
Aspects of Malware: Detection and Analysis Essay


Introduction

Organizational culture has become more reliant on laptops and other technological gadgets. Every element of life for individuals, corporations, and governments is dependent on computer technology. Customers’ payment information is stored in business databases, but the data also contains other types of information that can be used for marketing purposes. Keeping track of a patient’s medical history helps hospitals assess the appropriate level of treatment and billing. It is impossible to tell what the government is gathering in its databases (Wazid et al., 2019).

Personal images and chats, as well as daily routines and financial information, may all be found in an individual phone’s database. Having so much stored data means that those who want to unlawfully access and acquire it have endless resources at their disposal. Attacks are typically carried out remotely, generally from a country other than the targeted one. Understanding what malware is is necessary before any investigation can begin. Malware is classified depending on a variety of factors, including how it influences the system, how it spreads, how it performs, and the malicious software’s intended purpose. Malware detection and analysis enable organizations to identify and respond to malicious software attacks before they cause harm to their systems.

Malware

Many different types of harmful software fall under the umbrella term ‘malware’, including viruses, worms, Trojans, spyware, and others. Malware detection is challenging in part because of the sheer volume and variety of both known and new threats (Jahromi et al., 2020). Viruses, worms, and Trojan horses are all instances of malware. A computer virus is a piece of code that infects other programs and then replicates itself. The virus’s host is the software it has infected (Pan et al., 2020).

The fact that viruses require a host in order to operate is a crucial point. A virus cannot harm a computer unless it has an existing host application (Amer et al., 2020). For example, a virus might attach itself to a software utility such as a word processing program to gain access to a computer system. The virus may then be activated by opening the word processing program, after which it could, for example, replicate itself and disable the computer system’s malware detectors.

A computer worm can replicate itself without the help of any other software, since it can run its own code. Viruses require a host to spread, but worms do not need a host to inflict harm. Viruses and worms also differ in their manner of transmission (Tajoddin et al., 2019). Viruses often proliferate by infecting applications and data on a single machine (Hein & Myo, 2018). Worms, by contrast, propagate over network links with the purpose of infecting all of the computers connected to the network.

A Trojan horse is a malicious program that is placed in a system or application by its creator. Even while it appears to do something helpful, such as providing local weather information, the program may in reality be collecting the user’s keystrokes and transferring them to a malicious server. It is well known that Trojan horses can obtain and transmit data illegally from their host computer systems (Venkatraman et al., 2019). Certain types of Trojan horses may also be described as spyware. Such theft is not the only way malware planted by its creator may do damage (Amer et al., 2021). The infection might also be a ticking time bomb: for example, malware may carry an instruction such as “On March 20, 2023, the compromised system will be configured to reject all requests for services.”

It was not until 1982 that the first computer virus was discovered. Elk Cloner was built to ‘clone’ itself onto newly inserted hard drives attached to the network in order to infect Apple’s operating system. Once the virus was activated, a poem describing how Elk Cloner duplicated itself would appear on the victim’s computer. Malware made its debut on January 20, 1999, when the Happy99 worm swept across the globe. The malware propagated via email and infiltrated the Windows operating system undetected (Jeon et al., 2020).

In typical malware fashion, users were instructed to click on a Happy New Year-themed animated fireworks graphic, which downloaded a worm into their system’s Winsock. Researchers were dismayed to discover that malware could be generated by someone with only basic computer skills using freely available tools distributed over the Internet (Hamed et al., 2020). This simplicity turned malware writing into a contest of skill for those who simply wanted to become famous for producing it.

By the turn of the millennium, malware had become widely available. Within 15 minutes of its release, the ‘I Love You’ worm, also known as ‘Love Letter,’ infected more than a million computers throughout the world. In today’s computing environment it has become a race to develop the most effective mechanisms for detecting and blocking malware (Moussaileb et al., 2021). Malware evolves at such a rapid pace that it no longer makes headlines unless it causes significant damage to a company’s operations or the lives of its customers (Luo et al., 2021).

One of the most recent types of malware to spread is ransomware. Users are locked out of their computers until a ransom has been paid to restore access. The Romantik Seehotel Jaegerwirt incident is an example of ransomware. When guests began complaining one morning about being locked out of their rooms, the hotel realized it had fallen victim to ransomware. Issuing new keycards had no effect (Kang et al., 2018). The hotel received an email demanding payment in bitcoins to get the room keys working again. The staff could do little about it, since the hotel was fully occupied and guests needed access to their rooms.

Malware Trends

Malware authors are using ever more complex techniques in an effort to remain undetected. Almost every known attack approach has been incorporated to make malware more difficult to defend against. It is common for malware authors to include many functions in a single malicious payload (Jerlin et al., 2018). Server and client components of malware can also be used to relay proxy activity through a machine that has been infected (Yildiz & Doğru, 2019). The resource sections of Windows binaries can be used to embed these extra components in Windows malware. Malware may choose to create its own installation directory deep within the installed program’s hierarchy in an attempt to conceal itself from curious users. Antivirus software that is already installed on a computer can be fooled using a variety of methods.

A simple but effective strategy is to add entries for the hosts used by antivirus updates to the system’s hosts file. The hosts file is an easy-to-read text file in which IP addresses and hostnames are mapped to each other (Vinayakumar & Soman, 2018). Many carriage returns are inserted at the end of the legitimate host records before the malicious entries are appended, in the belief that a casual observer will not scroll down far enough to notice them (Jaramillo, 2018). By making antivirus updates fail, an infection can be hidden for lengthy periods. Malware producers are also increasingly using rootkit techniques to conceal the existence of their software.
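The hosts-file trick just described can be checked for from the defender's side. The following Python script is an added example, not part of the original essay: it parses a constructed hosts file and flags both antivirus update hostnames redirected to the local machine and entries pushed below a long run of blank lines. The antivirus hostnames and the blank-line threshold are assumptions.

```python
import ipaddress

# Constructed sample hosts file (not from any real system). The last two
# entries sit below a long run of blank lines, mimicking the trick described
# in the text.
SAMPLE_HOSTS = (
    "127.0.0.1 localhost\n"
    "::1 localhost\n"
    + "\n" * 200
    + "127.0.0.1 update.example-av.test\n"
    + "0.0.0.0 liveupdate.example-av.test\n"
)

# Hypothetical hostnames the organisation's antivirus product contacts for
# updates; a real list would come from the vendor's documentation.
AV_UPDATE_HOSTS = {"update.example-av.test", "liveupdate.example-av.test"}

# Consecutive blank lines before an entry that we treat as suspicious (assumed).
BLANK_RUN_THRESHOLD = 20


def parse_hosts(text):
    """Return one dict per valid mapping line: line number, IP, hostnames and
    how many blank lines immediately preceded the entry."""
    entries = []
    blank_run = 0
    for lineno, raw in enumerate(text.splitlines(), start=1):
        if not raw.strip():
            blank_run += 1
            continue
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        parts = line.split()
        if len(parts) >= 2:
            try:
                ipaddress.ip_address(parts[0])
            except ValueError:
                pass   # not an address-to-name mapping; ignore the line
            else:
                entries.append({
                    "line": lineno,
                    "ip": parts[0],
                    "hosts": [h.lower().rstrip(".") for h in parts[1:]],
                    "blank_before": blank_run,
                })
        blank_run = 0
    return entries


def audit_hosts(text, av_hosts=AV_UPDATE_HOSTS, blank_threshold=BLANK_RUN_THRESHOLD):
    """Return (kind, line, ip, hostname) findings for an antivirus update host
    pointed at the local machine, and for entries hidden below a blank run."""
    findings = []
    for entry in parse_hosts(text):
        addr = ipaddress.ip_address(entry["ip"])
        # 127.0.0.0/8, ::1, 0.0.0.0 and :: all make the update server unreachable
        sinkholed = addr.is_loopback or addr.is_unspecified
        for host in entry["hosts"]:
            if sinkholed and host in av_hosts:
                findings.append(("av_update_sinkholed", entry["line"], entry["ip"], host))
        if entry["blank_before"] >= blank_threshold:
            findings.append(("hidden_after_blank_run", entry["line"], entry["ip"], entry["hosts"][0]))
    return findings


if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE_HOSTS):
        print(*finding)
```

On a real machine, read the contents of the platform's hosts file into `audit_hosts` instead of `SAMPLE_HOSTS`.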

The majority of malware will continue to operate even if a system is rebooted. Persistence can be obtained by adding entries to system startup routines that force the malware to run (Hampton et al., 2018). On Windows computers this has developed into making particular registry changes to achieve the same effect. Windows Explorer and Microsoft Internet Explorer extensions can be used to register malware components in the registry (Khan et al., 2019). In recent years, malware has begun to install itself as an operating system (OS) program or device driver so that its malicious features activate at system startup and run at the kernel level.

De-Obfuscating Malware

Obfuscation is the act of altering something so that its actual purpose cannot be discovered. It is common for malware to employ obfuscation techniques to thwart automated and manual analysis of the code (Noor et al., 2018). Obfuscation can be dealt with in two ways. One alternative is simply to ignore it, which leaves the response team with no choice except to observe the malware’s behavior in a carefully instrumented setting. The other is to oppose the obfuscation: remove the obscuring encoding and then use standard tools such as disassemblers and debuggers to study the underlying software.

Malware authors are well aware that analysts will try to see through any obfuscation; thus, they build their malware with characteristics that make de-obfuscation challenging. As long as the malware must run on a target CPU, however, de-obfuscation can never be rendered impossible, since the code can always be observed using some combination of hardware and software techniques. Packers is the generic term for tools used to disguise compiled binary code (Sasidharan & Thomas, 2021).

One method of obfuscating a binary program is to compress it, as compressed data looks far more random and no longer resembles machine language. The packed program must nevertheless remain a legitimate executable for the platform so that the destination machine can still run it (Souri et al., 2018). The most basic packers compress the code and data sections of a binary. Some of the more advanced packers are capable of both compressing and encrypting the binary’s sections. Unpacking binary files may be done with a variety of tools.
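The observation that compressed or encrypted sections look random is what analysts exploit to spot packed binaries. The Python script below is an added example, not from the original essay or any packer's code: it computes the Shannon entropy of fixed-size windows over three constructed byte streams (a plain assembly-like listing, the same listing compressed with zlib, and pseudo-random bytes standing in for an encrypted section) and flags a sample as "packed" when most windows are near the 8-bit ceiling. The window size and thresholds are assumptions.

```python
import math
import random
import zlib
from collections import Counter

WINDOW = 1024          # bytes per entropy window (assumed)
HIGH_ENTROPY = 7.0     # bits/byte; plain code and text rarely get this high (assumed)
PACKED_FRACTION = 0.5  # flag when at least half of the windows are high-entropy (assumed)


def shannon_entropy(data):
    """Bits of entropy per byte: 0.0 for an empty buffer, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def entropy_profile(data, window=WINDOW):
    """Entropy of each consecutive window, in file order."""
    return [shannon_entropy(data[i:i + window]) for i in range(0, len(data), window)]


def looks_packed(data, threshold=HIGH_ENTROPY, fraction=PACKED_FRACTION):
    """True when a large enough share of windows is near-random."""
    profile = entropy_profile(data)
    if not profile:
        return False
    high = sum(1 for e in profile if e >= threshold)
    return high / len(profile) >= fraction


def build_samples(seed=7):
    """Constructed inputs: a low-entropy listing, its zlib-compressed form,
    and random bytes as a stand-in for an encrypted section."""
    rng = random.Random(seed)
    listing = "".join(
        f"mov eax, 0x{rng.randrange(1 << 16):x}; call sub_{rng.randrange(1000)}\n"
        for _ in range(3000)
    ).encode()
    return {
        "plain": listing,
        "compressed": zlib.compress(listing, 9),
        "encrypted_like": rng.randbytes(4096),
    }


def classify_samples(seed=7):
    """Map each constructed sample name to the packed/not-packed verdict."""
    return {name: looks_packed(data) for name, data in build_samples(seed).items()}


if __name__ == "__main__":
    for name, data in build_samples().items():
        print(f"{name:15s} entropy={shannon_entropy(data):.2f} packed={looks_packed(data)}")
```

Against a real file, read the section bytes (or the whole file) and pass them to `entropy_profile` to see where the high-entropy region starts; a small unpacking stub followed by a near-random body is the classic packer layout.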

Detection

Organizations need a malware detector in order to apply the various malware detection methods. The malware detector tries to keep the system safe by looking for suspicious activity. An antimalware program may or may not reside on the machine it protects. Malware detection is carried out by the malware detector, and testing its recognition capabilities is an empirical way of evaluating infection discovery systems. A malware detector requires two inputs, one of which is its knowledge of what constitutes harmful activity.

Anomaly-based detection, based on its understanding of what is expected, recognizes abnormal activity as such (Yang et al., 2020). The program being examined must also be provided as input to the malware detector. For the malware detector to determine whether a program is malicious or benign, it must know what constitutes harmful activity, what comprises acceptable behavior, and the program itself.

Anomaly-based and signature-based identification are the two main kinds of malware detection techniques. A program’s maliciousness can be determined using an anomaly-based detection approach, which relies on prior knowledge of what defines normal behavior. Specification-based detection is a variant of anomaly-based detection. In order to determine the maliciousness of an application under investigation, a specification-based method uses a set of requirements or rules describing acceptable behavior. Programs that violate the specification are treated as both anomalous and malicious (Sihwail et al., 2018). A program’s maliciousness can be determined via signature-based detection by comparing it to a list of known threats. The success of a signature-based detection system relies on the categorization, or signature, of malicious conduct.

Each detection approach can use static, dynamic, or hybrid identification methods. Anomaly-based and signature-based forms are further differentiated by how they collect and analyze the data they use to identify malware (Witte, 2020). Static analysis examines the program’s syntax or structural features to determine whether it is harmful (Arif et al., 2021). A static signature-based technique that uses only structural data, such as a sequence of bytes, does not, for example, analyze the runtime state of the program under inspection (PUI) to assess maliciousness. Static methods commonly detect malware before the program starts. In contrast, a dynamic method aims to detect harmful activity during or after the execution of a program.

In most cases, anomaly-based detection entails two stages: the initial setup, which encompasses training and education, and ongoing monitoring. The detector tries to learn typical behavior throughout the training phase. During the training phase, the detector may observe the PUI’s behavior, the host’s conduct, or any mix of the two (Zhang et al., 2019a). Detecting zero-day threats is a fundamental benefit of anomaly detection. The high false alarm rates and the difficulty in selecting which characteristics should be learned during training are major drawbacks of this method.

In a dynamic anomaly-based approach, information obtained during the program’s execution is used to spot malicious program code. While the program under investigation is running, the detection phase checks for any discrepancies between what was learned in the training phase and what is actually taking place. Static anomaly-based detection instead employs file structure features to identify malicious code (Euh et al., 2020). An important benefit of static anomaly-based detection is that it can identify malware without allowing the virus-carrying application to run on the host system, which is a significant data security advantage.

The widespread use of Internet of Things (IoT) devices has resulted from their enhanced convenience and efficiency. Popular IoT gadgets include intelligent personal assistants such as Amazon Alexa and smart thermostats like Nest. The general population’s quick and extensive embrace of IoT devices has led to new security problems. These newly digitized gadgets are already malware targets, and many more will undoubtedly become targets soon. An et al. (2018) set out to develop a model that uses OS system call data to distinguish easily between the regular functioning of an Amazon Alexa Virtual Assistant IoT device and the abnormal operation caused by malware infections. Behavioral anomaly detection extracts characteristics from sequences of system calls for the anomaly detector. When a malicious process begins operating, its system call logs will likely not resemble any presently executing or previously observed benign traces.

A one-class support vector machine paired with the Cumulative Sum test or the Shiryaev-Roberts algorithm was used to evaluate the effectiveness of an online anomaly detector in detecting malware incidents on Amazon Alexa voice-enabled IoT devices. Preliminary experimental findings indicate that the anomaly sensor can quickly detect the presence of the malicious software samples investigated in the research with a high degree of precision, using just a small amount of training data. Regardless of the current absence of widespread malicious software for IoT devices, the predicted developments in the near future will undoubtedly draw a variety of malware attacks (An et al., 2018). Malware identification on IoT devices is not challenging because of their highly specific and, thus, predictable expected behavior, given massive training sets, extended testing vectors, and considerable computing capacity.
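As an added illustration of the system-call anomaly detection idea described in the two paragraphs above (this is example code, not the model of An et al., 2018), the Python sketch below learns the 3-grams present in constructed benign traces of a hypothetical assistant process and then runs a simplified Cumulative Sum (CUSUM) statistic over the novelty of each sliding window of a live trace, raising an alarm once unfamiliar call patterns accumulate. The traces, window size, drift and alarm threshold are all constructed assumptions.

```python
from collections import deque

N = 3        # n-gram length (assumed)
WINDOW = 8   # system calls per sliding window (assumed)
DRIFT = 0.2  # CUSUM reference value: novelty below this is treated as noise (assumed)
ALARM = 1.0  # CUSUM decision threshold (assumed)

# Constructed benign system-call traces of a hypothetical assistant process.
BENIGN_TRACES = [
    ["socket", "connect", "write", "read", "close", "open", "read", "close"],
    ["open", "read", "read", "close", "socket", "connect", "write", "read"],
    ["poll", "ioctl", "read", "write", "socket", "connect", "write", "read"],
]

# Constructed live traces: one made only of benign behaviour, one where normal
# activity is followed by calls the assistant has no reason to make.
NORMAL_TRACE = BENIGN_TRACES[0] + BENIGN_TRACES[1]
SUSPECT_TRACE = BENIGN_TRACES[0] + ["fork", "execve", "chmod", "connect", "write", "write", "read"]


def ngrams(seq, n=N):
    """All consecutive n-tuples of a call sequence."""
    return [tuple(seq[i:i + n]) for i in range(len(seq) - n + 1)]


class SyscallAnomalyDetector:
    """One-class model: the set of n-grams seen in benign traces, combined
    with an online CUSUM test over the novelty of each sliding window."""

    def __init__(self, n=N, drift=DRIFT, alarm=ALARM):
        self.n, self.drift, self.alarm = n, drift, alarm
        self.known = set()

    def train(self, traces):
        for trace in traces:
            self.known.update(ngrams(trace, self.n))

    def novelty(self, window):
        """Fraction of the window's n-grams never seen during training."""
        grams = ngrams(window, self.n)
        if not grams:
            return 0.0
        return sum(1 for g in grams if g not in self.known) / len(grams)

    def monitor(self, stream, window=WINDOW):
        """Walk the live trace call by call. Returns (index of the call that
        triggered the alarm, or None, and the list of CUSUM scores)."""
        buf = deque(maxlen=window)
        score, scores = 0.0, []
        for i, call in enumerate(stream):
            buf.append(call)
            if len(buf) < self.n:
                continue
            # CUSUM: accumulate novelty above the drift, never below zero
            score = max(0.0, score + self.novelty(list(buf)) - self.drift)
            scores.append(score)
            if score >= self.alarm:
                return i, scores
        return None, scores


def run_demo():
    """Train on the benign traces and monitor both live traces."""
    detector = SyscallAnomalyDetector()
    detector.train(BENIGN_TRACES)
    return detector.monitor(NORMAL_TRACE)[0], detector.monitor(SUSPECT_TRACE)[0]


if __name__ == "__main__":
    normal_alarm, suspect_alarm = run_demo()
    print("normal trace alarm index:", normal_alarm)
    print("suspect trace alarm index:", suspect_alarm)
```

A single unseen 3-gram per window stays below the drift and is absorbed, which is what keeps the false alarm rate down; only a sustained run of unfamiliar calls pushes the statistic over the threshold.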

To address the issue of identifying unknown attacks, Saridou et al. (2022) state that binary visualization can be of significant assistance in developing a signature-free system. Binary visualization, the translation of byte-level data into an image, is an applicable technique for security applications interested in detecting malicious behavior. In practice, however, binary visualization has long been seen as having significant limits when dealing with massive amounts of data, making it an unlikely fit for the central component of an intrusion detection system (IDS). This is because converting the flow of bytes into an image format requires computing time. Artificial intelligence systems that rely on color tone changes for pattern identification would overburden the procedure. A fast binary visualization model may assign a distinct color tone to each byte, allowing the tone to be influenced by neighboring byte values while maintaining ideal locality-sensitive indexing.

To overcome this issue, Saridou et al. (2022) created several hardware configurations to test the chosen methods by executing the image conversion algorithms directly on Graphics Processing Units (GPUs). This was accomplished by upgrading the Signature Agnostic Malware Detection (SAGMAD) prototype to run in parallel with Compute Unified Device Architecture in Python (PyCUDA), using the High-Performance Computing (HPC) resources of the Greek Research and Technology Network (GRNET).

Saridou et al. (2022) used 5,000 infected and benign files of varying sizes for their experiment. The technique was evaluated on several platforms, including GRNET’s High-Performance Computing services. In a desktop environment, larger files could be converted in around 0.5 seconds thanks to further reductions in computing time. Their performance was compared against existing machine learning-based detection systems that used conventional binary visualization. SAGMAD obtained 92 percent accuracy, 91 percent precision, 93 percent recall, and an F-score of approximately 92 percent when evaluated against prior binary visualization programs using their parameterization method. The outcomes surpassed malware file-based studies and were comparable to network intrusion applications. The findings indicate that the technique is a promising mechanism for a fast AI-based signature-free IDS.

Detection Capabilities

Treating each compromised computer as an isolated entity is insufficient to combat malicious software effectively. Too frequently, companies make the mistake of seeing malware infestations as a sequence of discrete incidents (Naeem et al., 2020). For every malicious application identified, the IT team simply cleans up or reimages the affected hosts and continues ordinary operating activities. Malware authors are becoming more creative in their attacks, and this approach does not keep pace with the ever-changing threat landscape (Karbab & Debbabi, 2019).

Even in a corporate context, combating attacks requires more than just finding malicious software on servers and computers; it also involves identifying and disrupting malware usage on the system. To enhance data security, organizations should uncover and limit malware propagation attempts before they cause great harm (Kouliaridis & Kambourakis, 2021). When thousands of workstations are connected in a loose network to fulfill a wide range of functions, malware events must be considered part of a broader security incident cycle. Plan, Resist, Detect, and Respond are the four main phases of the process.

Phase 1: Plan

Identifying and understanding the current threat landscape is the first step in securing one’s computing environment. Organizations should also designate an incident response team and specify its roles and duties for security incidents (Daoudi et al., 2022). Understanding the looming threat in the computing environment is the first step in designing a strategy for preventing, detecting, and responding to malware. This procedure entails assessing the likelihood of coming into contact with various types of infection vectors (Bernardi et al., 2019). For example, popular methods by which malicious activity infiltrates systems include flaws in client-side applications on computers, defects in network-accessible programs in data centers, and social engineering methods, which are sometimes components of malware distribution strategies. Removable devices, such as USB drives, and weak passwords for system accounts are also included.

To protect an organization, it is essential to know which malware vectors are most likely to pose a threat and which technologies and processes may be used to stop infection from spreading through them. When creating an anti-malware architecture, a number of questions must be answered. It is then important to think about what malware may do after infecting an enterprise’s systems (Yadav, 2019).

Common malware features include retrieving updates and commands, stealing data such as credit card information, and spreading over networks to new computers. Malware cannot compromise data security if an organization’s response teams know how to make its installation or continued operation difficult (Firdaus et al., 2018). As part of the plan to identify and disrupt these actions, it is critical to include servers, networking equipment, and the network perimeter.

Another critical factor to keep in mind is that not all information resources can be safeguarded with the same rigor, due to budget constraints. Prioritizing possible malware targets across the firm, such as personal information, is essential, keeping in mind the organization’s cost constraints (Syrris & Geneiatakis, 2021). The malware security policy should be designed accordingly. Data that are vital for business operations must be prioritized when planning IT budgets. The response team should not forget to include procedures for malware detection and reaction to security events in the design, as well as preventative security controls (Sihwail et al., 2019). An organization’s security incident response is guided by the rules and procedures developed during the planning phase, which frequently include architectural blueprints and product recommendations.

Phase 2: Resist

Once a good plan is in place, it is necessary to install and manage an effective antivirus package, lock down the configuration, and regulate what applications are running. Safeguarding and restricting web browsing habits and limiting user access permissions and privileges are important considerations, in addition to restricting network access, both inbound and outbound (Tahir, 2018). Furthermore, it is critical to apply security updates on a regular basis, enforce change management procedures, and spot, investigate, and respond to abnormalities (Ma et al., 2019). In the battle to remove malware, one might say that the best defense is a well-executed offense (Zhu et al., 2020). In other words, companies must take precautions against malicious software attacks in advance, adopting the security rules defined during the planning stage of the process.

With malware, the action plan is generally well defined and easy to follow. Typical activities include installing and updating an effective antivirus package, configuring the operating system, regulating which applications are running and permitted to execute, and restricting outgoing and incoming network access (Omer et al., 2021). It is also necessary to keep up with security update deployments, enforce change management procedures, detect abnormalities as they arise, and limit user account access in order to reduce user privileges (Singh et al., 2019). Even on a single computer this is work; deploying these protections across thousands of systems is a considerable undertaking for most companies.

A wide range of considerations is taken into account at the company level. Systems must serve a wide range of business needs. Building a uniform set of security controls is difficult because of the wide range of customization and usage choices available to diverse users and departments (Zhang et al., 2019b). In big corporations, especially those that use laptops, the geographic spread of systems is a second issue to be considered (Namanya et al., 2020). Systems can be difficult to safeguard if the IT team is unable to reach them or if they access the network from a variety of places. Taking action across many different systems is challenging, which brings the response team to its final consideration (Kabakus, 2019). Remotely operating thousands of systems raises scalability and logistical issues that do not arise when a security administrator manages a single server.

Deploying some type of corporate management scheme, such as an enterprise management system (EMS), is the answer to these underlying malware problems. It is feasible to resist security vulnerabilities at the system level by using EMS software to collect inventory data, remotely execute instructions, manage programs, and control configuration across several systems in a scalable way (Wang et al., 2019).

A few examples of commercial EMS software include ZENworks, Symantec Novell ZENworks, and Altiris. Fortunately, many EMS features are already built into the Group Policy capability of Microsoft Active Directory deployments (Singh & Singh, 2021). It is important to remember that fighting malware necessitates action on both the system and the network level (Vinayakumar et al., 2019). As part of an enterprise’s overall security architecture, several network safety techniques can aid in the battle against malware.

It is vital to limit traffic from less trusted networks, such as the World Wide Web, to the organization’s central systems to prevent malware from spreading. Controlling network connections and blocking access to dangerous IP addresses and domains prevents malware from exfiltrating data, updating itself, or communicating with the attacker (Arslan et al., 2019).

Network access control (NAC) solutions can be used to mitigate the dangers provided by highly susceptible or infected hosts by restricting the number of systems authorized to connect directly to the internal network (Kouliaridis et al., 2020). Additional security measures, such as data theft mitigation or comparable technologies, hinder the capacity of malicious software to convey sensitive details to an attacker. However, it is unrealistic to expect even the most advanced security measures to prevent all malware attacks (Suaboot et al., 2020). The impact of an attack is frequently determined by how quickly it can be discovered and remedied.

Phase 3: Detect

Detecting the infection is the only way to take action effectively. Once malware is detected, the response teams can prepare to fight it, but they must first identify it in order to react successfully. The sooner they can locate it, the easier it is for them to respond and reduce the possible harm (Surendran et al., 2020). Consequently, they prevent the infection from spreading to more computers. Antivirus software is sometimes the only way to detect malware in organizations that lack advanced antimalware strategies (Carlin et al., 2019).

Antivirus software is a fantastic starting point but is not the only tool needed to protect systems against malware. Static signatures are no longer a viable way to detect malware, while behavioral and heuristic techniques, which are used to identify malicious programs, are still in need of development (Huang et al., 2021). An antivirus program alone is not sufficient since malware creators can often design their inventions to circumvent detection by antimalware software.

Organizations must use a range of methods to discover and trace malware in order to safeguard their systems more efficiently. In some instances, change detection technologies are used to uncover unauthorized alterations to the file system and network device configurations, or end users are educated on how to identify and report suspected malware events (Xiaofeng et al., 2019). Another method is instructing IT staff to conduct a preliminary investigation to determine whether a possibly infected system is compromised and to analyze security event logs for suspicious activity, such as unsuccessful login attempts (Feizollah et al., 2018). Detecting malware in incoming and outgoing network data is a common use of intrusion detection systems in many businesses (Yousefi-Azar et al., 2018). The Sguil and Argus programs can aid with this and other similar activities by examining NetFlow data for abnormalities in network connections or attempts to connect to known malicious sites.

Domain name system (DNS) logs may be used to discover internal systems that attempt to resolve suspicious domain names, which can then be blocked. To begin a malware investigation, a single system may be examined, allowing the network manager to identify symptoms of infection, referred to as indicators of compromise, which can then be used to find the malware elsewhere on the company’s workstations. This information might be used to examine the network traffic or the configuration of several systems in the company to find other infected computers (Sihwail et al., 2021). YARA is a free tool that can search a system for custom indicators of compromise and analyze the results (Amer & Zelinka, 2020). Tools like F-Response Enterprise, HBGary Responder, and Mandiant Intelligent Response, as well as EMS solutions, can help with this task.
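The pivot described above, from indicators found on one system to other infected hosts via DNS logs, can be scripted. The following Python is an added example, not part of the original essay or any of the tools it names: it parses constructed resolver log lines in a hypothetical key=value format, skips malformed lines, and reports every internal client that resolved a placeholder indicator domain or one of its subdomains.

```python
import re
from collections import defaultdict

# Constructed resolver log in a hypothetical key=value format (not a real
# product's format). One line is deliberately malformed.
SAMPLE_DNS_LOG = """\
2024-05-01T08:00:01Z client=10.0.5.23 query=updates.vendor.test type=A rcode=NOERROR
2024-05-01T08:00:07Z client=10.0.5.23 query=c2-beacon.bad.test type=A rcode=NOERROR
2024-05-01T08:00:09Z client=10.0.5.41 query=intranet.corp.test type=A rcode=NOERROR
this line is garbage and must be skipped
2024-05-01T08:01:15Z client=10.0.7.12 query=c2-beacon.bad.test type=A rcode=NOERROR
2024-05-01T08:02:30Z client=10.0.5.23 query=cdn.dropper.bad.test. type=TXT rcode=NOERROR
2024-05-01T08:03:00Z client=10.0.7.12 query=www.example.test type=A rcode=NXDOMAIN
"""

# Placeholder indicators of compromise gathered from the first system examined.
IOC_DOMAINS = {"c2-beacon.bad.test", "dropper.bad.test"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\S+) query=(?P<query>\S+) "
    r"type=(?P<qtype>\S+) rcode=(?P<rcode>\S+)$"
)


def parse_dns_log(text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for raw in text.splitlines():
        match = LINE_RE.match(raw.strip())
        if match:
            rec = match.groupdict()
            # normalise: lower-case and drop a trailing root dot
            rec["query"] = rec["query"].lower().rstrip(".")
            yield rec


def matches_ioc(query, iocs=IOC_DOMAINS):
    """True if the query is an indicator domain or a subdomain of one."""
    query = query.lower().rstrip(".")
    return any(query == ioc or query.endswith("." + ioc) for ioc in iocs)


def hosts_resolving_iocs(text, iocs=IOC_DOMAINS):
    """Map each internal client to the (timestamp, domain) lookups that hit an indicator."""
    hits = defaultdict(list)
    for rec in parse_dns_log(text):
        if matches_ioc(rec["query"], iocs):
            hits[rec["client"]].append((rec["ts"], rec["query"]))
    return dict(hits)


if __name__ == "__main__":
    for client, lookups in sorted(hosts_resolving_iocs(SAMPLE_DNS_LOG).items()):
        print(client, "->", ", ".join(f"{ts} {domain}" for ts, domain in lookups))
```

The clients returned are the next candidates for the same host-level examination that produced the indicators, and the indicator domains themselves are what the text suggests blocking at the resolver.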

Phase 4: Respond

Change detection tools are recommended to find unauthorized alterations to the file system, active network configuration, or application programs. End users should be taught how to spot malware and how to report anything suspicious they come across (Demetrio et al., 2021a). Inbound and outbound network traffic may be monitored for indicators of infection using intrusion detection systems. NetFlow data may be used to quickly identify suspicious traffic patterns or attempts to connect to known malicious domains (Damaševičius et al., 2021).

Organizations should examine DNS logs to discover internal systems that try to resolve potential malware domain names. At this phase, response teams are likely to look for clues about the attackers’ intent, which can help them plan their response. Several questions might be posed during this investigation, such as whether the malware attack was opportunistic or purposefully aimed at the organization. There should also be an investigation into what type of attack was used, whether it came from an insider or an outsider, and whether the target was within or outside the company. It is also necessary to determine whether the attack relied on an access code or an open port, or whether it was reconnaissance.

According to the Computer Security Incident Handling Guide, containment, eradication, and recovery are the three main processes in reacting to confirmed malware incidents. Malware containment entails reducing the malicious software’s ability to propagate (Catak et al., 2020). As a precaution, when no fix exists for the vulnerability that is causing the infection, response teams should deactivate any services that may be used to propagate the malware until they have identified and remedied the problem. Malware artifacts must then be removed, data restored from a backup, or the essential systems rebuilt (Darabian et al., 2020).

It is vital to get the impacted infrastructure up and running again to return to normal after the event. It is common for the recovery process to require that the company’s IT infrastructure be continuously scrutinized for new signs of infection on systems that had not previously shown any evidence of contamination. Affected computers or whole subnets may need to be disconnected from the network by the IT staff (Parildi et al., 2021). Before an emergency reboot or shutdown, the system’s memory must be captured for later analysis. Before deleting any files from the infected machine, IT teams should make sure to create a reliable backup in case they need to return to it later in the analysis.

A company’s ability to identify and, at least partly, disable malware on a workstation can be aided by maintaining communication with the antivirus provider (SL et al., 2019). When a computer is infected with malware, the attacker can use it to install additional programs and carry out a wide range of criminal operations. It is quite unusual for a response team to be able to eradicate malware without rebuilding or restoring the host (Rizvi et al., 2022). Even so, disabling the malicious software can buy the company time during the response. The company should use this opportunity to secure systems, fix vulnerabilities, and modify critical IT network services.

Recovery is about getting the damaged IT infrastructure back up and running as quickly as possible. Keeping watch over the systems that have been restored or changed shows whether they still exhibit signs of infection and determines which interim containment measures may need to remain in place (Demetrio et al., 2021b). To recover from a malware incident, non-IT partners such as brand management and official teams should also be involved, so that the organization’s constituents are protected from harm (Darshan et al., 2019).

At times a thorough assessment of the IT infrastructure is necessary to examine whether new signs of infection have appeared that were previously unnoticed. A retrospective analysis is essential after an incident has been addressed so that the response team can handle future incidents better. The environment should therefore be assessed and adjusted to make it more resistant to similar incidents. These measures close the security incident management cycle and bring the response team back to the planning phase (Pajouh et al., 2018). Ultimately, how well the company prepares for and performs across all four stages of the incident response cycle will decide how effectively it defeats malicious software.

Malware Analysis

Malware analysis is the study or process of establishing the functionality, origin, and potential impact of a specific malicious software sample, such as a worm, Trojan horse, virus, rootkit, or backdoor. Analyzing malware has become increasingly important for incident response and digital security. Learning about the structure and operation of malware is essential to finding the point of entry and devising ways to prevent further intrusions (Chakkaravarthy et al., 2019). Detecting, preserving, and then analyzing the malware all fall within the scope of digital forensics. Traditionally, malware analysis has been done by hand, which is laborious and time-consuming, and it was conventionally left to security software companies.

Vendors have always requested copies of any malware that is discovered, and because malware-writing tools have proliferated, many vendors now have a backlog of malicious software awaiting analysis. Malware analysis involves a multitude of tasks, each completed in phases depending on the type of analysis used (Chakkaravarthy et al., 2019). Examiners classify the analysis into static and dynamic categories. In addition, the analysis of malicious software proceeds through various stages, including Interactive Behavior Analysis, Fully-Automated Analysis, Manual Code Reversal, and Static Properties Analysis; all of these steps are necessary.

Mechanizing tasks lies at the heart of the fully automated analysis paradigm. Consequently, a completely automated program is the most effective method for malware analysis (Singh & Singh, 2018). Such programs can swiftly determine what a sample might do once it infects a computer and generate extensive reports (Or-Meir et al., 2019). Reverse engineering requires a debugger and a disassembler, which can also assist in memory forensics. Digital forensics can provide assistance at this point of the hierarchy as well.

Malware analysis is required in three common scenarios: security incidents, malware research, and the extraction of indicators of compromise (Vidyarthi et al., 2019). If an organization realizes or suspects that malware has accessed its systems, the response team may want to undertake malware analysis on every potential sample found during the assessment. Such an analysis aims to ascertain whether malicious elements are present and what their impact on the company’s systems is (Kara, 2019). An academic or commercial researcher may undertake malware analysis to learn how a piece of malware works and which strategies were most recently used to create it. Vendors of security products and solutions may perform bulk malware analysis to discover new indicators of compromise; this data then feeds the security technology or solutions that enable businesses to protect themselves effectively against malicious attacks.

Static Analysis

Analyzing software statically means doing so without actually running it. The static attributes of a sample are frequently the first thing an examiner looks at (Kumar et al., 2020): the response team analyzes the malware’s static details while the sample is not executing. Examples of static characteristics are embedded strings, header details, hashes, embedded resources, packer signatures, and metadata such as the creation date (Higuera et al., 2020). Static aspects may be used to identify basic indicators of compromise and provide a deeper understanding of the thinking behind the production of a particular type of malware.

Static approaches can analyze a program in different formats, including its binary form. Some information is lost when a program’s source code is compiled into a binary executable, which makes deciphering the code more difficult (Ucci et al., 2019). Most of the time, analyzing a binary without running it is done manually. If the source code is accessible, valuable information such as the data structures and functions used can be extracted.

Once program code has been compiled into an executable binary, this information is discarded and cannot be fully recovered (Suryati & Budiono, 2020). Static malware analysis employs a variety of approaches, one of which is file fingerprinting. Beyond checking the evident outward characteristics of a binary file, fingerprinting includes data-level actions such as computing a cryptographic hash to distinguish the file from others and to verify that it has not been altered.

In the file-format approach, the metadata of a specific file type is used to obtain additional, valuable information; identifying the type by its magic number, as the UNIX file utility does, is part of this approach (Lin et al., 2018). Many pieces of information, such as the creation time, imported and exported functions, strings, menus, and icons, may be gleaned from a Windows binary, which is normally in Portable Executable (PE) format. If the inspected binary is well-known malware, one or more antivirus scanners will likely detect it (Rana et al., 2018). Running an antimalware scanner is tedious, but it is necessary in some situations.
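As an added illustration of the static properties discussed above (this is not code from the essay or from any tool it names), the following Python script uses only the standard library to fingerprint a file with cryptographic hashes, identify its type by magic number, extract embedded strings, and read the machine type, section count and timestamp from the PE COFF header without executing anything. The sample bytes are a constructed stand-in for a PE file, not real malware.

```python
"""Static properties triage: hashes, file type by magic number, embedded strings,
and PE COFF header fields. Added example; standard library only."""
import hashlib
import re
import struct
import time

# Magic numbers used for file-type identification (what the UNIX `file` utility does).
MAGIC = [
    (b"MZ", "PE/DOS executable"),
    (b"\x7fELF", "ELF executable"),
    (b"%PDF", "PDF document"),
    (b"PK\x03\x04", "ZIP archive (also JAR/APK/DOCX)"),
]

# COFF Machine field values from the PE specification.
MACHINE_NAMES = {0x14C: "i386 (IA-32)", 0x8664: "x86-64", 0x1C0: "ARM", 0xAA64: "ARM64"}


def fingerprint(data: bytes) -> dict:
    """Cryptographic hashes that identify a sample and show whether it was altered."""
    return {name: hashlib.new(name, data).hexdigest() for name in ("md5", "sha1", "sha256")}


def file_type(data: bytes) -> str:
    """Identify the container format from its leading magic bytes."""
    for magic, name in MAGIC:
        if data.startswith(magic):
            return name
    return "unknown"


def strings(data: bytes, min_len: int = 6) -> list:
    """Printable ASCII runs: URLs, paths and registry keys often show up here."""
    return [m.decode("ascii") for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def pe_header(data: bytes) -> dict:
    """Parse the COFF file header of a PE image. Raises ValueError if not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a DOS/PE file")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)  # offset of the PE signature
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    machine, nsections, timestamp = struct.unpack_from("<HHI", data, e_lfanew + 4)
    return {
        "machine": MACHINE_NAMES.get(machine, hex(machine)),
        "sections": nsections,
        "timestamp": timestamp,  # link-time stamp; attackers can forge it, so treat as a hint
        "compiled_utc": time.strftime("%Y-%m-%d %H:%M:%S", time.gmtime(timestamp)),
    }


def triage(data: bytes) -> dict:
    """Combine the static checks into one report, tolerating a malformed PE header."""
    report = {"type": file_type(data), "size": len(data),
              "hashes": fingerprint(data), "strings": strings(data)}
    if report["type"].startswith("PE"):
        try:
            report["pe"] = pe_header(data)
        except ValueError as exc:
            report["pe_error"] = str(exc)
    return report


def build_sample() -> bytes:
    """Constructed stand-in for a PE file (not malware): DOS header, PE signature,
    COFF header (IA-32, 3 sections, 2020-01-01 stamp) and a few embedded strings."""
    e_lfanew = 0x80
    header = bytearray(b"MZ" + b"\0" * (0x3C - 2))
    header += struct.pack("<I", e_lfanew)
    header += b"\0" * (e_lfanew - len(header))
    header += b"PE\0\0"
    header += struct.pack("<HHI", 0x14C, 3, 1577836800)  # 2020-01-01 00:00:00 UTC
    header += b"\0" * 16  # remainder of the COFF header, not needed here
    body = b"\0\x01\x02http://example.invalid/update.bin\0ab\0SOFTWARE\\Example\\Config\0"
    return bytes(header + body)


if __name__ == "__main__":
    for key, value in triage(build_sample()).items():
        print(f"{key}: {value}")
```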

Packer detection is complicated by the variety of techniques that can be used to defeat it. Nowadays malware is often distributed in an obfuscated form, such as compressed or encrypted (Monnappa, 2018). Packing changes the program significantly, so static analysis finds its logic and other information hard to extract. Because no universal unpacker exists, this remains a great difficulty for static malware analysis (Liu et al., 2022). Static analysis often involves disassembling the binary (Pandey et al., 2020), using tools such as IDA Pro that translate machine code back into assembly language. An expert can then assess the program’s logic and purpose from the reconstructed assembly code.

There are several benefits to static malware analysis, the most important being the ability to examine a specific binary thoroughly: in other words, every feasible execution path of the sample can be inspected (Duncan & Schreuders, 2019). Since the code is not run, static analysis tends to be cheaper and more effective than dynamic analysis in most cases. However, it can take a long time and requires specialized knowledge. This crucial stage is hindered because response teams rarely have access to the source code; malware samples seldom have their source code publicly available (Sun et al., 2018). Static analysis of malware is therefore usually confined to its binary representation. Consider, for instance, that most malware samples execute IA-32 instructions on the host computer; if the binary uses self-modifying code, the disassembly results may be unclear.

Dynamic Analysis

The term ‘dynamic malware analysis’ refers to running a particular sample of malicious software while monitoring its activities to identify any dangerous behavior. The investigation of malware in a controlled setting is also known as dynamic or interactive behavior analysis (Yakura et al., 2019). Controlled execution and monitoring are used to determine what kind of malicious behavior and intent the sample exhibits, observing and tracking its actions while it unpacks its code. Dynamic analysis has certain drawbacks, as it may not spot or analyze dormant code (Pereberina et al., 2022). In that case, the sample may need to be launched numerous times, each run focused on a different program.

Dynamic malware analysis avoids the unpacking limitation of static analysis because it is conducted at runtime, when the malware unpacks itself, so it is straightforward to see how a program actually behaves. Dormant code, on the other hand, is its most significant drawback (Leon et al., 2021): dynamic analysis lacks complete code coverage, as opposed to static analysis, which can inspect many execution paths. In addition, if the analysis environment is not properly isolated or controlled, there is a risk of affecting other systems.

Malware samples might change their behavior or even stop running once they detect that they are being analyzed in a controlled setting. Comparing two system states is one of the most widely used methods for dynamic malware analysis (Costin & Zaddach, 2018). After a particular malware sample has run for a predetermined amount of time, the changes made to the system are compared with the state it started in. In this method, comparison reports describe the malware’s activity.

Observing runtime behavior is a second technique for dynamic malware analysis. Regshot is an example of a tool for the first, state-comparison technique: the IT team uses it to capture a registry snapshot before running the program (Kawakoya et al., 2019), selects the second-shot option once the binary has executed, and then clicks the compare button. The team receives a text file with the results of the comparison, including which files and keys were added and updated (Nunes et al., 2019). Watching an application’s runtime behavior, which monitors the actions the malicious program performs while it is running, is currently the most promising strategy, and sandboxing is used extensively in this process (Dahiya & Mahajan, 2019). Sandboxes are controlled runtime environments separated from the rest of the network and used to isolate harmful processes; a certain degree of virtualization is usually used to accomplish this partitioning.
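The two-state comparison method and the Regshot workflow described above, as an added example in Python that is not part of the essay or of Regshot itself: it snapshots a directory tree, runs a constructed, harmless stand-in for the sample, snapshots again, and reports what was added, removed and modified. The `ignore_prefixes` filter is an assumed addition that stands in for filtering out known idle-system noise before reading the diff.

```python
"""State-comparison dynamic analysis in the Regshot style, applied to a file tree.
Added example; the "sample" is a constructed, harmless function, not real malware."""
import hashlib
import os
import tempfile
from pathlib import Path


def snapshot(root: str) -> dict:
    """Map each file under root (relative path) to its SHA-256, so that content
    changes and not only new file names show up in the comparison."""
    state = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = Path(dirpath) / name
            state[str(full.relative_to(root))] = hashlib.sha256(full.read_bytes()).hexdigest()
    return state


def compare(before: dict, after: dict, ignore_prefixes=()) -> dict:
    """Regshot-style diff of two snapshots. Entries whose path starts with one of
    ignore_prefixes are dropped, the way an analyst discards baseline noise."""
    def keep(key):
        return not key.startswith(tuple(ignore_prefixes))
    b = {k: v for k, v in before.items() if keep(k)}
    a = {k: v for k, v in after.items() if keep(k)}
    return {
        "added": sorted(set(a) - set(b)),
        "removed": sorted(set(b) - set(a)),
        "modified": sorted(k for k in set(a) & set(b) if a[k] != b[k]),
    }


def stand_in_sample(root: str) -> None:
    """Constructed, harmless behaviour standing in for the binary under test:
    drops a new file, edits an existing one and deletes another."""
    Path(root, "dropped.dll").write_bytes(b"constructed payload stand-in")
    Path(root, "hosts").write_text("127.0.0.1 localhost\n# line appended by sample\n")
    os.remove(Path(root, "log.txt"))


def run_analysis() -> dict:
    """First shot, run the sample, second shot, compare: the whole workflow."""
    with tempfile.TemporaryDirectory() as root:
        # Constructed baseline state of the analysis machine.
        Path(root, "hosts").write_text("127.0.0.1 localhost\n")
        Path(root, "log.txt").write_text("old log\n")
        Path(root, "untouched.ini").write_text("[x]\n")
        before = snapshot(root)        # first shot
        stand_in_sample(root)          # run the sample
        after = snapshot(root)         # second shot
        return compare(before, after)  # the comparison report


if __name__ == "__main__":
    for kind, entries in run_analysis().items():
        print(f"{kind}: {entries}")
```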

Tools

An examination of the currently available tools shows that new approaches are continually being developed to support the analysis and deconstruction of malware. A sample’s behaviors are revealed in the analysis reports issued by such software (Kim et al., 2018), and the response team can comprehend the sample quickly and thoroughly using these reports (Gandotra et al., 2019).

There are several types of forensics tools, including disk and data capture and viewing applications; file and registry analysis tools; Internet, electronic mail, and mobile device analysis tools; Mac OS analysis tools; and network forensics tools. grep is a command-line search program for UNIX, whereas FileAlyzer is a file analysis tool (Sicato et al., 2019). IDA Pro is a commercial tool for disassembly and debugging. Antivirus software is used to identify and eliminate malware. Helix is a forensics-focused Linux distribution that can run on a virtual machine. Organizations’ IT teams should use VMware to build a sandbox in which they can run suspicious applications.

The Norman Sandbox runs malware samples in a tightly controlled virtual environment that mimics a Windows operating system, and an associated local area network and Internet access may be simulated with this setup (Kumar & Subbiah, 2022). The Norman Sandbox’s fundamental idea is to emulate all of the functionality required by the examined sample; this means the simulated system must offer operating-system capabilities such as memory management and multithreading support (Chawla et al., 2021) and must expose all necessary Application Programming Interfaces (APIs) so that the sample appears to be running on an authentic system (Pham et al., 2019). Obfuscated or packed executables do not hinder the analysis, since the sample is executed in the virtual environment. A major aim of the Norman Sandbox is to identify worms and viruses that spread over electronic mail or P2P platforms and to prevent them from spreading via network shares.

File system modifications can be discovered quickly and easily with the FileMon application, which makes it possible to view and record the binary’s file access activity (Pandey & Alsolami, 2020). The program generates a lot of noise, detecting hundreds of file modifications made by a Windows machine that appears to be idle. The response team should therefore always clear the tool’s log before starting the binary and then stop the capture roughly 10 seconds after it has been launched.

JoeBox produces a log of the operations on the file system, registry, and network while dynamically analyzing a potentially harmful sample. It was built from the ground up to run exclusively on real hardware, without the aid of virtualization or emulation (Camargo et al., 2022). The system is based on a client-server architecture in which a single controller session coordinates several clients involved in the analysis, so overall throughput can easily be raised by increasing the number of analysis clients. The controlling machine gathers all of the analytical data.

Environmental Requirement for Malware Analysis

Computers currently used for routine activities cannot be used for malware investigation. It is recommended that malware analysis be carried out in an IT forensics laboratory using a virtualized environment (Marchetto, 2019). Setting up a VMware-based analysis lab is easy and allows virtual machines to be quickly added, deleted, and duplicated. System requirements include enough RAM and storage space on the physical host, plus applications such as VMware’s New Virtual Machine Wizard.

To analyze malware properly, one must first realize that malicious software is usually distributed over the Internet (García et al., 2018). An organization should therefore refrain from giving a malicious application the ability to proliferate over its local area network. This can be accomplished by configuring the virtual machine so that only authorized Internet access is possible. The network setup options for each virtual machine should include a host-only adapter, a network address translation (NAT) adapter, and a bridged adapter.

Conclusion

Malware analysis today is vastly different from when the term was coined. The methods and technologies used to create, detect, and analyze malware have all developed. Technology often moves in a circle: as it advances and grows more complex, so do the processes and tools used to identify malware. To remain relevant in a game with no end in sight, each participant must constantly improve their methods and equipment.

Because a workstation used for normal work cannot be used for malware analysis, the analysis should be done in a computer forensics lab using a virtual environment. This allows the response team to avoid giving malicious software the ability to spread over the local area network. Creating a VMware-based analysis lab is simple and permits the quick addition, removal, and replication of virtual machines. Malware detection and analysis allow organizations to recognize and respond to malicious software attacks before they harm their data and networks.

References

Amer, E., & Zelinka, I. (2020). Computers & Security, 92, 1-17. Web.

Amer, E., El-Sappagh, S., & Hu, J. W. (2020). Applied Sciences, 10(21), 7673-7680. Web.

Amer, E., Zelinka, I., & El-Sappagh, S. (2021). Computers & Security, 110, 1-10. Web.

An, N., Duff, A., Noorani, M., Weber, S., & Mancoridis, S. (2018). Malware anomaly detection on virtual assistants. 2018 13th International Conference on Malicious and Unwanted Software (MALWARE). IEEE. Web.

Arif, J. M., Ab Razak, M. F., Mat, S. R. T., Awang, S., Ismail, N. S. N., & Firdaus, A. (2021). Journal of Information Security and Applications, 61, 1-10. Web.

Arslan, R. S., Doğru, İ. A., & Barişçi, N. (2019). International Journal of Software Engineering and Knowledge Engineering, 29(1), 43-61. Web.

Bernardi, M. L., Cimitile, M., Distante, D., Martinelli, F., & Mercaldo, F. (2019). International Journal of Information Security, 18(3), 257-284. Web.

Camargo, O. A. M., Duarte, J. C., dos Santos, A. F. P., & Borges, C. A. (2022). Revista de Informática Teórica e Aplicada, 29(2), 84-94. Web.

Carlin, D., O’Kane, P., & Sezer, S. (2019). Computers & Security, 85, 138-155. Web.

Catak, F. O., Yazı, A. F., Elezaj, O., & Ahmed, J. (2020). PeerJ Computer Science, 6, 285-297. Web.

Chakkaravarthy, S. S., Sangeetha, D., & Vaidehi, V. (2019). Computer Science Review, 32, 1-23. Web.

Chawla, N., Kumar, H., & Mukhopadhyay, S. (2021). IEEE Transactions on Information Forensics and Security, 16, 3426-3441. Web.

Costin, A., & Zaddach, J. (2018). IoT malware: Comprehensive survey, analysis framework and case studies. BlackHat USA, 1(1), 1-9.

Dahiya, N., & Mahajan, S. (2019). A comparative study of various existing malware analysis methods. International Journal of Networking and Virtual Organizations, 21(2), 268-276.

Damaševičius, R., Venčkauskas, A., Toldinas, J., & Grigaliūnas, Š. (2021). Electronics, 10(4), 485-496. Web.

Daoudi, N., Allix, K., Bissyandé, T. F., & Klein, J. (2022). ACM Transactions on Privacy and Security, 25(2), 1-28. Web.

Darabian, H., Dehghantanha, A., Hashemi, S., Taheri, M., Azmoodeh, A., Homayoun, S., Choo, K., & Parizi, R. M. (2020). World Wide Web, 23(2), 1241-1260. Web.

Darshan, S. L., & Jaidhar, C. D. (2019). Journal of Computer Virology and Hacking Techniques, 15(2), 127-146. Web.

Demetrio, L., Biggio, B., Lagorio, G., Roli, F., & Armando, A. (2021a). IEEE Transactions on Information Forensics and Security, 16, 3469-3478. Web.

Demetrio, L., Coull, S. E., Biggio, B., Lagorio, G., Armando, A., & Roli, F. (2021b). ACM Transactions on Privacy and Security (TOPS), 24(4), 1-31. Web.

Duncan, R., & Schreuders, Z. C. (2019). Journal of Computer Virology and Hacking Techniques, 15(1), 39-60. Web.

Euh, S., Lee, H., Kim, D., & Hwang, D. (2020). IEEE Access, 8, 76796-76808. Web.

Feizollah, A., Anuar, N. B., & Salleh, R. (2018). Advanced Science Letters, 24(2), 929-932. Web.

Firdaus, A., Anuar, N. B., Karim, A., & Razak, M. F. A. (2018). Frontiers of Information Technology & Electronic Engineering, 19(6), 712-736. Web.

Gandotra, E., Bansal, D., & Sofat, S. (2019). Malware intelligence: Beyond malware analysis. International Journal of Advanced Intelligence Paradigms, 13(2), 80-100.

García, L. E. H. A., & Bermejo, R. A. (2018). A method for malware analysis by virtual machine introspection technique. Research in Computing Science, 147(12), 11-20.

Hamed, Z. A., Ahmed, I. M., & Ameen, S. Y. (2020). Protecting Windows OS against local threats without using antivirus. Relation, 29(12), 64-70.

Hampton, N., Baig, Z., & Zeadally, S. (2018). Journal of Information Security and Applications, 40, 44-51. Web.

Hein, M., & Myo, M. (2018). Permission-based feature selection for android malware detection and analysis. International Journal of Computer Applications, 181(19), 29-39.

Higuera, J., Aramburu, C., Higuera, J. R., Urban, M. A., & Montalvo, J. A. (2020). Applied Sciences, 10(4), 1360-1373. Web.

Huang, X., Ma, L., Yang, W., & Zhong, Y. (2021). Journal of Signal Processing Systems, 93(2), 265-273. Web.

Jahromi, A. N., Hashemi, S., Dehghantanha, A., Parizi, R. M., & Choo, K. K. R. (2020). IEEE Transactions on Emerging Topics in Computational Intelligence, 4(5), 630-640. Web.

Jaramillo, L. (2018). Journal of Information Systems Engineering & Management, 3(3), 19-25. Web.

Jeon, J., Park, J. H., & Jeong, Y. S. (2020). IEEE Access, 8, 96899-96911. Web.

Jerlin, M. A., & Marimuthu, K. (2018). Journal of Applied Security Research, 13(1), 45-62. Web.

Kabakus, A. T. (2019). Information Technology and Control, 48(2), 235-249. Web.

Kang, S., Kim, S., Park, M., & Kim, J. (2018). Journal of the Korea Institute of Information Security & Cryptology, 28(3), 591-603. Web.

Kara, I. (2019). Computer Fraud & Security, 2019(6), 11-19. Web.

Karbab, E. B., & Debbabi, M. (2019). Digital Investigation, 28, S77-S87. Web.

Kawakoya, Y., Shioji, E., Iwamura, M., & Miyoshi, J. (2019). Journal of Information Processing, 27, 297-314. Web.

Khan, R. U., Zhang, X., & Kumar, R. (2019). Journal of Computer Virology and Hacking Techniques, 15(1), 29-37. Web.

Kim, K. S., Shin, H. J., & Kim, H. S. (2018). A bit vector based binary code comparison method for static malware analysis. The Computer Journal, 13(5), 545-554. Web.

Kouliaridis, V., & Kambourakis, G. (2021). Information, 12(5), 185-195. Web.

Kouliaridis, V., Kambourakis, G., Geneiatakis, D., & Potha, N. (2020). Symmetry, 12(7), 1128-1135. Web.

Kumar, R., & Subbiah, G. (2022). Sensors, 22(7), 2798-2812. Web.

Kumar, R., Alenezi, M., Ansari, M. T. J., Gupta, B. K., Agrawal, A., & Khan, R. A. (2020). International Journal of Intelligent Engineering and Systems, 13(6), 94-109. Web.

Leon, R. S., Kiperberg, M., Zabag, A. A. L., & Zaidenberg, N. J. (2021). Cybersecurity, 4(1), 1-14. Web.

Lin, C. H., Pao, H. K., & Liao, J. W. (2018). Computers & Security, 73, 359-373. Web.

Liu, S., Feng, P., Wang, S., Sun, K., & Cao, J. (2022). Computers & Security, 115, 1-10. Web.

Luo, X., Li, J., Wang, W., Gao, Y., & Zhao, W. (2021). Digital Communications and Networks, 7(4), 570-579. Web.

Ma, Z., Ge, H., Liu, Y., Zhao, M., & Ma, J. (2019). IEEE Access, 7, 21235-21245. Web.

Marchetto, V. (2019). An investigation of cryptojacking: Malware analysis and defense strategies. Journal of Strategic Innovation and Sustainability, 14(1), 66-80.

Monnappa, K. A. (2018). Learning malware analysis: Explore the concepts, tools, and techniques to analyze and investigate Windows malware. Packt Publishing Ltd.

Moussaileb, R., Cuppens, N., Lanet, J. L., & Bouder, H. L. (2021). ACM Computing Surveys (CSUR), 54(6), 1-36. Web.

Naeem, H., Ullah, F., Naeem, M. R., Khalid, S., Vasan, D., Jabbar, S., & Saeed, S. (2020). Ad Hoc Networks, 105, 1-12. Web.

Namanya, A. P., Awan, I. U., Disso, J. P., & Younas, M. (2020). Future Generation Computer Systems, 110, 824-832. Web.

Noor, M., Abbas, H., & Shahid, W. B. (2018). Journal of Network and Computer Applications, 103, 249-261. Web.

Nunes, M., Burnap, P., Rana, O., Reinecke, P., & Lloyd, K. (2019). Journal of Information Security and Applications, 48, 1-11. Web.

Omer, M. A., Zeebaree, S. R., Sadeeq, M. A., Salim, B. W., Mohsin, S. X., Rashid, Z. N., & Haji, L. M. (2021). Asian Journal of Research in Computer Science, 59-69. Web.

Or-Meir, O., Nissim, N., Elovici, Y., & Rokach, L. (2019). ACM Computing Surveys (CSUR), 52(5), 1-48. Web.

Pajouh, H. H., Dehghantanha, A., Khayami, R., & Choo, K. K. R. (2018). Journal of Computer Virology and Hacking Techniques, 14(3), 213-223. Web.

Pan, Y., Ge, X., Fang, C., & Fan, Y. (2020). IEEE Access, 8, 116363-116379. Web.

Pandey, A. K., & Alsolami, F. (2020). Malware analysis in web application security: An investigation and suggestion. International Journal of Advanced Computer Science and Applications, 11(7), 1-13.

Pandey, A. K., Tripathi, A., Alenezi, M., & Khan, A. K. (2020). A framework for producing effective and efficient secure code through malware analysis. International Journal of Advanced Computer Science and Applications, 11(2), 497-503.

Parildi, E. S., Hatzinakos, D., & Lawryshyn, Y. (2021). Neural Computing and Applications, 33(18), 11963-11983. Web.

Pereberina, A., Kostyushko, A., & Tormasov, A. (2022). Journal of Computer Virology and Hacking Techniques, 1, 1-11. Web.

Pham, D. P., Vu, D. L., & Massacci, F. (2019). Journal of Computer Virology and Hacking Techniques, 15(4), 249-257. Web.

Rana, M. S., & Sung, A. H. (2018). Malware analysis on Android using supervised machine learning techniques. International Journal of Computer and Communication Engineering, 7(4), 178-186.

Rizvi, S. K. J., Aslam, W., Shahzad, M., Saleem, S., & Fraz, M. M. (2022). Complex & Intelligent Systems, 8(1), 673-685. Web.

Saridou, B., Rose, J. R., Shiaeles, S., & Papadopoulos, B. (2022). Electronics, 11(7), 1-26. Web.

Sasidharan, S. K., & Thomas, C. (2021). Pervasive and Mobile Computing, 72, 1-13. Web.

Sicato, J. C., Sharma, P. K., Loia, V., & Park, J. H. (2019). Applied Sciences, 9(13), 2763-2776. Web.

Sihwail, R., Omar, K., & Ariffin, K. A. Z. (2021). Computers, Materials and Continua, 67(2), 2301-2320. Web.

Sihwail, R., Omar, K., & Ariffin, K. Z. (2018). A survey on malware analysis techniques: Static, dynamic, hybrid and memory analysis. International Journal on Advanced Science, Engineering and Information Technology, 8(4), 1662-1671.

Sihwail, R., Omar, K., Ariffin, K. A., & Al Afghani, S. (2019). Applied Sciences, 9(18), 3680-3690. Web.

Singh, A. K., Jaidhar, C. D., & Kumara, M. A. (2019). Journal of Computer Virology and Hacking Techniques, 15(3), 209-218. Web.

Singh, J., & Singh, J. (2018). Challenge of malware analysis: Malware obfuscation techniques. International Journal of Information Security Science, 7(3), 100-110.

Singh, J., & Singh, J. (2021). Journal of Systems Architecture, 112, 1-18. Web.

SL, S. D., & Jaidhar, C. D. (2019). IEEE Transactions on Emerging Topics in Computing, 9(2), 1057-1069. Web.

Souri, A., & Hosseini, R. (2018). Human-centric Computing and Information Sciences, 8(1), 1-22. Web.

Suaboot, J., Tari, Z., Mahmood, A., Zomaya, A. Y., & Li, W. (2020). Computers & Security, 92, 1-17. Web.

Sun, B., Fujino, A., Mori, T., Ban, T., Takahashi, T., & Inoue, D. (2018). IEICE Transactions on Information and Systems, 101(11), 2622-2632. Web.

Surendran, R., Thomas, T., & Emmanuel, S. (2020). Journal of Information Security and Applications, 54, 1-12. Web.

Suryati, O. T., & Budiono, A. (2020). International Journal of Advances in Data and Information Systems, 1(1), 1-8. Web.

Syrris, V., & Geneiatakis, D. (2021). Journal of Information Security and Applications, 59, 1-12. Web.

Tahir, R. (2018). International Journal of Education and Management Engineering, 8(2), 20-30. Web.

Tajoddin, A., & Abadi, M. (2019). Applied Intelligence, 49(7), 2641-2658. Web.

Ucci, D., Aniello, L., & Baldoni, R. (2019). Survey of machine learning techniques for malware analysis. Computers & Security, 81, 123-147. Web.

Venkatraman, S., Alazab, M., & Vinayakumar, R. (2019). Journal of Information Security and Applications, 47, 377-389. Web.

Vidyarthi, D., Kumar, C. R. S., Rakshit, S., & Chansarkar, S. (2019). International Journal of Computer Science Issues (IJCSI), 16(3), 10-17. Web.

Vinayakumar, R., & Soman, K. P. (2018). ICT Express, 4(4), 255-258. Web.

Vinayakumar, R., Alazab, M., Soman, K. P., Poornachandran, P., & Venkatraman, S. (2019). IEEE Access, 7, 46717-46738. Web.

Wang, S., Chen, Z., Yan, Q., Yang, B., Peng, L., & Jia, Z. (2019). Journal of Network and Computer Applications, 133, 15-25. Web.

Wazid, M., Das, A. K., Rodrigues, J. J., Shetty, S., & Park, Y. (2019). IEEE Access, 7, 182459-182476. Web.

Witte, T. N. (2020). Phantom malware: Conceal malicious actions from malware detection techniques by imitating user activity. IEEE Access, 8, 164428-164452. Web.

Xiaofeng, L., Fangshuo, J., Xiao, Z., Shengwei, Y., Jing, S., & Lio, P. (2019). Computer Networks, 157, 99-111. Web.

Yadav, R. M. (2019). Computers & Security, 83, 14-21. Web.

Yakura, H., Shinozaki, S., Nishimura, R., Oyama, Y., & Sakuma, J. (2019). Computers & Security, 87, 1-15. Web.

Yang, S., Li, S., Chen, W., & Liu, Y. (2020). IEEE Access, 8, 208120-208135. Web.

Yildiz, O., & Doğru, I. A. (2019). International Journal of Software Engineering and Knowledge Engineering, 29(2), 245-262. Web.

Yousefi-Azar, M., Hamey, L. G., Varadharajan, V., & Chen, S. (2018). IEEE Access, 6, 49418-49431. Web.

Zhang, H., Luo, S., Zhang, Y., & Pan, L. (2019a). IEEE Access, 7, 69246-69256. Web.

Zhang, Y., Ren, W., Zhu, T., & Ren, Y. (2019b). Future Generation Computer Systems, 95, 548-559. Web.

Zhu, H., Li, Y., Li, R., Li, J., You, Z., & Song, H. (2020). IEEE Transactions on Network Science and Engineering, 8(2), 984-994. Web.


Reference

IvyPanda. (2023, September 26). Aspects of Malware: Detection and Analysis. https://ivypanda.com/essays/aspects-of-malware-detection-and-analysis/

