Cybersecurity faces more hurdles than ever before: even as we develop new technologies to keep our systems and networks secure, cyberattacks and security breaches keep rising. Among these threats the most damaging is malware. In 2019 the total malware detections amounted to 903.14 million programs, while last year 856.62 million new malware programs were developed. To deliver adequate protection for computer systems, anti-malware software must be capable of detecting a very wide range of existing malicious programs, as well as new modifications of known malware samples and new zero-day malicious programs from the most recent malware generations. Blockchain technology has done well in the financial sector, has since shown its worth in other fields, and is now entering the network layer, the storage layer, the support layer, and the application layer. A mobile application is scanned in two stages. First, the security module of an app store checks that the application behaves normally; once it passes this initial check, users are allowed to download and install it. After installation, third-party software scans the application for possible threats. The problem lies with the initial detection by app stores, which is not as effective as claimed, while the third-party software is rendered helpless because users grant the application various permissions as soon as it is installed. Here we explore a blockchain-based framework for malware detection at the initial stage, proposed as the model Blockchain-based Framework for Malware Detection. The framework consists of two private blockchains, one internal and one external, forming a dual private blockchain.
Internal Private Blockchain (IPB): The IPB comprises all the components needed to build and extend a dedicated private blockchain for each available mobile application. Each application is tracked by a Dedicated Internal Private Blockchain (DIPB) that records the application's behavioral history together with static information gathered by Feature Extractor (FE) components. FEs are components that extract features carrying useful information throughout the application's lifecycle and add the corresponding blocks to the dedicated private blockchain. Dedicated private blockchains are used instead of one network of many blockchains because they reduce the complexity of the framework: given the number of applications in the marketplace, a single network of blockchains would have been huge and complex. In the framework's architecture, each FE has full access to its DIPB through a bi-directional connection, while the other Internal Private Blockchains have read-only access through a one-directional connection. Static Feature Extractors: Features are extracted from the application files, which are bundled into archives; on Android these are .APK files, which are similar to .JAR files. Android developers use these archives to store the application's code and resources, so they contain all the information needed to track an application's behavior. An Opcode Sequence FE extracts the sequence of opcodes from the bytecode in the APK file to provide opcode analysis for the Detection Engines (DE).
Similarly, the Permission FE detects the permissions requested at runtime, the API Calls FE records which APIs are used, and the Commands FE detects references to system commands. Dynamic Extractors: These components perform dynamic analysis of the runtime behavior of applications to extract behavioral features; they detect malicious applications by monitoring how an app actually behaves while it runs. System Call FE: It traces the system calls an application makes in order to characterize the process. System calls for file access, network communication, inter-process communication and privilege escalation are the most common call traces used for dynamic analysis. Memory and CPU FE: In the proposed model a total of 53 features can be extracted and analyzed, 5 of them CPU related and 48 memory related. These features describe CPU behavior and memory usage during the application's runtime for each system call. Because the blocks expose the information collected by the FE components, third-party software can contribute to scanning applications, and anti-malware vendors are pushed to develop more accurate detection methods to stay in the market. External Private Blockchain: For each application there is a Dedicated External Private Blockchain (DEPB) that holds the scanning information for its different versions, such as the malice scores assigned by each detection engine to each version. The data stored in the DEPB shows the history and summaries of the Detection Engines' (DE) scanning results for each application. The DEs are separate detection mechanisms that use specialized techniques and AI algorithms to separate malware samples from benign ones. AI (Artificial Intelligence)-Based DE: This DE leverages machine learning and artificial intelligence to detect unknown and new malicious applications.
There are various algorithms and machine learning techniques for separating malicious samples from benign ones. Signature-based DE: This method identifies malware samples through one or more tokens or signatures. The DE checks the hash of the APK file against known signatures to determine whether a test sample is malicious. A hash match can only recognize samples that have been seen before; a repackaged or minimally modified APK produces a different hash, which is why the framework pairs this DE with the AI-based and Consortium Blockchain engines. Consortium Blockchain (CB) DE: This DE derives its detection from the malice scores recorded in the internal private blockchains (the DIPB) and the scan results stored in the DEPB. The final decision on a sample is made by a Determinant Agent that considers the features extracted through both the DIPB and the DEPB.
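The static Feature Extractors described above (Permission FE, API Calls FE, Commands FE) and the hash the signature-based DE consumes, as an added example that is not the framework authors' code. It treats the APK as what it is, a ZIP archive, but makes two simplifying assumptions that are flagged in the code: the manifest is stored as plain-text XML so it can be parsed with the Python standard library (a real APK carries a binary AXML manifest that has to be decoded first, for example with androguard), and API references are approximated by scanning classes.dex for `Lpkg/Class;` descriptors rather than parsing the DEX string pool. The command watch-list and the sample APK are constructed for the demonstration.

```python
"""Static Feature Extractors over an APK-like archive (added example, not the
framework's code). Assumptions: the manifest is stored as plain-text XML so
it can be parsed with the standard library (a real APK carries a binary AXML
manifest that must first be decoded, e.g. with androguard); API references are
approximated by scanning classes.dex for Lpkg/Class; descriptors, and command
references by a constructed watch-list of shell paths and binaries."""
import hashlib
import io
import re
import xml.etree.ElementTree as ET
import zipfile

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
# Constructed watch-list for the Commands FE (hypothetical, not from the paper).
COMMAND_PATTERNS = [b"/system/bin/sh", b"/system/xbin/su", b"chmod", b"pm install", b"getprop"]


def build_sample_apk() -> bytes:
    """Constructed in-memory APK: a ZIP holding a manifest and a dex stand-in."""
    manifest = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashlight" android:versionCode="7">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
</manifest>"""
    # Not a valid DEX file: a header-like prefix plus string constants an app
    # might carry (one class descriptor and two shell command references).
    dex = (b"dex\n035\x00" + b"\x00" * 16
           + b"Ljava/lang/Runtime;\x00exec\x00/system/xbin/su\x00chmod 777\x00")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", manifest)
        zf.writestr("classes.dex", dex)
    return buf.getvalue()


def _read(apk: bytes, member: str) -> bytes:
    with zipfile.ZipFile(io.BytesIO(apk)) as zf:
        return zf.read(member)


def permission_fe(apk: bytes) -> list[str]:
    """Permission FE: every <uses-permission android:name=...> in the manifest."""
    root = ET.fromstring(_read(apk, "AndroidManifest.xml"))
    names = [el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")]
    return sorted(n for n in names if n)


def api_calls_fe(apk: bytes) -> list[str]:
    """API Calls FE (approximation): class descriptors referenced in the dex."""
    refs = re.findall(rb"L[A-Za-z0-9_/$]+;", _read(apk, "classes.dex"))
    return sorted({r.decode() for r in refs})


def commands_fe(apk: bytes) -> list[str]:
    """Commands FE: watch-listed system command references present in the dex."""
    dex = _read(apk, "classes.dex")
    return sorted(p.decode() for p in COMMAND_PATTERNS if p in dex)


def extract_static_features(apk: bytes) -> dict:
    """One DIPB block payload for this APK version."""
    root = ET.fromstring(_read(apk, "AndroidManifest.xml"))
    return {
        "package": root.get("package"),
        "version_code": int(root.get(ANDROID_NS + "versionCode")),
        "sha256": hashlib.sha256(apk).hexdigest(),  # consumed by the signature DE
        "permissions": permission_fe(apk),
        "api_refs": api_calls_fe(apk),
        "commands": commands_fe(apk),
    }
```

The `sha256` field is the whole-archive digest the signature-based DE compares against known samples; because it covers every byte of the ZIP, re-signing or repacking the same code yields a new value, which is the limitation noted above. The other fields are the static features a FE would write to the application's DIPB.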
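The dual private blockchain (a DIPB written by the Feature Extractors and a DEPB written by the Detection Engines), the three kinds of DE, and the Determinant Agent that combines their scores, as an added example that is not the framework authors' code. Everything below the chain itself is an illustrative interpretation of the text: block payloads are JSON dictionaries hashed with SHA-256, a permission-risk heuristic stands in for the AI-based DE (a trained model is out of scope here), the signature DE looks hashes up in a constructed known-bad set, the Consortium Blockchain DE reads both chains and combines earlier DEPB scores with permission drift seen in the DIPB history, and the Determinant Agent's weights and 0.5 threshold are hypothetical.

```python
"""Dual private blockchain for one application (DIPB + DEPB), three Detection
Engines and a Determinant Agent. Added example, not the framework's own code.
Hypothetical choices: JSON payloads hashed with SHA-256, a permission-risk
heuristic in place of the AI-based DE, a constructed known-bad hash set for the
signature DE, and the weights/threshold used by the Determinant Agent."""
import copy
import hashlib
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class Block:
    index: int
    prev_hash: str
    payload: dict
    hash: str


def _digest(index: int, prev_hash: str, payload: dict) -> str:
    body = json.dumps([index, prev_hash, payload], sort_keys=True).encode()
    return hashlib.sha256(body).hexdigest()


class PrivateChain:
    """Append-only hash chain. The owning component appends; other IPBs and
    third parties read through view(), a copy they cannot write back."""

    def __init__(self, name: str):
        genesis = {"genesis": name}
        self.blocks = [Block(0, "0" * 64, genesis, _digest(0, "0" * 64, genesis))]

    def append(self, payload: dict) -> Block:
        prev = self.blocks[-1]
        blk = Block(prev.index + 1, prev.hash, payload,
                    _digest(prev.index + 1, prev.hash, payload))
        self.blocks.append(blk)
        return blk

    def verify(self) -> bool:
        """Recompute every block hash and check each link to its predecessor."""
        for i, b in enumerate(self.blocks):
            if b.hash != _digest(b.index, b.prev_hash, b.payload):
                return False
            if i and b.prev_hash != self.blocks[i - 1].hash:
                return False
        return True

    def view(self) -> tuple:
        return tuple(Block(b.index, b.prev_hash, copy.deepcopy(b.payload), b.hash)
                     for b in self.blocks)


# --- Detection Engines: each returns a malice score in [0, 1] ----------------
KNOWN_BAD_SHA256 = {"b" * 64}  # constructed signature database
HIGH_RISK_PERMS = {"android.permission.READ_SMS", "android.permission.SEND_SMS",
                   "android.permission.RECEIVE_BOOT_COMPLETED"}


def signature_de(feat: dict) -> float:
    return 1.0 if feat["sha256"] in KNOWN_BAD_SHA256 else 0.0


def permission_risk_de(feat: dict) -> float:
    """Heuristic stand-in for the AI-based DE: share of high-risk permissions."""
    perms = feat["permissions"]
    return len(HIGH_RISK_PERMS.intersection(perms)) / max(len(perms), 1)


def consortium_de(dipb: PrivateChain, depb: PrivateChain) -> float:
    """Reads both chains: mean of earlier scores in the DEPB, plus a bump when
    the DIPB history shows the newest version adding high-risk permissions."""
    prior = [b.payload["score"] for b in depb.view() if "score" in b.payload]
    versions = [b.payload for b in dipb.view() if "permissions" in b.payload]
    drift = 0.0
    if len(versions) >= 2:
        added = set(versions[-1]["permissions"]) - set(versions[-2]["permissions"])
        if added & HIGH_RISK_PERMS:
            drift = 0.25
    base = sum(prior) / len(prior) if prior else 0.0
    return min(1.0, base + drift)


class DeterminantAgent:
    WEIGHTS = {"signature": 0.5, "permission_risk": 0.3, "consortium": 0.2}
    THRESHOLD = 0.5

    def __init__(self, dipb: PrivateChain, depb: PrivateChain):
        self.dipb, self.depb = dipb, depb

    def decide(self, feat: dict) -> dict:
        scores = {"signature": signature_de(feat),
                  "permission_risk": permission_risk_de(feat),
                  "consortium": consortium_de(self.dipb, self.depb)}
        final = sum(self.WEIGHTS[k] * v for k, v in scores.items())
        verdict = "malicious" if final >= self.THRESHOLD else "benign"
        # The DEPB keeps the per-version scan summary for this application.
        self.depb.append({"version": feat["version_code"], "engines": scores,
                          "score": final, "verdict": verdict})
        return {"version": feat["version_code"], "score": round(final, 3), "verdict": verdict}


def run_demo():
    """Two constructed versions of one app: v6 is clean, v7 adds SMS
    permissions and matches a known-bad hash."""
    dipb, depb = PrivateChain("DIPB:com.example.app"), PrivateChain("DEPB:com.example.app")
    agent = DeterminantAgent(dipb, depb)
    v6 = {"version_code": 6, "sha256": "a" * 64, "permissions": ["android.permission.INTERNET"]}
    v7 = {"version_code": 7, "sha256": "b" * 64,
          "permissions": ["android.permission.INTERNET", "android.permission.READ_SMS",
                          "android.permission.SEND_SMS"]}
    results = []
    for feat in (v6, v7):
        dipb.append(feat)  # Feature Extractors write the DIPB
        results.append(agent.decide(feat))
    return dipb, depb, results
```

Running `run_demo()` yields a benign verdict for version 6 and a malicious one for version 7; the DEPB then holds one scan-summary block per version, and `verify()` on either chain fails as soon as any recorded payload is altered, which is what gives third parties reading the chains confidence in the history they see.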