issues after applying the fix in containerized en...

Figure 5.19 Nginx configuration file before applying fix.

Figure 5.20 Nginx configuration file after applying fix.

Figure 5.21 Snap of nginx web server is up and running.

Figure 5.22 Approval or consent workflow generated by the system.

Figure 5.23 Approval or consent workflow pending at concerned team.

Figure 5.24 Consent approved.

Figure 5.25 API Request for closure.

Figure 5.26 API Response for closure.

Figure 5.27 GitHub crawling module for identifying sensitive information ove...

Figure 5.28 Analytical Representation of Application Security Section or Tab...

Figure 5.29 Analytical Representation of Network Security Section or Table 5...

Figure 5.30 Analytical Representation of Endpoint Security Section or Table ...

Chapter 6

Figure 6.1 The Android attack surface.

Figure 6.2 Static feature extraction and detection.

Figure 6.3 APK decompilation process.

Figure 6.4 Suspicious API calls.

Figure 6.5 Dynamic feature extraction and detection.

Figure 6.6 Hybrid malware analysis.

Chapter 7

Figure 7.1 Generic CPS structure: real and virtual worlds.

Figure 7.2 Graphic representation of IPSS. First, there is the intrusion det...

Figure 7.3 Neural network method in a CPS‐AI.

Chapter 8

Figure 8.1 Working of random forest algorithm.

Figure 8.2 Working of gradient boosting algorithm.

Figure 8.3 Working of support vector machine algorithm.

Figure 8.4 (a) Before applying K‐NN. (b) After applying K‐NN.

Figure 8.5 (a) Before applying DBSCAN algorithm. (b) After applying DBSCAN a...

Figure 8.6 Count of normal and anomaly attack.

Figure 8.7 Accuracy analysis using all features.

Figure 8.8 Accuracy analysis using selected features.

Figure 8.9 Accuracy analysis comparison using complete and selected features...

Figure 8.10 Precision analysis for different algorithms and feature types.

Figure 8.11 Recall analysis for different algorithms and feature types.

Chapter 9

Figure 9.1 Proposed architecture diagram‐SPLA‐DMPNN.

Figure 9.2 Analysis of classification accuracy performance.

Figure 9.3 Analysis of sensitivity performance.

Figure 9.4 Analysis of specificity performance.

Figure 9.5 Analysis of false rate performance.

Figure 9.6 Analysis of time complexity.

Chapter 10

Figure 10.1 Proposed block diagram.

Figure 10.2 Exploration of classification performance.

Figure 10.3 Exploration of precision and recall performance.

Figure 10.4 Exploration of

F

‐measure performance.

Figure 10.5 Exploration of misclassification performance.

Figure 10.6 Exploration of time complexity performance.

Chapter 11

Figure 11.1 Multi‐layer cloud computing framework.

Chapter 12

Figure 12.1 Convergence between human‐centered computing and AI‐HCI within a...

Figure 12.2 Intelligent cyber‐physical system involving sub‐systems that rel...

Figure 12.3 An HCC stage with DL.

Chapter 13

Figure 13.1 Deep learning NER flowchart.

Figure 13.2 A CSKG construction framework.

Figure 13.3 Intelligent cybersecurity ontologies.

Chapter 14

Figure 14.1 General WSAN architecture. A sensor and actuator network with a ...

Figure 14.2 GIBCS‐CPS different layers.

Figure 14.3 WSAN architecture. Application layer: physical HW, virtual machi...

Figure 14.4 Trust management modules and interactions.

Chapter 15

Figure 15.1 Big data challenges in IoT security.

Figure 15.2 Deep learning techniques in IoT security.

Guide

Cover

Table of Contents

Title Page

Copyright

Dedication

About the Editors

List of Contributors

Preface

Acknowledgment

Disclaimer

Note for Readers

Introduction

Begin Reading

Index

End User License Agreement

Pages

iii

iv

v

xvii

xviii

xix

xxi

xxii

xxiii

xxiv

xxv

xxvi

xxvii

xxix

xxxi

xxxiii

xxxiv

1

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

31

32

33

34

35

36

37

38

39

40

41

42

43

44

45

46

47

48

49

50

51

52

53

54

55

56

57

58

59

60

61

63

64

65

66

67

68

69

70

71

72

73

74

75

76

77

78

79

80

81

82

83

84

85

86

87

89

90

91

92

93

94

95

96

97

98

99

100

101

102

103

104

105

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

150

151

152

153

154

155

156

157

158

159

160

161

162

163

164

165

166

167

168

169

170

171

172

173

174

175

176

177

178

179

181

182

183

184

185

186

187

188

189

190

191

192

193

194

195

196

197

198

199

200

201

202

203

204

205

206

207

208

209

210

211

212

213

214

215

216

217

218

219

220

221

222

223

224

225

226

227

228

229

230

231

232

233

234

235

236

237

238

239

240

241

242

243

244

245

246

247

248

249

250

251

252

253

254

255

256

257

258

259

260

261

262

263

264

265

266

267

268

269

270

271

272

273

274

275

276

277

278

279

280

281

282

283

284

285

286

287

288

289

290

291

292

293

294

295

296

297

298

299

300

301

302

303

304

305

306

307

308

309

310

311

312

313

314

315

316

317

318

319

320

321

322

323

324

325

327

328

329

330

331

332

333

334

Applying Artificial Intelligence in Cybersecurity Analytics and Cyber Threat Detection

Edited by

Copyright © 2024 by John Wiley & Sons, Inc. All rights reserved.

Published by John Wiley & Sons, Inc., Hoboken, New Jersey.Published simultaneously in Canada.

No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning, or otherwise, except as permitted under Section 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per‐copy fee to the Copyright Clearance Center, Inc., 222 Rosewood Drive, Danvers, MA 01923, (978) 750‐8400, fax (978) 750‐4470, or on the web at www.copyright.com. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748‐6011, fax (201) 748‐6008, or online at http://www.wiley.com/go/permission.

Trademarks: Wiley and the Wiley logo are trademarks or registered trademarks of John Wiley & Sons, Inc. and/or its affiliates in the United States and other countries and may not be used without written permission. All other trademarks are the property of their respective owners. John Wiley & Sons, Inc. is not associated with any product or vendor mentioned in this book.

Limit of Liability/Disclaimer of Warranty: While the publisher and author have used their best efforts in preparing this book, they make no representations or warranties with respect to the accuracy or completeness of the contents of this book and specifically disclaim any implied warranties of merchantability or fitness for a particular purpose. No warranty may be created or extended by sales representatives or written sales materials. The advice and strategies contained herein may not be suitable for your situation. You should consult with a professional where appropriate. Further, readers should be aware that websites listed in this work may have changed or disappeared between when this work was written and when it is read. Neither the publisher nor authors shall be liable for any loss of profit or any other commercial damages, including but not limited to special, incidental, consequential, or other damages.

For general information on our other products and services or for technical support, please contact our Customer Care Department within the United States at (800) 762‐2974, outside the United States at (317) 572‐3993 or fax (317) 572‐4002.

Wiley also publishes its books in a variety of electronic formats. Some content that appears in print may not be available in electronic formats. For more information about Wiley products, visit our web site at www.wiley.com.

Library of Congress Cataloging‐in‐Publication Data Applied for:

Hardback ISBN: 9781394196449

Cover Design: WileyCover Image: © Yuichiro Chino/Getty Images

This work is dedicated to the cybersecurity professionals, academicians, researchers, and enthusiasts who strive to make the digital world a safer place for all. Dedicated to those on the front lines of cybersecurity, tirelessly safeguarding our digital landscapes, and to the relentless pursuit of knowledge that fuels our collective defense against evolving threats. Their commitment inspired the editors to push their boundaries of understanding and fortify the resilience of interconnected society.

About the Editors

Dr. Shilpa Mahajan is a distinguished Certified Ethical Hacker (CEHv11) and Cisco Certified Instructor with a notable career spanning over 16 years in research and education. She is currently serving as an Associate Professor at the NorthCap University. Dr. Mahajan holds a Ph.D. in Wireless Sensor Networks from Guru Nanak Dev University, Amritsar, and graduated with distinction from Punjab Engineering College, Chandigarh. Her extensive contributions include authoring numerous papers published in prestigious international journals, books, conferences, and holding patents. In her current role, she guides doctoral scholars and successfully supervises M.Tech and B.Tech projects. Dr. Mahajan has designed courses focusing on Computer Networks, Network Security, and Cryptography. She actively participates in various academic activities, serving as a resource person for Faculty Development Programs (FDPs), workshops, guest lectures, invited talks, and panel discussions. Dr. Mahajan’s expertise is underscored by her proactive involvement in chairing sessions at conferences, highlighting her standing within the academic community. Notably, she coordinated the ATAL FDP on Web Security in 2022 and organized EDPs for CCNA Modules. Remarkably, she has contributed as an editor for esteemed publishers including Springer, CRC Press, Wiley, and several others. Her contributions extend to the establishment of a Cisco lab at the NorthCap University, Gurgaon, in January 2014. Recognized by Cisco Networking Academy for her active participation over five years, Dr. Mahajan’s dedication and expertise continue to shape the academic landscape in the fields of Cybersecurity and Information Security.

Dr. Mehak Khurana is an accomplished and dedicated Certified Ethical Hacker (CEHv11) with an illustrious career spanning over 13 years in the fields of research and teaching. Dr. Mehak Khurana is currently leveraging her extensive expertise as an Associate Professor at the NorthCap University, contributing to the academic and practical realms of Cybersecurity and Information Security. Her academic journey is marked by exceptional achievements, including the attainment of a Ph.D. degree specializing in Information Security and Cryptography. Complementing this, she was honored with a silver medal for her M.Tech degree in Information Technology from USICT, GGSIPU. Her specialization lies in Cybersecurity, Information Security, and Cryptography. She has left an indelible mark on academia through her prolific publications in renowned journals, conferences books, and patents. She demonstrated her commitment to aligning education with industry best practices; she introduced and designed cutting‐edge courses in Penetration Testing, Secure Coding, Software Vulnerabilities, and Web and Mobile Security. Her mentorship extends to guiding B.Tech., M.Tech. projects, and Ph.D. scholars, nurturing the potential of future leaders in the field. She convened the International Conference on Cyber Security and Digital Forensics in collaboration with Springer in 2021. She served as a valuable resource person for various Faculty Development Programs (FDPs), workshops, guest lectures, invited talks, panelists, etc. Her active involvement in chairing sessions at various conferences underscores her expertise and prominence in the academic community. She edited books for esteemed publishers such as Springer, CRC Press, Wiley, and edited many more. Furthermore, her role as a reviewer for reputable journals and a Technical Program Committee (TPC) member for various international conferences highlights her commitment to fostering excellence. Her contributions have earned her recognition as the Emerging Women Leader in Cybersecurity Sector in 2023 by StarDiVvaz Women Awards, presented by Dr. Rajshri Singh, IPS, IGP Haryana State Crime. Likewise, her selection as one of the top three finalists for the Cyberjutsu award by Womencyberjutsu in Virginia, US, underscores her standing as a prominent Cyber Educator.

Dr. Vania Vieira Estrela has ample experience teaching postgraduate and undergraduate courses. She holds a B.Sc. degree from the Federal University of Rio de Janeiro (UFRJ) in Electrical and Computer Engineering (ECE), an M.Sc. from the Technological Institute of Aeronautics (ITA), Brazil, and M.Sc. in ECE at Northwestern University, USA, and a Ph.D. in ECE from the Illinois Institute of Technology (IIT), Chicago, IL, USA. She has taught at DePaul University, USA, and Universidade Estadual do Norte Fluminense (UENF), Brazil. She was a visiting professor at the Polytechnic Institute of Rio de Janeiro (IPRJ)/State University of Rio de Janeiro (UERJ) in Brazil. She works at Universidade Federal Fluminense’s (UFF) Department of Telecommunications. She has proposed and participated in various pedagogical projects for the specialities of “Computer Engineering” at UENF, “Computer Technology” at Universidade Estadual da Zona Oeste (UEZO)/UERJ, and “Material Science and Engineering with Emphasis on Polymers” also at UEZO/UERJ. Research interests include Cyber‐Physical Systems, Signal/Image/Video Processing, Multimedia, Biomedical Engineering, Neuroscience, Electronic Instrumentation, Computer Architecture, Unmanned Aerial Systems, Modeling/Simulation, Sustainable Projects, Smart Designs, Inverse Problems, Communications, Motion Estimation and Understanding, Artificial Intelligence, and Geoprocessing. She edits and reviews for several prestigious publishers. She is engaged in Humanitarian Engineering, Technology Transfer, STEAM Education, Environmental Issues, Digital Inclusion, and all UN Sustainable Development Goals (SDGs). She has served as editor of more than 15 books and special issues. She has served on a plethora of technical and organizational committees and is a member of IEEE.

List of Contributors

Nikolaos AndreopoulosComputer Science DepartmentTechnological Institute of IcelandReykjavíkIceland

Joaquim T. de AssisInstituto Politecnico do Rio de JaneiroNova FriburgoRJBrazil

Avi ChakravartiAmity School of Engineering and TechnologyAmity UniversityNoidaUttar PradeshIndia

Suman DasInformation SecurityZensar TechnologiesKolkataIndia

Anand DeshpandeElectronics and Communication EngineeringAngadi Institute of Technology and ManagementBelagaviIndia

Chingakham Nirma DeviDepartment of Computer ScienceVels Institute of ScienceTechnology and Advanced Studies (VISTAS)ChennaiIndia

Edwiges G.H. GrataDepartment of TelecommunicationsFederal Fluminense University (UFF)NiteróiRJBrazil

JahnaviDepartment of Computer ScienceDr. B.R. Ambedkar National Institute of TechnologyJalandharIndia

R. Jenice AromaDepartment of CSEKarunya Institute of Technology and SciencesKarunya UniversityCoimbatoreIndia

Maria A. de JesusDepartment of TelecommunicationsFederal Fluminense University (UFF)NiteróiRJBrazil

Ashish JoshiInformation SecurityZensar TechnologiesPuneIndia

Awais Khan JumaniDepartment of Computer ScienceSindh Madressa‐tul‐Islam UniversityKarachiSindhPakistan

Keshav KaushikSchool of Computer ScienceUniversity of Petroleum and Energy StudiesDehradunUttarakhandIndia

Abdullah A. KhanResearch Lab of Artificial Intelligence and Information SecurityFaculty of ComputingScience and Information TechnologyBenazir Bhutto Shaheed UniversityKarachiSindhPakistan

Asiya KhanSchool of EngineeringComputing and Mathematics (Faculty of Science and Engineering)University of PlymouthPlymouthUK

Mehak KhuranaThe NorthCap UniversityGurugramIndia

Dhanashree KulkarniDepartment of Computer Science and EngineeringAngadi Institute of Technology and ManagementBelagaviIndia

Asif A. LaghariSindh Madresstul Islam UniversityKarachiSindhPakistan

Ricardo T. LopesFederal University of Rio de Janeiro (COPPE/UFRJ)Nuclear Engineering Laboratory (LIN)Rio de JaneiroRJBrazil

Shilpa MahajanDepartment of Computer ScienceThe NorthCap UniversityGurgaonIndia

Geetika MunjalAmity School of Engineering and TechnologyAmity UniversityNoidaUttar PradeshIndia

Paridhi PasrijaThe NorthCap UniversityGurugramIndia

Vishwas PitreInformation SecurityZensar TechnologiesPuneIndia

Tushar PuriAmity School of Engineering and TechnologyAmity UniversityNoidaUttar PradeshIndia

Supriya RahejaAmity UniversityNoidaIndia

Kumudha RaimondDepartment of Computer Science and EngineeringKarunya Institute of Technology and SciencesCoimbatoreIndia

R. Renuga DeviDepartment of Computer Science and Applications (MCA)SRM Institute of Science and TechnologyRamapuramChennaiIndia

Satya SaladiInformation SecurityZensar TechnologiesHyderabadIndia

Mohammad ShabazModel Institute of Engineering and Technology,Jammu,Jammu and KashmirIndia

BhawnaDepartment of Computer ScienceThe NorthCap UniversityGurgaonIndia

Utkarsh SharmaAmity School of Engineering and TechnologyAmity UniversityNoidaUttar PradeshIndia

Laishram Kirtibas SinghDepartment of Computer ScienceVels Institute of ScienceTechnology and Advanced Studies (VISTAS)ChennaiIndia

Utkarsh SinghThe NorthCap UniversityGurugramIndia

Dalmo StutzCentro Federal de Educação Tecnológica Celso Suckow da Fonseca (CEFET) at Nova FriburgoNova FriburgoRJBrazil

Lin TengSoftware CollegeShenyang Normal UniversityShenyangChina

Andrey TerzievTerziASofiaBulgaria

Diego M.R. TudescoDepartment of TelecommunicationsFederal Fluminense University (UFF)NiteróiRJBrazil

UrvashiDepartment of Computer Science and EngineeringDr. B.R. Ambedkar National Institute of TechnologyJalandharIndia

Shoulin YinShenyang Normal UniversityShenyangLiaoning ProvinceChina

Preface

In the ever‐evolving digital landscape, the fusion of artificial intelligence (AI) with the realm of cybersecurity has introduced a formidable ally. AI’s unique capabilities in processing vast data volumes, recognizing intricate patterns, and swiftly adapting to emerging threats have marked the dawn of a new era in cyber defense. As AI continues to seamlessly integrate into our cybersecurity strategies, it plays a pivotal role in our ongoing battle against the ever‐shifting landscape of cyber threats.

The digital landscape is rapidly evolving, and with it, the nature of cyber threats. This book addresses a pressing need – to bridge the knowledge gap between the potent capabilities of AI and its practical applications in fortifying cybersecurity. Our aim is to provide readers with a comprehensive guide to understand, implement, and harness the power of AI in safeguarding digital ecosystems. Collecting insights from seasoned cybersecurity professionals and AI experts, this book seeks to demystify the world of AI in cybersecurity. It aims to serve as a valuable resource for cybersecurity professionals looking to enhance their defenses, students eager to explore the exciting intersection of AI and cybersecurity, and individuals concerned about their online security. Another aim of this book is to empower our readers with knowledge and tools to shield against evolving cyber threats and inspire innovation in the field.

This book offers a comprehensive exploration of the synergy between AI and cybersecurity. It delves into the realm of AI‐powered tools, techniques, and practices that empower organizations and individuals to stay ahead of malicious actors. The scope of the book encompasses AI applications in intrusion detection, threat identification, and risk assessment, among others. It provides practical guidance, real‐world case studies, and a holistic view of the evolving landscape of cyber threats and the innovative solutions AI offers to mitigate them. While we strive to cover a wide spectrum of AI techniques tailored for cyber defense, it is important to recognize that the field of AI and cybersecurity is dynamic and ever‐evolving. This book does not claim to be an exhaustive encyclopedia; rather, it serves as a snapshot of the state of the field at the time of its writing. As technology progresses, new challenges and solutions will arise, and our understanding of the subject will continue to evolve.

This book builds upon the existing body of literature that explores the integration of AI and cybersecurity, acknowledging the pioneering work of researchers and professionals in this field. It provides a comprehensive overview of the current landscape while offering fresh perspectives and insights.

In closing, this collaborative effort reflects the dedication of experts passionate about securing our digital world. The fusion of AI and cybersecurity has the potential to reshape the future of digital security. We hope this book empowers the readers to harness this potential and become a guardian of the digital realm.

Shilpa Mahajan

The NorthCap University, India

Mehak Khurana

The NorthCap University, India

Vania Vieira Estrela

Fluminense Federal University, Brazil

Acknowledgment

Heartfelt gratitude to the contributors and experts whose unwavering dedication has shaped this book. Their invaluable insights and expertise have played an instrumental role in bringing this collaborative effort to fruition.

Disclaimer

The publisher and the author make no representations or warranties with respect to the accuracy or completeness of the contents of this work and specifically disclaim all warranties, including without limitation warranties of fitness for a particular purpose. No warranty may be created or extended by sales or promotional materials. The advice and strategies contained herein may not be suitable for every situation. This work is sold with the understanding that the publisher is not engaged in rendering legal, accounting, or other professional services. If professional assistance is required, the services of a competent professional person should be sought. Neither the publisher nor the author shall be liable for damages arising here from. The fact that an organization or Website is referred to in this work as a citation and/or a potential source of further information does not mean that the author or the publisher endorses the information the organization or Website may provide or recommendations it may make. Further, readers should be aware that Internet Websites listed in this work may have changed or disappeared between when this work was written and when it is read.

Note for Readers

Dear Readers,

This book is a collaborative effort aimed at providing you with a comprehensive understanding of the intricate world of cybersecurity analytics. The intention of the authors/editors is to equip you with insights, strategies, and practical knowledge that will empower you in navigating the complexities of cyberthreats. Throughout these chapters, you’ll find a blend of theoretical concepts and hands‐on approaches, all crafted to enhance your understanding and proficiency in addressing contemporary cybersecurity challenges. Whether you are a seasoned cybersecurity professional, a student entering the field, or simply someone passionate about the evolving digital landscape, we hope you find this book both informative and inspiring.

Introduction

In the realm of cybersecurity, where digital landscapes are in constant flux, the unceasing evolution of cyber threats poses an ever‐growing challenge. Navigating this intricate web of potential risks requires a comprehensive understanding of the various facets of cybersecurity and the implementation of effective detection and mitigation strategies. This book, “Applying Artificial Intelligence in Cybersecurity Analytics and Cyber Threat Detection,” takes a deep dive into the dynamic world of cybersecurity analytics, emphasizing the pressing need for innovative approaches to counteract a diverse array of cyber threats. The chapters within this book are carefully curated to offer a nuanced exploration of techniques, methodologies, and practical applications designed to fortify our defenses against malicious activities in the digital space.

As we embark on this exploration, the aim is to equip readers with a profound understanding of the multifaceted landscape of cybersecurity, encompassing not only the traditional forms of threats but also the more contemporary and sophisticated challenges that emerge with technological advancements. Each chapter is crafted to provide insights, analyses, and actionable strategies, offering a holistic view of cyberthreat detection and mitigation. The dynamic nature of the cybersecurity landscape necessitates an adaptive and informed approach. Therefore, this book serves as a compendium of knowledge, drawing on the collective expertise of contributors who bring real‐world experience and practical insights to the forefront. It is intended for cybersecurity professionals seeking to enhance their skills, students entering the field, and anyone intrigued by the ever‐evolving landscape of digital security.

As we traverse through the following pages, the goal is to shed light on effective strategies, methodologies, and practices that go beyond mere detection. The emphasis lies in understanding the intricacies of cyberthreats, enhancing the analytical capabilities of security practitioners, and fostering a proactive stance against potential risks. In closing, the collective wisdom encapsulated in these chapters aims to empower readers with the knowledge and tools needed to navigate the complexities of cybersecurity analytics. By fostering a deeper understanding of cyber threats and effective detection mechanisms, we can collectively contribute to fortifying the digital realms we inhabit.

Part IArtificial Intelligence (AI) in Cybersecurity Analytics: Fundamental and Challenges

1Analysis of Malicious Executables and Detection Techniques

Geetika Munjal and Tushar Puri

Amity School of Engineering and Technology, Amity University, Noida, Uttar Pradesh, India

1.1 Introduction

An instruction set created to harm a system is known as malware, which is short for malicious software [1]. The production of malware is increasing, making it more challenging for security firms to identify it. Traditionally, security firms and antivirus vendors employed antivirus software to distinguish between dangerous and clean data. Most of these tools compare the malicious programs to a database of well‐known malware signatures using a signature‐based method to identify them [2, 3]. The signature of an executable file serves as its distinctive identifier, and signatures can be generated using static, dynamic, and hybrid methodologies. However, this technique’s drawback is that it is ineffective at detecting new malware samples. Due to the continuous increase in the quantity of new malware samples, these signatures must be continually updated [3].

Static analysis, the method that extracts features from a program’s binary code by examining it and building models that illustrate the features, was developed to counter these tactics. These techniques are used to distinguish between hazardous and useful files. However, static analysis is easily evaded since malware authors utilize numerous code obfuscation techniques, like metamorphic and polymorphic approaches. Despite providing valuable insight into the behavior of programs, functions, and parameters, static analysis can still be unreliable [1].

Dynamic analysis, on the other hand, implements the software inside a secure environment to observe its behavior. This method exposes the code obfuscation strategies used by malware authors and works well with compressed files. However, dynamic analysis needs to be carried out within a secure environment to prevent system damage and can be time‐consuming. Additionally, malware may behave differently in a virtual (secure) environment compared to an actual environment, leading to an incorrect log of behavior [4].

Combining static and dynamic analysis techniques can result in a more effective and reliable malware detection strategy. The main categories of executable malicious code (MC) are (i) MC that has been injected, such as worms that use buffer overflow exploits to inject their code into active software processes, (ii) dynamically generated malware (MC), and (iii) obfuscated malware (MC), which includes, viruses, Trojan horses, and worms that cloak their code via data manipulations and obscure computations to avoid detection and analysis. Polymorphic viruses or Trojans are an example of obfuscated malware [1]. Static feature‐based analysis seems to be effective and efficient, as it enables network detection when the algorithm is loaded into memory [5, 6]. However, when the malicious file or code is compressed or encrypted, it becomes more challenging to detect. As a result, dynamic feature analysis must first unpack or decrypt the CPU instructions before being executed. Dynamic analysis for detecting network malware may not be practical due to the rapidity of network traffic [1].

Malicious executables are classified into three types based on how malware is transmitted: viruses, Trojan horses, and worms [7]. They infect already‐running programs, causing them to become “infected” and spread to other programs when they are run. Worms, on the other hand, are standalone programs that propagate throughout a network, usually by taking advantage of bugs in the software that is operating on networked machines. Trojan horses disguise themselves as legitimate applications while carrying out harmful tasks. Malicious executables aren’t really usually easily categorized and can behave in a variety of ways. Virus detection tools, including McAfee Virus Scan are extensively used, and Dell suggests Norton Antivirus for any and all new computers [7]. Although the titles of these programs include the term “virus,” some also detect worms and Trojan horses. This approach of looking for recognized patterns of MC, called signature‐based detection, is effective in detecting previously known threats [8]. However, it is not always effective against new and unknown threats [9]. In response to these limitations, a new approach to virus detection called behavior‐based detection has emerged. Based on their behavior, this strategy employs artificial intelligence (AI) and deep learning (DL) algorithms to discover and categorize new and unknown risks [10].

Behavior‐based detection relies on monitoring the actions of a piece of software, looking for signs of malicious behavior [8]. If a piece of software is behaving in a way that is deemed suspicious, it can be classified as a potential threat and further analyzed. This approach is more proactive and effective against new and unknown threats than traditional signature‐based detection [11]. In recent years, AI and machine learning (ML) algorithms have become more sophisticated, making it possible to automatically detect malware in real‐time and without human intervention [12].

1.2 Malicious Code Classification System

A static analysis approach is proposed to automate the discovery and categorization of the type of file without executing it, using a MC classification model. The classification system takes all files, including MC, normal files, and source files, as input data. During the pre‐processing step, the portable executable (PE) information extraction module and the picture production module are used to produce input data that is used in the classification stage. In the subsequent classification step, a variety of algorithms, including convolutional neural network (CNN), random forest, gradient boosting, and decision tree algorithms, are used to decide if the input is malicious. The final classification of MC is achieved by integrating the results from each model. The classification outcomes are stored in a database that includes information about the data along with a single value indicating whether or not the data is harmful. The system uses a learning model that has been developed using different algorithms as a preparation step. The input file is processed and converted into input data for the model by extracting hash values, PE data, and performing image conversion.

Hash Extraction: The input data is first transformed into an eigenvalue from its hash value to determine if the input data is duplicated. In the database update step, the classification outcome of newly entered data is incorporated into the database, and duplicate data is updated using the extracted hash value as a primary key.

Data extraction from PE: The header and sections of the PE structure contain the necessary data for PE files to function correctly in Windows. The capability to identify installed dynamic link libraries (DLLs) as well as the functions they perform using the import address table (IAT) inside the PE Header enables the extraction of malignancy‐related data from PE structures without the need to execute MC. If the file contains a PE structure, the header and section portions may be used to extract 55 characteristics, including entropy and packers. The binary file’s packing information is located using the Yet Another Reverse Engineering Framework (YARA) rule configuration, using signatures to recognize and categorize MC types. The image creation module visualizes and converts the input file for CNN by transforming the input data into a one‐dimensional vector [13].

1.3 Literature Review

In the field of malware detection, two major techniques have been employed: static analysis and dynamic analysis. The application of ML methods has been proposed to improve the performance of malware detection. Schultz et al. [1] introduced a method of using ML to detect new malicious executables by using three distinct byte sequences, readable texts, and PE as static features. The method was tested on 4266 different files and achieved an accuracy of 97.11% using the Bayes algorithm for classification. Usukhbayar et al. [2] presented a framework that utilized three static features, including data from the PE Header, application programming interface (API) function calls made by DLLs, and DLLs. They chose the subset of characteristics using data mining techniques like information gain and tested three different classification methodologies: Svms, Naive Bayes (NB), and J48 where maximum accuracy was obtained by J48 at 98%. Tzu‐Yen Wang et al. [3] used data contained in the PE Headers to detect malware. Their dataset consisted of 9771 different programs, including backdoors, email worms, Trojan horses, and viruses. The accuracy rates for viruses, email worms, Trojan horses, and backdoors were 97.19%, 93.96%, 84.11%, and 89.54%, respectively, demonstrating high detection rates for email worms and viruses. With the advancement of dynamic malware analysis, researchers have shifted from static feature extraction to dynamic analysis. Tian et al’s use of Weka classifiers to extract dynamic characterestics (API call sequences) out of an executable file operating in a virtual environment to separate malware from trustworthy software and identify the malware family. The dataset included 1824 executables, and the accuracy was 97%. Wang et al. [5] also proposed the use of dynamic analysis for malware detection, using similarity matrices of dynamic extraction technologies on a dataset of 104 files. They achieved an accuracy of 93%. Santos et al. [14] proposed a hybrid strategy that combined the static and dynamic features of an executable file. By using a semi‐supervised learning method, in which only 50% of the training data was labeled, they achieved an accuracy of 88%. PE‐Miner was suggested by Shafiq et al. [13] as a technique for finding PE malware. They collected 189 characteristics first from PE file segments and used feature selection/reduction methods like principal component analysis (PCA) to choose the most pertinent features. The technique was evaluated using five supervised algorithms Ibk, J48, NB, RIPPER, and SMO on seven distinct types of dangerous executables. The identification of viruses produced the highest results (99% true positive rate and 0.5% false positive rate).

Lo, Pablo, and Carlos [8] investigated the bare minimum requirements for PE malware detection and concluded that by using an assembly classification schema, they could detect malware with 99% accuracy using nine features. However, their base feature pool was created using third‐party software, VirusTotal, and the system was not evaluated against various malware detection techniques. PE files are executable files that typically run on the Windows platform and have the .exe or .dll extension. The executable code text part, the data sections (.bss, .rdata, and.data), the resource section (.rsrc), the export section (.edata), and the import section are all portions that make up a PE file (.idata), among others. The PE file format is defined by Microsoft and is documented in the PE and common object file format (COFF) specifications, which can be found in the microsoft developer network (MSDN) library. The point of entry (the starting location of the script to be run), the number of sections, the size of the additional header, and other crucial details about the file are all contained in the PE file header. Information about each portion of the file is provided in the section table, including the name, virtual size, virtual address, and raw data size. The text section contains the executable code of the file, which is machine code that the computer can execute directly. The data sections contain initialized and uninitialized data used by the program. The resource section contains information about the resources used by the program, such as icons, bitmaps, and dialog boxes. The export section contains information about the functions and variables that are exported from the file, allowing other files to call them. Information on the variables and functions loaded from other files is provided in the import section, which is needed by the program. Overall, the PE file format provides a way for Windows to efficiently load and execute programs, making it an important component of the Windows operating system.

Table 1.1 Comparison of existing malware detection approaches.

Features

Kirin

STREAM

SmartDroid

AMDetector

Method used

BNF notation specifications Action strings and static permission labels are equivalent

Emulation of machine learning input using monkey

GUI‐based trigger circumstances Activity call graphs and function call graphs

Analysis of an attack tree hybrid

Advantages

Decent performance and ease of implementation

Suited for extensive research. Platform for distributed experimentation

While dynamic analysis looks at sensitive behaviors, static analysis pinpoints activity switch connections. There is a substantial amount of coding for the detection

Rules are arranged through the use of an attack tree to get precise and programmable outcomes. While dynamic analysis verifies the smaller rule set, static analysis looks for possible assaults. triggers depending on components

Drawbacks

Nine rules are not enough. The real behavior of an application cannot be adequately modeled by static authorization features

User interaction is not faithfully simulated by the Monkey tool. The classifiers produce a lot of false positive results

Other than activity, there is no trigger for components such as service and broadcast

Manually developed rules A detailed dynamic analysis takes a long time

Detection result

Ten of the 311 apps did not pass the rules. Five of them are considered dangerous, the other five are seen to be reasonable

Bayes net Logistic TPR: 81.25% 68.75% FPR: 31.03% 15.86%

A UI‐based trigger situation that triggers a behavior may be seen on SmartDroid. It is unable to expose trigger circumstances that are logic‐based or indirect, though

TPR: 88.14% FPR: 1.80% Accuracy: 96.57%

Table 1.1 compares four existing malware detection approaches, namely Kirin, STREAM, SmartDroid, and AMDetector. It includes information on the methods used, advantages, drawbacks, and detection results of each approach. The data shows varying levels of performance and limitations in the different approaches.

1.4 Malware Behavior Analysis

The categorization of malicious executable files can be based on a wide range of factors, including execution time, network activity, registry access frequency, number of accessed files, and more. However, the most promising approach is to categorize executable files based on an examination of their behavior. Such a classification will allow for the identification of classes linked to the fundamental concepts driving the functionality and intent of malicious software. To differentiate between these classes, clustering algorithms should feed data that accurately describes the behavior of executable files. It is recommended that this information be obtained by sequencing the calls to WinAPI functions. To analyze the behavior of each file, executables are run in a virtual environment, and the API call logs of each file are saved. These features are then combined after static and dynamic features have been extracted. ML classifiers use the integrated feature set as input to identify files as malicious or benign. The header and sections of the PE structure contain the data necessary for PE files to operate on Windows. The DLL that was loaded and the function being utilized may both be identified using the IAT within PE Header. Thus, information about malignancy may be obtained from PE components without the need to execute the MC [5]. If the information has a PE structure, the header and section parts of a file have been utilized to extract a total of 55 features, including entropy and packers. By using YARA rule setting, the file’s packing information can now be found within the binary file. The YARA rule comprises tools that categorize different kinds of malicious programs depending on their signatures and can identify them. The maliciousness of code can be categorized using conventional techniques if the patterns are compared and found to be malicious.

There have been various techniques proposed and implemented to prevent malicious program executions at the client side and on cloud hosts. In this section, we will review some of the most notable techniques and their limitations. Forest et al. [6] introduced a process‐level anomaly detection method for buffer overflow and symbolic link attacks. The authors differentiated typical and unusual features using brief System Call sequences produced by an active privileged process. Researchers examined the execution of procedure System Call sequences and identified typical behavior. Lee et al. [15] distinguished between typical and abnormal patterns in UNIX processes. Using a ML approach, they discovered abuses and intrusions in UNIX processes and demonstrated RIPPER, a rule‐based training technique, was used by them to analyze information obtained from UNIX sendmail software.

A technique for identifying intrusions based on invasive System Calls was put out by Warrender et al. [16] They captured the kernel’s System Call patterns and gained knowledge of over four distinct techniques for locating intrusions based on the System Call sequences, identifying privileged processes, and studying their normal behavior. An artificial neural system was utilized by Ghosh et al. [17] to learn the normal System Call pattern of UNIX program execution. They used the Defense Advanced Research Projects Agency (DARP) dataset to establish profiles for over 150 different programs and trained a neural network for each program to recognize unusual behavior. Liao et al. [18] developed a novel method for identifying typical program behavior by using the frequencies of System Calls and classifying it as ordinary or intrusive behavior using a K‐nearest neighbor (KNN) classifier. Qing et al. [10] based their method on rough set theory. They took the System Call sequences produced during a process’s regular executions and extracted rules with the smallest possible size to build a model of the process’s typical behavior. Then, based on the normal behavioral model of the constructed process, they employed a crude set concept algorithm to detect intrusions. Sun et al. [18] recommended Collabra, which provides a filtration layer within the cloud to protect the cloud and the hosts from illegal access. A technique for automated intrusion assessment in the cloud was put out by Arshad et al. [11]. They categorized all attacks based on three security attributes: availability, confidentiality, and integrity. They used supervised and unsupervised learning techniques to create training datasets and mapped System Calls to these three attributes based on the type of attack. However, a demonstration of the approach is missing.

Using frequent System Call sequences, Hai et al. [12] presented an automated method for cloud‐based intrusion detection. They used a Hidden Markov model (HMM) to detect potential threats and an automated mining algorithm to extract frequently occurring System Call sequences. This approach, however, demands continual learning and detection resources, and the rule extraction process is computationally challenging. Sebastian et al. [19] proposed a method of introspection for detecting kernel rootkits. Based on alterations to the system state, they were able to locate rootkits. The system state was examined using a bottom‐up methodology, starting from a binary representation down to the kernel object level. The authors were successful in identifying kernel rootkits using their method. However, the analysis and reporting are complex, and the method is not architecturally independent because it is based on the kernel level. Intrusion detection in cloud environments is a crucial aspect of ensuring the security of cloud‐based systems. The traditional approach to intrusion detection involves the use of System Calls and process states to gauge the similarity of the system to itself. However, this approach has several limitations and can be ineffective in detecting slow‐moving threats. In this context, measures for self‐similarity are used to identify abnormalities in Kwon et al.’s [20] proposed self‐similarity‐based strategy for intrusion detection within the cloud.

The self‐similarity measure is computed using cosine similarity, making it a system‐wide strategy. However, this approach is not always accurate enough to identify attacks that occur gradually. Kong et al. [21] proposed an alternative approach, Ad‐joint, which uses an Ad‐joint to monitor the kernel state of the protected system. This approach provides two layers of security but also increases the demand for additional resources. Despite the efforts made to date, several research gaps still exist in the field of intrusion detection in the cloud. For instance, previous techniques have not been effectively applied to newer systems such as the cloud, which requires a distributed architecture with synchronization, log collection, alerts, and response mechanisms. Additionally, the cost–benefit analysis of using the self‐similarity‐based approach in cloud infrastructure does not support the solution’s effectiveness in identifying anomalous programs.

When it comes to identifying malicious System Calls inside the host operating system, the conventional system call pattern method is difficult and inefficient. It permits the identification of suspect system call patterns without having to look at particular applications or processes. Its efficacy is however constrained by the fact that system call patterns that were recognized as unusual once the training could occasionally occur as part of a typical execution scenario.

By saving processing and data gathering resources, methods that use the rate in System Calls for unexpected behavior detection can achieve respectable efficiency. These techniques might not always catch assaults nevertheless, especially if the attacker uses the same frequency in system call sequences but in a different order to trick the detection system. Additionally, the research on such systems [22] indicated that virtual machine monitor (VMM) layer detection is hypervisor‐dependent, rendering distributed solutions susceptible to client‐side IDS instance failure [14]. Additionally, system‐wide intrusion detection systems are less effective than program‐wide intrusion detection systems and cannot detect slow‐moving threats, where the probability of unusual system call sequence behavior indicating an intrusion is low. Despite the advances in intrusion detection in the cloud, there is still a need for effective and efficient solutions that can address the limitations of the existing approaches. Further research is necessary to address the research gaps and improve the efficacy of intrusion detection in cloud environments.

1.5 Conventional Detection Systems

Malware scanners [23] are tools that attempt to identify malicious executable files by comparing them to a known set of patterns. They typically search through each line of code in the file, looking for a unique signature represented as a hash code or string. Extracting these signatures is a challenging and time‐consuming process, and modern malware can evade scanners by changing their patterns dynamically. To overcome this, scanners are developing more sophisticated algorithms that use ML, such as analyzing machine instructions or API calls [7, 22]. For instance, systems that use machine instructions train classifiers using features derived from op‐codes. These systems may use op‐code sequences to extract features such as frequency, histogram, and others. By examining op‐codes, they typically label any potentially malicious behavior in a cloud application as benign. This may not accurately reflect reality, as the behavior could be legitimate malicious access to databases, root filesystems, or networks in a certain situation. To confirm whether the file is safe, the suspect file is temporarily monitored and isolated in a simulated environment, and marked as safe if its behavior appears reasonable based on established metrics.

Intrusion detection systems are used to prevent external attacks on an organization’s computer networks. They categorize malicious communications by monitoring incoming packets for irregularities at the entrance to a local area network [24]. However, these systems often presume that the trusted perimeter is secure and may not detect malicious activity from insiders [23]. They operate similarly to malware scanners by detecting known rules or patterns, with sophisticated systems using ML to detect more advanced network attacks. They rely on inspecting packet headers and, in some cases, packet contents.

From a ML perspective, signature‐based mechanisms classify malicious feature vectors by comparing the current feature vector with a labeled set that has already been recorded [25]. As a result, they are ineffective against 0‐day attacks. Also, behavior‐based mechanisms can be adapted, as they estimate the most recent feature vectors and learn from a provided dataset. There have been many studies in the literature that use ML methods in malicious behavior recognition systems, with most of them focusing on network communications intrusion detection systems [22, 26]. Feature vectors are extracted from various sources, for instance, user command patterns, log entries, information about lower‐layer systems, and CPU and memory use [24]. ML‐based detection systems often employ attributes such as API calls and machine commands [10]. These systems classify malware into categories such as viruses, worms, backdoors, and Trojan horses.

In the domain of malware analysis, techniques are divided into two types: signature‐based and behavior‐based [27]. Signature‐based techniques search for unique patterns in malicious files, such as distinct raw byte patterns or regular expressions. In contrast, during code execution, behavior‐based techniques get particular feature values through runtime actions and logs.

1.6 Classifying Executables by Payload Function

In this research, the focus is on the classification of malicious executables based on their payload functions, rather than on their detection. The goal is to determine if classification techniques can determine the type of malicious executable, such as whether it opens a backdoor, is sent in bulk, or is an executable virus. This aspect of the research is particularly beneficial for computer forensics experts. The first step in the process is the identification and cataloging of the characteristics of malicious executable payloads. A challenge encountered in this process is that many executables fit into multiple categories, making them multi‐class examples, which is a common problem in document classification and bioinformatics. For instance, an executable may both log keystrokes and open a backdoor, making it fall into both the keylogger and backdoor categories.

One solution to this issue is to combine compound classes with simple classes, such as backdoor + keylogger. This can be achieved by using one‐versus‐all classification, where all executables are categorized into groups based on their capabilities. For example, all backdoor‐capable executables regardless of any additional features, including keylogging, would be put inside the backdoor class, whereas every other executable would be put inside a non‐backdoor class.

The following stage is to develop a detector for something like the backdoor category, and thereafter carry out the same procedure for the other classes. The total prediction of the program may be determined by applying every detector and reporting every classifier’s prediction. For instance, if the backdoor or keylogger detectors both identify hits, the executable’s overall forecast would’ve been backdoor + keylogger.

1.7 Result and Discussion

It has been observed that the detection methods used may have simply developed the ability to recognize some obfuscation techniques, such as runtime compression, but as long as these techniques are linked to malicious executables, this does not provide a serious problem. Alternative data extraction techniques were also investigated. One concept was to create an audit of machine instructions and execute the malicious exe files in a “sandbox.” However, this strategy was abandoned owing to a number of drawbacks, including a lack of auditing tools, challenges managing a large number of interactive programs, and an inability to identify malicious activity at the conclusion of lengthy programs. Additionally, some dangerous programs have the ability to recognize when they are running inside a virtual machine (VM) and then either stop running or avoid running destructive code.