Aynur KOÇAK, Esra SÖĞÜT, Mustafa ALKAN, O. Ayhan ERDEM

Makine Öğrenimi Metotları Kullanılarak Farklı Windows PE Kötü Amaçlı Yaçzılımların Tespiti

Siber saldırıların türleri ve uygulama alanları çeşitlenerek artmaktadır. Buna bağlı olarak, saldırıların etkileri de her an sürekli artmakta veya değişmektedir. Saldırılar içerisinde malware saldırıları da çeşitlenerek kendisine siber dünyada geniş bir yer edinmiştir. Farklı tekniklerin ve yöntemlerin de kullanılmasıyla malware saldırılarının hem tespiti hem de engellenmesi konularında sorunlar yaşanmaktadır. Bu sorunlar ise sistemlerin siber güvenliğinin tam olarak sağlanamamasına neden olmaktadır. Bu durumlardan dolayı çalışmada farklı malware saldırıları ele alınmış ve saldırıların Windows güvenliği üzerindeki etkileri incelenmiştir. AyEs adı verilen bir test yatağı hazırlanmıştır. Screenshot, vnc gibi kurban sistemi ele geçirmeyi veya bozmayı amaçlayan farklı saldırılar gerçekleştirilmiştir. Saldırılar sonucunda elde edilen sistem ağ paketleri dinlenerek AyEs veri seti oluşturulmuştur. Veri seti önişlemlerden geçirilerek analize uygun hale getirilmiştir. Malware saldırılarının tespiti için veri seti üzerinde Naive Bayes, J48, BayesNet, IBk, AdaBoost ve LogitBoost gibi makine öğrenmesi yöntemleri kullanılmıştır. Yapılan analizler sonucunda yüksek performans sağladığı görülen J48 ve IBk yöntemleri çalışmada önerilmiştir. Bu sayede, Windows sistemlerine yönelik olası saldırı durumlarına uygun olan tespit sistemlerinin kolaylıkla ve etkin şekilde uygulanması sağlanacaktır. Ayrıca saldırı tespitine ek olarak saldırı türü belirlenmesinde de etkin rol üstlenilecektir.

Anahtar Kelimeler:

Kötücül yazılım, test yatağı, Windows sistem, Veri seti, makine öğrenimi

Detection of Different Windows PE Malware Using Machine Learning Methods

The types and application areas of cyber attacks are increasing and diversifying. Accordingly, the effects of attacks are constantly increasing or changing every moment. Among the attacks, malware attacks also have diversified and gained a wide place in the cyber world. With the use of different techniques and methods, there are problems in detecting and preventing malware attacks. These problems cause the systems' cyber security not to be fully ensured. Due to these situations, different malware attacks are discussed in the study, and the effects of attacks on Windows security are examined. A test-bed called AyEs has been prepared. Different attacks have been carried out, such as screenshots, vnc, aimed at hijacking or corrupting the victim system. The AyEs dataset was created by listening to the system network packets obtained due to the attacks. The dataset was preprocessed and made suitable for analysis. Machine learning methods such as Naive Bayes, J48, BayesNet, IBk, AdaBoost and LogitBoost were used on the dataset to detect malware attacks. J48 and IBk methods, which were found to provide high performance as a result of the analyzes, were suggested in the study. In this way, detection systems suitable for possible attack situations against Windows systems will be implemented easily and effectively. In addition to attack detection, an active role will be assumed in determining the type of attack.

Keywords:

machine learning, Windows system, dataset, Malware, testbed,

PDF

___

[1] Mithal, T., Kshitij S., and Dushyant K. S., ”Case studies on intelligent approaches for static malware analysis”, Emerging Research in Computing, Information, Communication and Applications, Springer, Singapore, 555-567, (2016).
[2] Vatamanu, C., et al., ”A comparative study of malware detection techniques using machine learning methods”, Int. J. Comput. Electr. Autom. Control Inf. Eng., 555-567, (2016).
[3] Al-Janabi, M., and Altamimi, A. M., "A Comparative Analysis of Machine Learning Techniques for Classification and Detection of Malware," The 21st International Arab Conference on Information Technology, 1-9, (2020).
[4] Huang, X., Ma, L., Yang, W. et al., “A Method for Windows Malware Detection Based on Deep Learning”, J Sign Process Syst, 93, 265–273, (2021).
[5] Upadhayay, M., Sharma, A., Garg, G., and Arora, A., "RPNDroid: Android Malware Detection using Ranked Permissions and Network Traffic", The Fifth World Conference on Smart Trends in Systems Security and Sustainability, 19-24, (2021).
[6] Krcal, M., Svec, O., Balek, M., and Jasek, O,. “Deep convolutional malware classifiers can learn from raw executables and labels only”, International Conference on Learning Representations Workshop Track, (2018).
[7] Diaz, J. A., and Bandala, A., "Portable Executable Malware Classifier Using Long Short Term Memory and Sophos-ReversingLabs 20 Million Dataset", TENCON 2021 - 2021 IEEE Region 10 Conference, 881-884, (2021).
[8] KP. A. M., Chandran, S., Gressel, G., Arjun, T. U., and Pavithran, V., "Using Dtrace for Machine Learning Solutions in Malware Detection", The 11th International Conference on Computing, Communication and Networking Technologies, 1-7, IEEE, (2020).
[9] Irshad, A., Maurya, R., Dutta, M. K., Burget, R., and Uher, V., “Feature optimization for run time analysis of malware in windows operating system using machine learning approach”, The 42nd International Conference on Telecommunications and Signal Processing, 255-260, IEEE, (2019).
[10] Anderson, H., and Roth, P., “EMBER: An Open Dataset for Training Static PE Malware Machine Learning Models”, 2018, ArXiv, abs/1804.04637.
[11] Internet: Wireshark, www.wireshark.org.
[12] Internet: “KDD Cup 1999 Data”, kdd.ics.uci.edu/databases/kddcup99/kddcup99.html.
[13] Internet: “Weka 3: Machine Learning Software in Java”, https://www.cs.waikato.ac.nz/ml/weka/.
[14] Söğüt, E. & Erdem, O. A., Endüstriyel Kontrol Sistemlerine (SCADA) Yönelik Siber Terör Saldırı Analizi. Politeknik Dergisi, 23 (2), 557-566, (2020).
[15] Choudhary, S., and Sharma, A., "Malware Detection & Classification using Machine Learning", International Conference on Emerging Trends in Communication, Control and Computing, 1-4, (2020).
[16] Quinlan, J. R., “Induction of Decision Trees”, Machine learning, 1(1), 81-106, (1986).
[17] Kasım, Ö., “Malicious xss code detection with decision tree”. Journal of Polytechnic, 23 (1), 67-72, (2020).
[18] Türkoğlu, M., Polat, H., Koçak, C., and Polat, O., “Recognition of DDoS attacks on SD-VANET based on combination of hyperparameter optimization and feature selection”, Expert Systems with Applications, 203, (2022).
[19] Nahar, N., Ara, F., Neloy, M. A. I., Barua, V., Hossain, M. S., and Andersson, K., "A Comparative Analysis of the Ensemble Method for Liver Disease Prediction", The 2nd International Conference on Innovation in Engineering and Technology, 1-6, (2019).
[20] Koç, K. , Demirtaş, M. & Çetinbaş, İ., Parameter “Extraction of Photovoltaic Models by Honey Badger algorithm and Wild Horse Optimizer”. Journal of Polytechnic, (Erken Görünüm), (2023).
[21] Oduro, M. S., Yu, H., and Huang, H., "Predicting the Entrepreneurial Success of Crowdfunding Campaigns Using Model-Based Machine Learning Methods", The International Journal of Crowd Science, 6(1), 7-16, (2022).
[22] Hashim, A. S., Awadh, W. A., and Hamoud, A. K., “Student performance prediction model based on supervised machine learning algorithms”, IOP Conference Series: Materials Science and Engineering, 928(3), 032019, IOP Publishing, (2020).