Two main topics exist in the knowledge area of software and platform security within cybersecurity, whether in the mobile, web, cloud or IoT ecosystem: i) malware analysis, detection, and containment and ii) vulnerability analysis, detection, prevention, exploitation, and patching. Despite the long-standing effort on malware detection, detecting malware remains challenging as threats continue to find ways to fly under the radar. Cybercriminals use polymorphic malware that allows threats to avoid detection by traditional antivirus software. There is the emerging threat of malware collusion, which sidesteps current approaches that assume malware consists of a standalone application. The underground economy is flourishing with tools and services that allow malware developers to deploy highly evasive malware. The continued evolution and innovation of their evasion techniques results in a scenario where most malware is seen only once, as the number of threats increases exponentially.
State-of-the-art detection systems often become ineffective against the evolution of malware development and the platform ecosystem, so that they lose accuracy on old threats, newer threats, or emerging kinds of malware [1-4]. Sustainable malware detection techniques are needed to help counter the concept drift problem [1], whereby a predictive model becomes less and less accurate as time passes because the features upon which it relies have become outdated. This problem is particularly important for security models due to the highly dynamic nature of malware. Approaches such as regularly updating the benchmarks to retest security tools with newer datasets leave security researchers several steps behind malware developers. The volume of new malware strains makes the task of updating databases or retraining predictive models virtually impossible. According to the AV-Test Institute, 560,000 new malicious programs are detected every day [1]. Webroot researchers [2] found that 93-97% of all pieces of malware and potentially unwanted programs are polymorphic. The implication of these findings is two-fold: new malware appears in large numbers every day, and it constantly changes its identifiable features to evade detection. To cope with this evolution of malware, approaches to malware analysis and detection engineering must be sustainable.
Project Description:
To build sustainable and durable models for malware analysis and detection engineering, it is crucial to identify concept drift as a means of bridging a fundamental research gap when dealing with evolving malicious software [1]. The key research goal of this proposal is to design and implement malware detection systems that are robust to malware evolution and platform ecosystem updates. The validation of such techniques for sustainable malware analysis and detection engineering will provide a toolkit for durable security solutions grounded in features that consistently separate malicious from benign applications, with the sustainability of application classifiers measured as a crucial means of containing the current unending surge of malicious software in the application ecosystem.
Research Objectives:
- Designing novel methodologies for evolution-based behavioural profile modelling and characterization of malicious and benign applications for deeper analysis of their behaviours.
- Evolutionary feature engineering for discovering resilient features for concept drift in binary and multiclass classification.
- Development of metrics for the sustainability of malware detection.
- Development of sustainable learning models for classification systems that are resilient to malware evolution.
- Demonstration of the classification approach for cyber threat intelligence with malware family classification, attribution, long-span malware detection and feature triage.
- Assessment of the performance of the sustainable model for resilience against evolving malicious software threats: evasion, obfuscation, adversarial attacks, malware coverage and platform evolution.
To achieve the objectives of the project, the case studies of malicious applications used for evaluation are Android applications, Windows binaries, state-sponsored malware and fileless malware. The diversity of case studies is intended to present compelling evidence for the generalizability and applicability of the proposed framework.
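The concept drift problem described above, and the idea of a sustainability metric for a detector (research objectives on metrics and on assessing resilience to malware evolution), can be made concrete with a small simulation. The following is an added example written for this page; it is not code from the project or its authors. It constructs synthetic application feature vectors (presence of five coarse behaviour categories) in which the benign profile is stable across release periods while the malicious profile shifts from SMS abuse towards reflection and dynamic code loading. A naive Bayes classifier trained on period 0 is then scored on every later period (time-aware evaluation), compared with the optimistic accuracy that a random train/test split over pooled data reports, and summarised with two simple durability figures (mean future accuracy and retained accuracy). The feature names, probabilities, period count and the two metrics are all constructed for illustration.

```python
"""Concept drift in a malware classifier: added illustration on constructed data."""
import math
import random

# Constructed behaviour categories; values are presence (1) / absence (0).
FEATURES = ["net", "sms", "crypto", "reflection", "dynload"]
PERIODS = 4  # constructed "release periods" 0..3


def feature_probs(malicious, period):
    """Class-conditional probability that each feature is present (constructed).
    Benign apps keep one profile; malicious apps drift away from SMS abuse
    towards reflection and dynamic loading as the periods advance."""
    if not malicious:
        return [0.6, 0.05, 0.2, 0.1, 0.05]
    t = period
    return [0.9, 0.9 - 0.25 * t, 0.3, 0.1 + 0.25 * t, 0.05 + 0.25 * t]


def sample_period(period, n_per_class, rng):
    """Return a balanced list of (feature_vector, label) for one period."""
    data = []
    for label in (0, 1):
        probs = feature_probs(label == 1, period)
        for _ in range(n_per_class):
            x = [1 if rng.random() < p else 0 for p in probs]
            data.append((x, label))
    return data


def train_nb(data):
    """Bernoulli naive Bayes with Laplace smoothing (so no log(0) on unseen features)."""
    n = len(FEATURES)
    counts = {0: [0] * n, 1: [0] * n}
    totals = {0: 0, 1: 0}
    for x, y in data:
        totals[y] += 1
        for j, v in enumerate(x):
            counts[y][j] += v
    cond = {y: [(counts[y][j] + 1) / (totals[y] + 2) for j in range(n)] for y in (0, 1)}
    prior = {y: totals[y] / len(data) for y in (0, 1)}
    return cond, prior


def predict(model, x):
    """Label 1 (malicious) when the posterior log-odds are positive."""
    cond, prior = model
    logodds = math.log(prior[1] / prior[0])
    for j, v in enumerate(x):
        p1, p0 = cond[1][j], cond[0][j]
        logodds += math.log(p1 / p0) if v else math.log((1 - p1) / (1 - p0))
    return 1 if logodds > 0 else 0


def accuracy(model, data):
    return sum(predict(model, x) == y for x, y in data) / len(data)


def time_aware_evaluation(n_per_class=400, seed=7):
    """Train on period 0 only and score each period in order: one accuracy per period."""
    rng = random.Random(seed)
    periods = [sample_period(t, n_per_class, rng) for t in range(PERIODS)]
    model = train_nb(periods[0])
    return [accuracy(model, periods[t]) for t in range(PERIODS)]


def random_split_evaluation(n_per_class=400, seed=7):
    """Pool all periods, shuffle, 70/30 split: the optimistic figure that hides drift,
    because the training set already contains samples from every period."""
    rng = random.Random(seed)
    pooled = [s for t in range(PERIODS) for s in sample_period(t, n_per_class, rng)]
    rng.shuffle(pooled)
    cut = int(0.7 * len(pooled))
    model = train_nb(pooled[:cut])
    return accuracy(model, pooled[cut:])


def sustainability(accs):
    """Two constructed durability figures: mean accuracy over the periods after
    training, and the fraction of period-0 accuracy still retained at the end."""
    future = accs[1:]
    return {"mean_future_accuracy": sum(future) / len(future),
            "retention": accs[-1] / accs[0]}


if __name__ == "__main__":
    accs = time_aware_evaluation()
    for t, a in enumerate(accs):
        print(f"period {t}: accuracy {a:.3f}")
    print(f"random-split accuracy (pooled periods): {random_split_evaluation():.3f}")
    print(sustainability(accs))
```

Running the script shows the detector trained on period 0 losing accuracy period by period as the malicious profile drifts, while the random split over pooled data reports a much higher figure; evaluating only in that way is how a detector can look sustainable on a benchmark and still decay in deployment.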
Project Key Words: Malware Analysis, Machine Learning, Malware Detection, Cybersecurity, Static Analysis, Dynamic Analysis, Reverse Engineering, Feature Engineering, Adversarial Behaviours, Attack Technologies.
Start Date: 01/10/22
Application Closing date: 28/02/22
For further information about eligibility criteria please refer to the DfE Postgraduate Studentship Terms and Conditions 2021-22 at https://go.qub.ac.uk/dfeterms
Applicants should apply electronically through the Queen’s online application portal at: https://dap.qub.ac.uk/portal/
Academic Requirements:
A minimum 2.1 honours degree or equivalent in Computer Science or Electrical and Electronic Engineering or relevant degree is required.
Funding Notes:
This three year studentship, for full-time PhD study, is potentially funded by the Department for the Economy (DfE) and commences on 1 October 2022. For UK domiciled students the value of an award includes the cost of approved tuition fees as well as maintenance support (Fees £4,500 pa and Stipend rate £15,609 pa - 2022-23 rates to be confirmed). To be considered eligible for a full DfE studentship award you must have been ordinarily resident in the United Kingdom for the full three year period before the first day of the first academic year of the course.
For candidates who do not meet the above residency requirements, a small number of international studentships may be available from the School. These are expected to be highly competitive, and a selection process will determine the strongest candidates across a range of School projects, who may then be offered funding for their chosen project.