ArticlePDF Available

Detection and Elimination of Spyware and Ransomware by Intercepting Kernel-Level System Routines


Abstract and Figures

Spyware is the most complex, obfuscated and targeted class of malware, which has grown dramatically in recent years. Spyware is designed for secret, long-term and persistent missions. The present paper provides a novel method for detection, tracking and confronting the stealth and obfuscated spyware and ransomware including keyloggers, screen recorders, and blockers. The proposed method of this paper is based on a dynamic behavioral analysis through deep and transparent hooking of kernel-level routines. We used Linear Regression, JRIP and J48 decision tree algorithms as a classifier to recognize three classes of malware. This paper presents the main architectural plan of an anti-spyware application to track spyware footprints in order to detect and force terminate running processes, eliminate executable files and restrict network communications. The Efficiency of the proposed method was evaluated from the viewpoint of accuracy in detecting real-world samples of spyware by ROC curve analysis and from the viewpoint of success rate to confront effectively with active spyware. Our proposed method was able recognize spyware with an accuracy of about 93% and an error rate near 7%. In addition, the proposed system can disinfect an operating system from infection by spyware with a hit rate of about 82%.
Content may be subject to copyright.
Received November 12, 2018, accepted November 27, 2018, date of publication December 7, 2018,
date of current version December 31, 2018.
Digital Object Identifier 10.1109/ACCESS.2018.2884964
Detection and Elimination of Spyware and
Ransomware by Intercepting Kernel-Level
System Routines
1Department of Computer Engineering, Science and Research Branch, Islamic Azad University, Tehran 1477893855, Iran
2Department of Computer Science, University of Human Development, Sulaimaniyah 0778-6, Iraq
3International Campus, Iran University of Medical Sciences, Tehran 1449614535, Iran
Corresponding author: Mehdi Hosseinzadeh (
ABSTRACT Spyware is the most complex, obfuscated, and targeted class of malware, which has grown
dramatically in recent years. Spyware is designed for secret, long-term, and persistent missions. This paper
provides a novel method for detection, tracking, and confronting the stealth and obfuscated spyware and
ransomware, including keyloggers, screen recorders, and blockers. The proposed method of this paper is
based on a dynamic behavioral analysis through deep and transparent hooking of kernel-level routines.
We used linear regression, JRIP, and J48 decision tree algorithms as a classifier to recognize three classes
of malware. This paper presents the main architectural plan of an anti-spyware application to track spyware
footprints in order to detect and force terminate running processes, eliminate executable files, and restrict
network communications. The efficiency of the proposed method was evaluated from the viewpoint of
accuracy in detecting real-world samples of spyware by ROC curve analysis and from the viewpoint of
success rate to confront effectively with active spyware. Our proposed method was able to recognize spyware
with an accuracy of about 93% and an error rate near 7%. In addition, the proposed system can disinfect an
operating system from infection by spyware with a hit rate of about 82%.
INDEX TERMS Malware analysis, spyware detection, stealth, obfuscation, data mining.
Rapid development and prevalence of Internet systems are
causes of growth in cybercrimes such as hacking, phishing,
identity theft and malware propagation [1]. It is also note-
worthy that criminals are moving faster than the development
of the technologies that ensure security [2]. Malware is a
software designed for malicious goals such as stealing vital
data and executing destructive binaries. Therefore, malware
compromises the availability, confidentiality, and integrity
of a victim’s system. Malware is software such as a Tro-
jan, viruse, worm, backdoor, rootkit, botnet or spyware that
intrudes a system without the consent of its owner [3].
The growth rate of malware has drastically increased in
recent years. According to [4], 670 million malware samples
were detected by McAfee Labs in 2017. A report by Kasper-
sky Lab in [5] indicates that the number of new malware files
detected by its products in 2016 increased to 323,000 per
day. This is while similar amount was only 13,000 in 2015.
According to [6], the total number of malware discovered
in 2016 showed a growth of 36% compared to the year 2014.
The reason for the high rate of malware generation is obfusca-
tion and polymorphic engines. Moreover, the newly produced
malware is getting more complex, targeted and shrewd.
Malware is designed for different types of Operating Sys-
tems (OS) such as Windows, Android, Mac, and iOS. Hence,
it can be categorized based on the design platform. In recent
years, with the significant increase in the popularity of smart-
phones, Android OS has become one of the world’s most
popular smartphone platforms [7], [8]. Android malware
attacks are therefore increasing rapidly. Android was the
target of 97% of global mobile malware in 2013. In 2016,
the number of Trojans contained in Android adware increased
to nearly 700,000 [8]. Although malware on other plat-
forms such as Android and Mac has been growing, malware
designed specifically for the Microsoft Windows family of
operating systems accounts for over 90% of all malware [9].
Figure 1 indicates the growth of malware for different oper-
ating systems between 2009 and 2018 [10]. It is evident that
VOLUME 6, 2018
2169-3536 2018 IEEE. Translations and content mining are permitted for academic research only.
Personal use is also permitted, but republication/redistribution requires IEEE permission.
See for more information.
D. Javaheri et al.: Detection and Elimination of Spyware and Ransomware by Intercepting Kernel-Level System Routines
FIGURE 1. A comparison of malware growth for different operating
systems during the last 10 years (T is thousand and M is million).
the amount of Windows malware was 24 times higher than
that of Android malware in 2018.
Spyware is a latent malicious executable that collects
important and valuable data such as passwords and financial
information without the permission of the owners and sends
them to the attacker. Spyware is one of the most dangerous
and mysterious classes of malware designed for secrecy and
durability. Attackers install spyware binary files on the com-
promised machine to steal valuable information in silence;
then they can establish a long-term connection based on the
covert channel to the victim’s machine in order to launch an
Advanced Persistent Threat (APT) attack [11].
Malicious programmers have introduced code obfuscation,
dynamic code loading [12] and metamorphic engine –which
is self-mutating and consequently, changes its fingerprint
automatically on every execution in order to bypass tradi-
tional scanners that work based on string and fingerprint
matching [13]. Therefore, traditional signature-based meth-
ods and generic classifiers such as the method in [14] become
less potent in detecting metamorphic malware and novel
patterns of malware attacks [15] specifically in the spyware
class. Hence, the behavior analysis of malware is needed to
detect malignancy. Traditionally, malware analyses have been
a tedious and time-intensive manual process because they
are needed for timely zero-day discoveries [16]. Analysis of
very large volumes of malware samples is only possible via
automated dynamic analysis. Therefore, malware analyzers
search for automation processes of malware analysis.
It is noticeable that according to a Symantec report [17],
the number of zero-day vulnerabilities discovered in 2015 has
increased to 125% compared to the year before. These vul-
nerabilities are very valuable for spyware to design a pattern
of attack while remaining anonymous. Hence, spyware is the
most complex and obfuscated class of malware. In addition,
it is almost impossible to recognize all novel stealth spyware
with a generic malware classifier. Therefore, a particular
classifier for detection of stealth and obfuscated spyware was
intended in our study.
The rest of this paper is organized as follows. Spyware
attack techniques are introduced in Section 2. The proposed
method for detection and tracking is explained in Section 3.
The architectural plan of our proposed anti-spyware appli-
cation and the proposed method for disinfection of malware
are described in Section 4. Finally, Section 5 indicates and
analyzes the results of the evaluation of the proposed system.
Spyware is divided based on the performance mechanism
and the type of hijacked information. Keyloggers and screen
recorders are the most dangerous and mostly used kinds of
spyware. As mentioned before, stealth and durability are
the two most important non-functional attributes (quality
attributes) in the architecture of the mentioned malware.
In order to hijack information, spyware needs hooking OS
facilities, especially system functions (APIs).1The aim of
hooking is to act as a mediator between the OS resources
and incoming requests from the user or installed applica-
tions on the victim system. Therefore, it is able to log and
hijack incoming information. Most of the malware can send
the hijacked information into pre-determined destinations
and Command and Control (C&C) center through network
Ransomware is another class of malware studied in this
paper. Ransomware is applied as malware because of its
malignant behavior, which forces victims to take undesired
and compulsory actions like extortion of money. A com-
mon category of this class of malware is blockers. In this
study, we concentrated on keyloggers, screen recorders, and
Keyloggers are smart malicious binaries that take an action
to record keys that the user presses when the system is
active or at sensitive times. For example, when the user
wants to enter his/her email password in the internet browser,
do online shopping, or write a document in a text editor. Spy-
ware can distinguish valuable times by calling FindWindow
and GetWindow system functions to get the name of run-
ning windows [18]. Another method is to use Process32First
and Process32Next system functions for searching among
active processes of the OS to find special process names
such as ‘iexplore’ [19]. This tactic gives rise to a decrease
in the size of hijacked information by filtering insignifi-
cant information. This tactic has another obvious advantage:
when hijacked information is sent via the network connection
to C&C, decreasing the size of the sent information can
shorten the sending time, especially when spyware is using a
low-bandwidth covert channel such as timing-base channels.
1Application Programing Interface
78322 VOLUME 6, 2018
D. Javaheri et al.: Detection and Elimination of Spyware and Ransomware by Intercepting Kernel-Level System Routines
In addition, decreasing the size of the hijacked informa-
tion and limiting activation time of the spyware extremely
decrease the probability of anomaly patterns recognition
at network traffic or malicious behavior of the OS by
surveillance tools like Antivirus and SIEM.2Profound data
mining on a large number of keyloggers shows that these
malware take an action to hook NTUserGetASyncKeyState
and NTUserGetKeyState form the System Service Descriptor
Table (SSDT( shadow in order to meet their purpose that
is discovering what keys are pressed. The above-mentioned
functions deliver received states from the upper APIs at the
user-level to drivers that manage the keyboard. The aim of
a keylogger is to act as a mediator between these system
functions and user requests they come to know through dis-
covering the pressed keys. This is done by reading the values
of the mentioned function parameters and recording them in
a log file.
Screen recorders are another common subclass of spyware.
They take screenshots from victim user activities. A screen
recorder needs to stay hidden very well. By running different
types of spyware in analyzer environments equipped with
monitoring tools (e.g. cuckoo sandbox and APIMon) we
could derive their system calls. Although some types of spy-
ware try to hide their APIs through obfuscation techniques,
especially dynamic programming, we keep the analyzer envi-
ronment transparent by embedding monitoring facilities at
the lowest possible level of the OS and altitude of the
Input/Output (I/O) stack.
A screen recorder sends its requests in the form of a handle
to GetWindowDC API from the User32.dll library in order
to image a window screen or desktop screen. The mentioned
function returns all contents of the desired window includ-
ing the menus and labels in the form of a Device Context
(DC) structure as return values. The return values of this
function are passed, as input arguments, to another system
function, i.e. BitBlt, which belongs to the GDI32.dll library.
The output of the recent function is an image of the input DC.
Other parameters of this function determine characteristics
of the output image such as length and width [20]. The
structure of system functions GetWindowDC and BitBlt are as
HDC GetWindowDC BOOL BitBlt(
(_In_ HDC hdcDest,
_In_ HWND hWnd _In_ int nXDest,
);_In_ int nYDest,
_In_ int nWidth,
_In_ int nHeight,
_In_ HDC hdcSrc,
_In_ int nXSrc,
_In_ int nYSrc,
_In_ DWORD dwRop);
2Security Information and Event Management
Furthermore, GetWindow and FindWindow system func-
tions are necessary for this spyware. Screen recorders create
a handle for imaging by searching the name of a window with
the mentioned system functions. The aim of this action is to
restrict the imaging to special windows such as an internet
browser; for this reason, some security applications name
their windows randomly in order that malware cannot search
Static behavioral analysis of several samples of blockers
shows that most of them are filter drivers placed in altitudes
higher than those of the OS keyboard and mouse original
drivers in the space of I/O stack. Then, using Windows Fil-
tering Platform (WFP) facilities, this malware takes action
to capture the sent IRPs3into hardware and drop them [18].
Therefore, the connection between the OS and the key-
board/mouse is interrupted.
Another mechanism used in blockers is to hook the Send-
Input system function from the User32.dll library at Ring
(3) [18] or its equivalent function at Ring (0) from the OS
NTUserSendInput. In this way, incoming requests to the men-
tioned functions receive no response and pressed keys by the
user do not influence the OS. The results of our experiments
showed that hooking of the NTUserSendInput function at the
kernel-level was more common in blockers. This is because
unhooking a blocked API at the kernel-level is tremendously
harder than at the user-level and sometimes it is irrevocable.
Blockers show a message that binds the victim to pay
expenses to open his/her system. In this respect, they are
placed in the ransomware class. Another category of ran-
somware encrypts important low size files such as docx, pdf,
pptx, xlsx and accdb documents with encryption algorithms.
The victim is then obliged to pay in order to provide the
key for decryption. This category of ransomware is known
as Cryptors.
Some methods have been introduced in recent years for
recognition of malware based on the static or dynamic behav-
ior analysis that they use such as API calls, opcodes, register
values and other features for behavioral modeling.
Islam et al. [21] proposed a new method for classification
of malware based on integrated static and dynamic features.
The authors extracted some features through a static analysis
by unpacking malware manually and some other features
through a dynamic analysis by execution of the malware,
which unpacks itself. They claimed that their method had an
error rate of less than 2.7%.
Gupta and Kumar [22] proposed a novel method to detect
the execution of the malicious application in a cloud envi-
ronment. This method uses a sequence of system calls for
making a signature to distinguish malicious behaviors during
the execution of unknown applications. The accuracy of this
3Input/Output Request Packet
VOLUME 6, 2018 78323
D. Javaheri et al.: Detection and Elimination of Spyware and Ransomware by Intercepting Kernel-Level System Routines
method has been evaluated to be about 98% by using a dataset
collected from email traffic of the University of New Mexico
in private cloud resources.
Wang et al. [23] presented a new method to classify mal-
ware based on a social network analysis. Jang’s method fea-
tures derived from the graph structure of system calls. They
used social network properties as applied to the call graph,
such as the degree of centrality, the degree of distribution,
density, component ratio and coefficient of clustering. A sys-
tem call graph consists of system calls found in the execution
of individual malware families to explore the distinguishing
features of various malware families.
Wang and Wang [24] introduced a new classifier based
on the Support Vector Machine (SVM) algorithm to solve
the problem of classification accuracy regarding unspecified
malware. Malware detection depends on correct extraction
and completeness of training signatures. This model is able
to classify 60 families of real malware automatically. The
overall detection accuracy of this model was estimated to be
more than 85% for unspecific malware.
Das et al. [25] proposed an approach for online mal-
ware detection using hardware-enhanced architecture by a
combination of processor and FPGA.4The authors used a
frequency-centric model for feature construction using sys-
tem call patterns of unknown malware and benign samples.
They claimed that their model could detect 46% of malware
within the first 30% of its execution and 97% of malware
during a complete execution.
Liu et al. [26] proposed a machine learning based mal-
ware detection method. The authors used n-gram of opcode
as grayscale images for feature selection and Shared Near-
est Neighbor (SNN) as a clustering algorithm to classify
unknown malware. They used a dataset with 20,000 samples
of malware and benign files to evaluate their model. The
results of the evaluation showed a best accuracy of 98.9%
for classification of the unknown malware and successfully
detected 86.7% of novel malware.
Lin et al. [27] proposed a new mechanism to overcome
challenges of time-consuming of dynamic analyses. They
used a modified Xen hypervisor, which could generate a
virtual clock source according to a predefined speed ratio.
This ability helped accelerate the running of the sandbox
on the modified hypervisor. An evaluation by the authors
indicated that performance increased up to 42%.
There is an important issue with extracting the name of
APIs in most of the behavioral analysis methods. Some
methods focus on the static analysis of Portable Executable
(PE) structure to extract API names from the Import Address
Table (IAT), but these methods are very vulnerable in con-
fronting with obfuscation and metamorphism techniques
such as IAT encryption, IAT smashing and dynamic program-
ming. Some others use hooking to extract APIs during the
execution of malware, which could evade from the mentioned
4Field-Programmable Gate Array
FIGURE 2. The process of interaction between the HW, OS and
applications and proper location for hooking.
obfuscation techniques, but correct hooking is a serious chal-
lenge itself.
Hooking is a technique to capture application interactions
with the OS. This process initiates with the formation of
agents between the OS and an application. The purpose of the
application request seizure is mainly to obtain information,
theft or reject the application request [19]. This technique
is used by malware to destroy the OS facilities or informa-
tion theft of another application. It is also used by security
applications to make self-defense system, analyze malware
by sniffing API calls and protection of the OS [28].
It is possible to capture a request based on six different
kinds of hooking in the user and kernel space of the OS.
Figure 2 shows the way of interaction between the OS, hard-
ware equipment and an application at a user/kernel-level and
indicates all kinds of hooking [28].
The depth of hooking is very important because the ana-
lyzer always needs to control the analysis process, at least
at a layer lower than the spyware. There is a direct relation
between the depth of hooking and the accuracy of the analy-
sis process. This issue is indicated in Equation 1 [28]. For
instance, if an analyzer installs its hooks at the user-level,
it will lose the possibility of the analysis of active spyware
in the kernel space. Or if the analyzer installs its hooks by
changing the SSDT table addresses, it never observes spy-
ware which executes its malicious behavior by direct sending
IRPs to the device manager.
Depth Level(Analyzer )Depth Level(Spyware)(1)
78324 VOLUME 6, 2018
D. Javaheri et al.: Detection and Elimination of Spyware and Ransomware by Intercepting Kernel-Level System Routines
FIGURE 3. A comparison of the number of extracted APIs in different
kinds of analysis.
In a deep analysis of some intelligent samples of spyware,
we could understand that a static analysis is not enough
to extract APIs because we found very critical APIs by a
dynamic analysis when malware was under the supervision
of a sandbox never seen in a static analysis. As mentioned
before, the supervision depth in a dynamic analysis is a vital
factor. Some of the sandboxes using user-level hooking tech-
niques to extract APIs were not able to see the interactions
of spyware in the kernel space, because spyware uses kernel-
level APIs, in this case, the sandbox needs to use kernel-level
hooks or hardware based emulation. For example, a processor
emulation is able to see the interactions of active spyware in
the kernel and can log the APIs. Figure 3 shows a comparison
between the number of APIs extracted in a static analysis,
user-level dynamic analysis and kernel-level dynamic analy-
sis, which is categorized by seven sources of behavior in the
OS. This result is very important because it indicates that the
spyware tries to hide its critical APIs that it uses to call the
kernel modules and to modify the system objects in them. By
this, the spyware intends to mislead the analyzers.
The method used in the implementation of monitoring
facilities for correct extraction of APIs is the most decisive
factor in the detection of stealth and obfuscated spyware.
The proposed method of this study is presented in two sec-
tions. The first section describes the way of spyware detec-
tions and the second section explains how to eliminate the
detected pre-activated spyware. This class of malware has the
maximum ability of stealth. Thus, it is more difficult to detect
them rather than other classes of malware. In the proposed
method of this study, the dynamic behavior of the spyware
and blockers forms a basis for detection. Dynamic behav-
ioral analysis methods are used because the new malware is
equipped with various kinds of obfuscation techniques and
metamorphic engines to deceive static behavioral analyses.
Obfuscation techniques such as Random Hash Table, Control
Flow Graph (CFG) smashing, IAT evacuation, and string
encryption cause the signature-based and static behavioral
analysis methods to have less potential in the analysis of
obfuscated malware. Furthermore, malicious programmers
use anti-reverse engineering techniques to prevent disassem-
bling of their executable files like [29], which make serious
problems for a static analysis. Hence, recently, more attention
has been paid to analyze the dynamic behavior of malware.
And most of the novel methods for malware detection, such
as [21], [22], [25], and [27] are based on dynamic behavioral
analyses. Although, some claim that it is possible to deceive a
dynamic behavioral analysis, for example by shadow attacks
in [30], dynamic behavioral analyses are still the most effec-
tive method.
Our proposed method considers the interaction of malware
with the OS to model the behavior. It can recognize the nature
of spyware based on such interactions. This is possible by
using kernel drivers in the implementation of the proposed
method. The reason for using the kernel drivers is confronting
with active spyware, which needs to avoid limitations of
the User Access Control (UAC) in a user space and nullify
defensive equipment of the spyware.
In the proposed method, first a monitoring driver loads
the SSDT and SSDT Shadow table directly from the owner
modules (ntoskrnl.exe and win32k.exe). It is important to
load the mentioned table directly rather than using preloaded
tables in the main memory to detect the spyware. SSDT
and SSDT shadow tables maintain the address of kernel-
level win32 APIs. The OS uses the mentioned tables to map
user-level APIs onto the equivalent APIs in the kernel [18],
[19]. The original address for each row of the table, which
indicates the location of the relevant API in main memory,
is calculated. It is necessary to mention that both SSDT and
SSDT Shadow tables are a subset of the Service Description
Table (SDT). Data structures of the mentioned tables were
figured out from [31] and presented below.
typedef struct typedefstruct
{ {
PULONG ntoskrnl;
ULONG win32k;
ParamTableBase; notUsed1;
To detect keyloggers, the loaded driver in the memory kernel
space calculates the original address for each API basis on the
VOLUME 6, 2018 78325
D. Javaheri et al.: Detection and Elimination of Spyware and Ransomware by Intercepting Kernel-Level System Routines
version of the OS by using Equation 2.
OriginalAdd.=ServiceTableBase +SysEnterAdd.×4
In the above equation, the original address of each API
(each row of the SSDT) is obtained by the adding the address
of the related service (API) toward the table basis and four
times of the SysEnter command address. SysEnter command
maps the user-level APIs onto kernel-level APIs in the NT5
family of Windows operating systems [19]. After calculation
of the original addresses, we should compare them with avail-
able addresses in the current SSDT table (the table available
in the memory of the system). The reason for this comparison
is to find discrepancies among addresses in order to determine
APIs hooked by spyware.
Any contradiction between the main address and the
current address for NTUserGetKeyState and NTUserGetA-
SyncKeyState functions of the SSDT shadow table is enough
to confirm the presence of a keylogger in the system. The
algorithm for detection of keyloggers is a follows.
1. Load SSDT and the SSDT Shadow tables from the
ntoskrnl.dll and win32k.exe modules directly.
2. Define the structure of the SDT table (parent of SSDT/
SSDT Shadow).
3. Define the structure of SSDT and SSDT Shadow table.
4. Calculate the original address for each API (rows of
SSDT/ SSDT Shadow).
5. Read the current address for each API in SSDT and SSDT
shadow previously loaded by the OS at startup time.
6. Compare the original and current address for NTUser-
GetKeyState and NTUserGetASyncKeyState APIs.
7. Any difference between addresses will indicate existence
of a hook and thus infection by a keylogger.
This malicious behavior was detected and classified by
training a dynamic behavioral model based on the Linear
Regression classification algorithm. The model can be for-
mulated as Equation 3.
M=A×XA+B×XB+C×XC+. . . (3)
In the above formula, Mis the index of keylogging mali-
cious behavior. A, B, Care the indices of APIs that the spyware
calls for hooking the mentioned rows of the SSDT shadow
table sorted according to the sequence of call times and
XA,XB,XCare repetition frequencies of the APIs.
In the proposed method to detect screen recorders, a driver
in the kernel space hears all incoming requests by installing
a hook on the GetWindowsDC and BitBlt system functions.
Then, by considering five behavioral features, i.e. the fre-
quency of repetition, uniqueness of applicant process, exis-
tence of sequence between the incoming requests, state of
applicant process and value of parameters in the system
5New Technology
FIGURE 4. The proposed algorithm to detect screen recorders.
calls, we could determine the behavior of screen recording
and malicious spying intent. By performing data mining on
more than 5000 real-world samples of spyware collected from
[32], [33] during 2013-2018, we could derive several rules to
detect and classify screen recording behaviors. These rules
were produced in Weka 2.7.9 using the JRIP algorithm in a
7-Folds cross-validation training model and represented as
a decision tree via the J48 algorithm. Figure 4 shows the
proposed method for detection of screen recorders.
It is noteworthy that our proposed method faced a major
challenge in hooking the SSDT shadow tables. The problem
was to find the address of that table in the main memory.
The SSDT shadow table loads in different addresses for
each version of Windows OS and it is limited to read-only
access [18]. We used the Windbg debugger to find the address
of SSDT/SSDT Shadow table in each version of Windows
The proposed algorithm for detection of blockers is similar
to the one proposed for keyloggers (Linear Regression was
used). However, the difference is in the presence of a hook
on the NTUserSendInput system function. If the mentioned
function is hooked, the existence of a blocker in the sys-
tem will be definite. Hence, the trained model classified the
blockers by recognizing the malicious behavior of hooking-
related row of the SSDT shadow table. The manufacturer has
not documented the mentioned function because of its high
The second section of the proposed method engages in track-
ing and confronting the detected spyware. Confronting pro-
cess is performed in two stages. In the first step, tracker
modules try to determine the footprints of the active spyware
on the system. In the next step, the confronting modules try
to stop the spyware activities and eliminate its executable.
The architectural plan of the proposed method is composed
of tracking and disinfection subsystems, which is illustrated
in Figure 5.
It is the duty of the tracking subsystem to determine the
process ID (PID) of the spyware and its executable paths on
the hard disk as soon as the spyware is detected, and disin-
fection subsystem confronts the tracked spyware in order to
78326 VOLUME 6, 2018
D. Javaheri et al.: Detection and Elimination of Spyware and Ransomware by Intercepting Kernel-Level System Routines
FIGURE 5. The architectural plan of the proposed anti-spyware.
terminate the process and eliminate the executable files. The
tracking subsystem is composed of three modules: Process
Tracker Module (PTM), Executable Tracker Module (ETM)
and Network Sniffer Module (NSM). They track processes,
executable paths and network interactions, respectively. The
confronting subsystem uses the Force Terminator Module
(FTM) to force terminate the process. An Independent File
Eliminator (IFE) is used for the independent and decisive
elimination of executable files. It is also equipped with an
embedded firewall to block the network communications. All
of the mentioned components are managed by the comman-
der module, which is an application at the user-level and able
to interact with the administrator of the system.
After malware is detected, its existence is declared to the
tracker modules of the tracking subsystem. In this subsystem,
first a tracking command is delivered to the PTM. The task of
this module is to find the spyware’s PID by calling the PSGet-
ProcessID function at the OS kernel-level. The obtained PID
is delivered to ETM, which is the second tracker module in the
tracking subsystem. This module is a filter driver in the OS
kernel. Using the PSGetProcessImageFileName system func-
tion, the module gets access to enter the memory allocated to
the spyware process and then it can derive the executable path
among data structures in the main module of memory. At the
same time that the second module of the tracking subsystem is
tracking the malware executable file, the third module (NSM)
receives the spyware’s PID and begins to sniff the network
Most of the spyware need to define a socket by a com-
bination of the IP/Port address and type of protocol to
send stolen data to the related C&Cs. This is possible by
using WSASocket and Socket API calls to create the socket.
Then it sends and receives data using the Send, SendTo,
WSASendAPIs [20]. All of the mentioned APIs are placed
in the WSock32.dll library. The structures of the mentioned
APIs are given below.
_In_int af ,
_In_int type,
int connec(
_In_const struct
sockaddr name,
_In_int namelen
Int send(
_In_const char
buf ,
_In_int len,
_In_int flags
In the proposed system, we can access the stolen data by
capturing the second parameter of the Send system function
(buf). Furthermore, it is possible to change the stored data in
a buffer in order to deliver fake data to the spyware and change
the IP or domain address of the first parameter (SOCKET s) in
order to lure the spyware to an analyzer sinkhole or honeypot.
Moreover, the tracker subsystem logs all network interactions
and sorts them using their timestamps to complete network
forensic processes and detection of an intruder.
When the tracking process is completed, the second module
of the tracking subsystem (ETM) delivers a distinctive exe-
cutable file path with a PID to the confronting subsystem in
order to perform the confront process. The proposed system
can detect, track and confront with several pieces of malware
at the same time.
In the confronting subsystem, first the FTM receives the tar-
get’s PID and terminates it by force. This module is a kernel
driver, which uses no limitation advantages of the OS for
the kernel space. This module calls the ZwTerminatorProcess
VOLUME 6, 2018 78327
D. Javaheri et al.: Detection and Elimination of Spyware and Ransomware by Intercepting Kernel-Level System Routines
FIGURE 6. Collaboration between the tracking and disinfection
kernel routine to terminate a malware process regardless of
limitations of UAC and Kernel Path Protection (KPP) [19].
This routine is also able to pass the defensive facilities of
malware. It is very important to mention that the termination
process does not perform in real-time because the spyware
process should be in running state in order to track and
locate the executable path file. Hence, the termination process
begins with a suitable delay after detection of spyware.
After the forced termination of the malware process, the result
of the operation is passed to the second module in the dis-
infection subsystem (IFE). Then it eliminates target exe-
cutable spyware file independent of system functions at the
user-level. The independence of the user-level system func-
tions gives rise to release from the system limitation in
order to eliminate the protected files because of all malware,
especially spyware, which needs high durability. It bans the
elimination of their executable files. Figure 6 shows the
architecture and data flow between the tracker and disinfector
The only remained challenge is the existence of an active
handle to the spyware files that was detected and terminated
by the owner process of that handle in the previous step of the
proposed method. IFE is a kernel filter driver, and if it fails
to remove executable files from hard disk, it will try to send
the IRP to hard disk directly in order to remove the malware
files independent of the OS. Hence, the IFE module has the
ability to tolerate one failure.
The noticeable issue is the altitude and Group Order (GO)
of the filter driver. The method proposed in this paper loads
a filter driver in at the lowest possible altitude higher than
the original file system driver with the highest possible group
order in the I/O stack space, which can give the best results in
detecting and confronting the stealth spyware. Reference [28,
Fig. 7 and eq. 4] shows best location for the ETM and IFE in
the I/O stack.
FilterDriverAlt.(ETM /IFE )<FilterDriverAlt.(spyware)
FilterDriverGO(ETM/IFE )FilterDriverGO(spyware)(4)
The network limiter module is a small firewall embedded in
the disinfection subsystem. We defined necessary rules for
configuring network interface card and possibility to block
the suspicious IP, URL addresses and ports. NSM can send
FIGURE 7. Proper altitude and group order for the ETM and IFE modules.
an order to active proper rules to block the spyware interac-
tions by reading and interpreting the logged data of spyware
activities. Correct, opportune and on-time configuration of
the firewall is very important, because the user information is
not stolen from the starting time of confronting the spyware
process to its completion. Hence, if confronting process fails
in the forced termination or in executable file elimination,
the user information cannot be stolen and the occurred fault in
the confronting subsystem will be tolerated. Another advan-
tage is in confronting smart spyware with melt-ability, which
can receive commands from the C&C center and commit
suicide or change their behavior. Thus, the presence of the
firewall is essential to prevent the spyware from suicide.
One of the main challenges in the implementation of the
proposed system was the connection among drivers in the
kernel space and their security, especially confidentiality and
integrity of the messages exchanged between kernel drivers
and control center at the user-level because we loaded drivers
with top-most privileges in the OS kernel.
The main methods of connection between a kernel driver
and user application are shared memory, file mapping,
pipelines and message queue. The pipelines are the most
suitable method for the proposed system because of their
security and speed of communication. Pipelines are divided
into two main classes, i.e. named pipelines and unnamed
pipelines. Unnamed pipelines are used to connect locally on
a system and only at the user-level, but named pipelines are
used to connect applications on several machines within a
network or used to connect applications at the user-level and
kernel-level [34], [35]. Therefore, we need to use a named
pipeline. A connection via a pipeline is possible by defin-
ing symbolic links in source and destination drivers. These
symbolic links are made by the system functions IoCreate-
UnprotectedSymbolicLink and IoCreateSymbolicLink at the
78328 VOLUME 6, 2018
D. Javaheri et al.: Detection and Elimination of Spyware and Ransomware by Intercepting Kernel-Level System Routines
kernel-level. The difference between these two functions is
that the symbolic links made by IoCraeteSymbolicLink are
usable only at kernel-level drivers and they are hidden for
applications at the user-level. Symbolic links are made by
IoCreateUnprotectedSymbolicLink and used by applications
at the user-level. Since the design of the proposed method for
detecting, tracking and confronting specific malware requires
drivers in the kernel space with the highest access level to
OS, it should eliminate any misusing of these drivers. Two
security layers are designed in the architectural plan of the
proposed system. The sender driver uses the RSA6algorithm
to make a digital signature and the other side receiver driver
validates the originality of signature of coming packets. This
originality means that the request belongs to the commander
module at the architecture of the proposed system. Moreover,
all packets are encrypted by the mentioned algorithm and key
distribution is considered to avoid any Man-in-the-Middle
(MITM) or Cross-Site Request Forgery (CSRF) attack.
Advantages and contributions of our proposed method are
listed below:
XUsing a specific and accurate classifier to recognize the
classes of spyware and ransomware rather than a generic
XA deep and transparent hooking system able to detect
novel obfuscated and stealth spyware.
XDisinfection of the malware by an effective method (not
mere detection).
XExplaining the details and way of implementation for the
proposed method and presenting the main architecture of
a reliable anti-spyware to detect, disable and disinfect the
XCompetent evaluation using real-world samples of the
In this section, we evaluate the accuracy rate of the pro-
posed method in detection and elimination of spyware based
on confronting real-world samples. Then we will analyze
and interpret the evaluation results. In order to do the tests,
the proposed method was implemented in an antispyware
application. C++ was employed to implement the kernel
drivers and was used for the Graphical User Interface
In order to evaluate the classification quality of the proposed
method, a test dataset consisting of 4951 real-world samples
of spyware collected from [32], [33] during the five recent
years (between 2013-2018) and 3025 benign executable files
was performed. The test dataset was completely separated
from the training data and consisted of three classes of mal-
ware i.e. keyloggers, screen recorders, and blockers as well as
one class of benign files. The benign class was collected from
OS files, trusted application binaries, and some video game
6Rivest-Shamir-Adleman public-key cryptosystems
FIGURE 8. Dataset used in testing the model.
FIGURE 9. The results of the classification.
binaries. Figure 8 shows the percentage of the participants for
each class of the dataset.
The samples in the test dataset were classified by the
proposed method. The results for each class are presented
in Figure 9.
It is necessary to mention that some malware can have sev-
eral malicious behaviors at the same time, specifically in spy-
ware. In the proposed method, the behavior detected earlier
was a basis for classification. The cause of running malware
was a detection free from any use of signatures and just based
on a dynamic behavioral analysis and confronting it.
The figure indicates the number of samples classified cor-
rectly or incorrectly per class. Moreover, the figure shows the
number of activated malware pieces successfully eliminated
from the OS as well the number of samples that the proposed
method was not able to detect.
In order to calculate of detection rate (accuracy) and miss-
classification (error) rate of the proposed method, Equation
VOLUME 6, 2018 78329
D. Javaheri et al.: Detection and Elimination of Spyware and Ransomware by Intercepting Kernel-Level System Routines
5 was used.
Accuracy =TP +TN
TP +TN +FP +FN (5)
In the above equation, TP (True Positive) is the number
of spyware samples, which are correctly detected as spyware
and TN (True Negative) is the number of benign files, which
are correctly detected as benign. FP (False Positive) indicates
the number of benign files mistakenly detected as malware
while FN (False Negative) indicates the number of malware
samples mistakenly detected as benign. Accuracy is defined
as the ratio of sum of TP and TN to the sum of all samples
while the error rate is the ratio of sum of FP and FN to all
samples. These metrics were calculated for all four classes in
the test data.
Hit/Miss rate of disinfection is defined as the num-
ber of successful/failed reactions of the proposed system
in the forced termination of spyware process, elimina-
tion/quarantine of executable files and restriction of network
connections ratio to all of the active spyware. The hit rate of
disinfection was calculated through Equation 6.
Hit Rate =Terminated Eliminated Net.Restricted
Total Detected Spyware (6)
In the above equation, the hit rate of the proposed method
in malware disinfection is defined as the ratio of number
of malware samples whose processes are terminated, their
executable files are successfully deleted from the hard disk,
and their network connections (if any) are disconnected to the
total number of detected samples.
All the mentioned metrics including the accuracy and error
rates of detection, and hit/miss rates of elimination for each
class were calculated separately using the mentioned equa-
tions and the results are shown in Figure 10. It is noteworthy
that the metrics related to malware elimination i.e. hit/miss
rate were calculated only for three malware classes with the
benign class excluded.
In Figure 10, the averages of the existing metrics calculated
based on Equation 7 are shown on the Average column group.
Where, Nis the number of evaluated classes and Wis
the weight of each class, which is the ratio of the number
of records in a class to the total number of records in the
dataset. The above equation was used for calculation of the
accuracy, error, hit and miss rates. As indicated in Figure 10,
the proposed method was able to detect the spyware with an
average accuracy of 92.32% and eliminate them with a hit
rate of 81.28%.
Then, in order to compare the accuracy rate of the proposed
method in detection of the classes in the dataset, a Receiver
Operating Characteristic (ROC) curve was used. In this curve,
the abscissa indicates the True Positive Rate (TPR) and the
ordinate shows is the False Positive Rate (FPR). TPR is the
ratio of TP to the sum of TP and FN and FPR is the ratio of
FIGURE 10. The results of the evaluation of the proposed system in
detection and elimination of spyware.
FIGURE 11. The ROC curve of the proposed method.
FP to the sum of FP and TN. The ROC curve for each class
is shown in Figure 11.
As Figure 11 shows, the ROC analysis demonstrates the
accuracy of the proposed method in classifying keyloggers is
better than other classes of spyware.
This evaluation was conducted to determine the utilization
and optimization levels of the proposed anti-spyware appli-
cation in the OS resources usage. A test was performed
according to the following scenario.
All samples of spyware were run one by one on a Virtual
Machine (VM) with two cores of CPU of a maximum speed
of 2.4 GHz, 2 GB of memory and the x86 version of Windows
8 as the OS. The VM was equipped with the proposed anti-
spyware application. CPU and memory usage of the anti-
spyware during 60 minutes of the scan and confront process
are shown in Figure 12.
78330 VOLUME 6, 2018
D. Javaheri et al.: Detection and Elimination of Spyware and Ransomware by Intercepting Kernel-Level System Routines
FIGURE 12. CPU and memory usage of the anti-spyware.
As it is evident from Figure 12, the CPU usage by the
proposed anti-spyware application for detecting and con-
fronting active malware was always less than 30% with an
average percentage of 18.09. The average memory usage by
the application was 10.62%.
It is necessary to mention that a dynamic behavioral analy-
sis requires execution of every sample of malware separately.
Hence, a secure environment like a VM or sandbox is essen-
tial for the risk-free running of the malware [19]. This use
of virtualization tools could ensure the security and isolation
of the target system while maintaining the spyware on the
target system’s visibility and transparency. We performed our
experiments on an ideal scale so that generalization to greater
scales was possible.
As mentioned in this paper, malware growth has been rapidly
increasing in recent years, specifically for the Windows plat-
forms. Spyware was one of the most dangerous, mysterious
and shrewd class of malware designed for stealth and long-
term missions in order to locate and steal vital information.
Keyloggers, screen recorders, and blockers are great common
subclasses of spyware and ransomware, which were investi-
gated in this paper. In this paper, we proposed a novel and
efficient method based on the dynamic behavior analysis to
recognize the process and executable files of the spyware
and perform a real-time action to confront them through
deep and transparent hooking of kernel-level system calls.
The proposed method was trained based on three machine
learning algorithms. Furthermore, we presented details of the
implementation of the proposed method including the main
architecture of the anti-spyware system. Finally, real-world
samples of the spyware collected from credible references
were used to evaluate the accuracy of the proposed method
in classifying spyware and its effectiveness in disinfection of
the malware. The results indicated that the accuracy of the
proposed method in detection and elimination of keyloggers
was better than other classes of malware.
[1] T. Huang and Y. Zhao, ‘‘Revolution of securities law in the Internet age:
A review on equity crowd-funding,’’ Comput. Law Secur. Rev., vol. 33,
no. 6, pp. 802–810, 2017.
[2] G. L. White, ‘‘Education and prevention relationships on security incidents
for home computers,’J. Comput. Inf. Syst., vol. 55, no. 3, pp. 29–37, 2015.
[3] L. Boero, M. Cello, M. Marchese, E. Mariconti, T. Naqash, and
S. Zappatore, ‘‘Statistical fingerprint-based intrusion detection
system (SF-IDS),’Int. J. Commun. Syst., vol. 30, no. 10, p. e3225,
[4] J. Yan, Y. Qi, and Q. Rao, ‘‘Detecting malware with an ensemble
method based on deep neural network,’Secur. Commun. Netw., vol. 2018,
Mar. 2018, Art. no. 7247095, doi: 10.1155/2018/7247095.
[5] Kaspersky Lab Report. Accessed: 2017. [Online]. Available: https://usa.
[6] N. Khan, J. Abdullah, and A. S. Khan, ‘‘Defending malicious script attacks
using machine learning classifiers,’Wireless Commun. Mobile Comput.,
vol. 2017, Feb. 2017, Art. no. 5360472, doi: 10.1155/2017/5360472.
[7] S. Arshad, M. A. Shah, A. Wahid, A. Mehmood, H. Song, and
H. Yu, ‘‘SAMADroid: A novel 3-level hybrid malware detection model for
Android operating system,’IEEE Access, vol. 6, pp. 4321–4339, 2018.
[8] Y. Du, J. Wang, and Q. Li, ‘‘An Android malware detection approach using
community structures of weighted function call graphs,’IEEE Access,
vol. 5, pp. 17478–17486, 2017.
[9] E. M. Rudd, A. Rozsa, M. Günther, and T. E. Boult, ‘‘A survey of stealth
malware attacks, mitigation measures, and steps toward autonomous
open world solutions,’IEEE Commun. Surveys Tuts., vol. 19, no. 2,
pp. 1145–1172, 2nd Quart., 2017.
[10] AV-Test IT Security Insstitute. Accessed: 2018. [Online]. Available:
[11] G. Zhao, K. Xu, L. Xu, and B. Wu, ‘‘Detecting APT malware infec-
tions based on malicious DNS and traffic analysis,’IEEE Access, vol. 3,
pp. 1132–1142, 2015.
[12] S. Sun, X. Fu, H. Ruan, X. Du, B. Luo, and M. Guizani, ‘‘Real-time behav-
ior analysis and identification for Android application,’IEEE Access,
vol. 6, pp. 38041–38051, 2018.
[13] I. Ismail, M. N. Marsono, B. M. Khammas, and S. M. Nor, ‘‘Incorporating
known malware signatures to classify new malware variants in network
traffic,’Int. J. Netw. Manage., vol. 25, no. 6, pp. 471–489, 2016.
[14] S. S. M. Chow, L. C. K. Hui, S. M. Yiu, K. P. Chow, and R. W. C. Lui,
‘‘A generic anti-spyware solution by access control list at kernel level,’
J. Syst. Softw., vol. 75, nos. 1–2, pp. 227–234, 2005.
[15] D. Carlin, A. Cowan, P. O’Kane, and S. Sezer, ‘‘The effects of traditional
anti-virus labels on malware detection using dynamic runtime opcodes,’
IEEE Access, vol. 5, pp. 17742–17752, 2017.
[16] S. Y. Yerima, S. Sezer, and I. Muttik, ‘‘High accuracy Android mal-
ware detection using ensemble learning,’IET Inf. Secur., vol. 9, no. 6,
pp. 313–320, 2015.
[17] Symantec. Internet Security Threat Report 2016. Accessed: 2016.
[Online]. Available:
[18] A. G. Ourimi, ‘‘Propose an optimal and transparent framework for auto-
matic malware analysis,’’ M.S. thesis, Dept. Comput. Eng., Iran Univ. Sci.
Technol., Tehran, Iran, 2014.
[19] A. M. Lajevardi, ‘‘Design and implementation of a behavior-based method
for malware detection,’’ M.S. thesis, Dept. Comput. Eng., Iran Univ. Sci.
Technol., Tehran, Iran, 2013.
[20] C. Petzold, Programming Windows, 6th ed. New York, NY, USA:
Microsoft Press, 2013, pp. 489–493 and 1083–1093.
[21] R. Islam, R. Tian, L. M. Batten, and S. Versteeg, ‘‘Classification of malware
based on integrated static and dynamic features,’J. Netw. Comput. Appl.,
vol. 36, no. 2, pp. 646–656, 2013.
[22] S. Gupta and P. Kumar, ‘‘An immediate system call sequence based
approach for detecting malicious program executions in cloud environ-
ment,’Wireless Pers. Commun., vol. 81, no. 1, pp. 405–425, 2014.
[23] J.-W. Jang, J. Woo, A. Mohaisen, J. Yun, and H. K. Kim, ‘‘Mal-
netminer: Malware classification approach based on social network anal-
ysis of system call graph,’Math. Problems Eng., vol. 2015, Aug. 2015,
Art. no. 769624, doi: 10.1155/2015/769624.
[24] P. Wang and Y.-S. Wang, ‘‘Malware behavioural detection and vaccine
development by using a support vector model classifier,’’ J. Comput. Syst.
Sci., vol. 81, no. 6, pp. 1012–1026, 2015.
[25] S. Das, Y. Liu, W. Zhang, and M. Chandramohan, ‘‘Semantics-based
online malware detection: Towards efficient real-time protection against
malware,’IEEE Trans. Inf. Forensics Secur., vol. 11, no. 2, pp. 289–302,
Feb. 2016.
VOLUME 6, 2018 78331
D. Javaheri et al.: Detection and Elimination of Spyware and Ransomware by Intercepting Kernel-Level System Routines
[26] L. Liu, B.-S. Wang, B. Yu, and Q.-X. Zhong, ‘‘Automatic malware clas-
sification and new malware detection using machine learning,’’ Frontiers
Inf. Technol. Electron. Eng., vol. 18, no. 9, pp. 1336–1347, 2017.
[27] C.-H. Lin, H.-K. Pao, and J.-W. Liao, ‘‘Efficient dynamic malware anal-
ysis using virtual time control mechanics,’Comput. Secur., vol. 73,
pp. 359–373, Mar. 2017, doi: 10.1016/j.cose.2017.11.010.
[28] D. Javaheri and M. Hosseinzadeh, ‘‘A framework for recognition and
confronting of obfuscated malwares based on memory dumping and filter
drivers,’’ Wireless Pers. Commun., vol. 98, no. 1, pp. 119–137, 2018.
[29] M. Madou, B. Anckaert, P. Moseley, S. Debray, B. De Sutter, and
K. De Bosschere, ‘‘Software protection through dynamic code mutation,’’
in Proc. 6th Int. Workshop Inf. Secur. Appl., Jeju Island, South Korea, 2005,
pp. 194–206.
[30] W. Ma, P. Duan, S. Liu, G. Gu, and J.-C. Liu, ‘‘Shadow attacks: Automati-
cally evading system-call-behavior based malware detection,’’ J. Comput.
Virology, vol. 8, pp. 1–13, May 2012.
[31] B. Schreiber, Undocumented Windows 2000 Secrets: A Programmer’s
Cookbook. Boston, MA, USA: Addison-Wesley, 2001, pp. 99–100.
[32] Virus Sign Malware Data Base. Accessed: 2016. [Online]. Available:
[33] Adminus Malware Database. Accessed 2018. [Online]. Available:
[34] P. Silberschatz, B. Galvin, and G. Gagne, Operating System Concepts,
9th ed. Hoboken, NJ, USA: Wiley, 2013, pp. 587–588 and 613–614.
[35] A. S. Tanenbaum and H. Bos, Modern Operating Systems, 4th ed.
Upper Saddle River, NJ, USA: Pearson Hall, 2015, pp. 119–120.
DANIAL JAVAHERI received the B.Sc. and
M.Sc. (Hons.) degrees in computer engineering
from Islamic Azad University (IAU), Borujerd,
in 2012 and 2014, respectively, and the Ph.D.
degree with a total average of 19.88 in computer
engineering-software systems from the Science
and Research Branch, Islamic Azad University,
Tehran, Iran. For several years, he has researched
software security, network forensic, and malware
analysis. He teaches computer engineering courses
at IAU as a lecturer. In 2015, he joined the Cyber Security Research Center,
IAU, as a Software Security Specialist, and he succeeded to release several
publications including journal and conference papers and a book in the field
of network security and malware analysis. He has received two prizes from
the Iran’s National Elites Foundation 2018.
degree in computer hardware engineering from the
Islamic Azad University, Dezful, Iran, in 2003,
the M.Sc. and Ph.D. degrees in computer sys-
tem architecture from the Science and Research
Branch, Islamic Azad University, Tehran, Iran,
in 2005 and 2008, respectively. He is currently
an Associate Professor with the Iran University
of Medical Sciences, Tehran, Iran. His research
interests are information technology, data mining,
big data analytics, e-commerce, e-marketing, and social networks.
AMIR MASOUD RAHMANI received the B.Sc.
degree in computer engineering from Amir Kabir
University, Tehran, in 1996, the M.Sc. degree in
computer engineering from the Sharif University
of Technology, Tehran, in 1998, and the Ph.D.
degree in computer engineering from Islamic Azad
University (IAU), Tehran, in 2005. He is currently
a Professor with the Department of Computer
Engineering, IAU. He is the author/co-author of
more than 190 publications in technical journals
and conferences. His research interests are in the areas of distributed systems,
ad hoc, wireless networks, and evolutionary computing.
78332 VOLUME 6, 2018
... Previous techniques have been based on either static or dynamic approaches including methods such as Application Programming Interface (API) hooking [4,5,6,7,8,9,11,17,18], patching the OS service dispatcher [4,16], discovering API calling sequences [2,14,15,16,17] O.S. Kernel System Service Dispatcher Table (SSDT) patching [3,4,5,6,14] and Intel Pin [10]. Some unorthodox methods such as malware detection via image code have also been presented in the past [12]. ...
... Previous techniques have been based on either static or dynamic approaches including methods such as Application Programming Interface (API) hooking [4,5,6,7,8,9,11,17,18], patching the OS service dispatcher [4,16], discovering API calling sequences [2,14,15,16,17] O.S. Kernel System Service Dispatcher Table (SSDT) patching [3,4,5,6,14] and Intel Pin [10]. Some unorthodox methods such as malware detection via image code have also been presented in the past [12]. ...
Most modern-day malware detection methods and algorithms are based on prior knowledge of malware specifications. Discovering new malwares by solely relying on computer based automatic solutions with no human intervention currently appears out of reach. Many malwares never decode harmful parts of their code until the triggering of a specific event. Others detect virtual machine or sandbox environments and hide their true nature. Detecting these kinds of malwares-specifically multi evented ones-are nearly impossible for fully automatic detection methods. Previous research found that about 75% of malwares studied did not react in a fully automatic environment without user intervention thus being undetectable. This paper introduces a near automated solution to detect malwares quickly by relying on a supervision and control method based on user level capabilities of the operating system. Improving on previous methods, this research can replace the need for debugging new malwares in almost all aspects. This solution forces malwares in automated environments to activate and be discoverable. Researcher intervention during malware code execution along with the malware’s intent over calling sensitive operating system functions and parameters aid this process. Since operating system functions are virtualized malwares are incapable of physically harming the system during execution. The solution reached 98% overall accuracy in conjunction with reducing code size by 80% in comparison with similar techniques, improving simplicity and reliability.
... Spyware: Spyware software that collects data without the consent or knowledge of the computer user. Spyware is used to violate the privacy of personal information by recording the keys that the user presses on the keyboard, keeping track of the web pages viewed, scanning the data on the hard disk, and monitoring the searches made on the Internet [72]. As a result, illegal actions such as stealing people's email and bank passwords or creating "personal advertising" pop-ups, spam, and consuming network and system resources of the computer reduce the viewing speed of web pages or cause a general slowdown of the computer. ...
Full-text available
Internet usage has grown exponentially, with individuals and companies performing multiple daily transactions in cyberspace rather than in the real world. The coronavirus (COVID-19) pandemic has accelerated this process. As a result of the widespread usage of the digital environment, traditional crimes have also shifted to the digital space. Emerging technologies such as cloud computing, the Internet of Things (IoT), social media, wireless communication, and cryptocurrencies are raising security concerns in cyberspace. Recently, cyber criminals have started to use cyber attacks as a service to automate attacks and leverage their impact. Attackers exploit vulnerabilities that exist in hardware, software, and communication layers. Various types of cyber attacks include distributed denial of service (DDoS), phishing, man-in-the-middle, password, remote, privilege escalation, and malware. Due to new-generation attacks and evasion techniques, traditional protection systems such as firewalls, intrusion detection systems, antivirus software, access control lists, etc., are no longer effective in detecting these sophisticated attacks. Therefore, there is an urgent need to find innovative and more feasible solutions to prevent cyber attacks. The paper first extensively explains the main reasons for cyber attacks. Then, it reviews the most recent attacks, attack patterns, and detection techniques. Thirdly, the article discusses contemporary technical and nontechnical solutions for recognizing attacks in advance. Using trending technologies such as machine learning, deep learning, cloud platforms, big data, and blockchain can be a promising solution for current and future cyber attacks. These technological solutions may assist in detecting malware, intrusion detection, spam identification, DNS attack classification, fraud detection, recognizing hidden channels, and distinguishing advanced persistent threats. However, some promising solutions, especially machine learning and deep learning, are not resistant to evasion techniques, which must be considered when proposing solutions against intelligent cyber attacks.
... Casus yazılımlar: Parolalar ve finansal bilgiler gibi önemli ve değerli verileri sahiplerinin izni olmadan toplayan ve bunları saldırgana gönderen gizli bir kötü amaçlı yazılımdır. Casus yazılımlar, gizlilik ve dayanıklılık için tasarlanmış en tehlikeli ve gizemli kötü amaçlı yazılım sınıflarından biridir (Javaheri et al., 2018). ...
Full-text available
Günümüzde teknoloji sağlık sektöründe yaygın olarak kullanılmakta ve teknolojide yaşanan gelişmeler sağlık hizmeti sunucularına ve hastalara sayısız kolaylık sağlayarak; insan hayatını koruma, uzatma, kurtarma ve iyileştirme imkânı sunabilmektedir. Ancak sağlık hizmetlerinin klinik verilerden, klinik referanslardan, yayınlardan, web ve sosyal ağlardan, akışlı verilerden, genomik verilerden, işletme, organizasyonel ve harici verilerden elde edilen zengin içerikli büyük veriye sahip bir sektör olması ve teknolojinin her alanda kullanılması sağlık sektörünü siber saldırıların hedefi haline getirmektedir. Siber saldırı, kötü niyetli kişi veya gruplar tarafından çeşitli amaçlar doğrultusunda sistemin açıklarını kullanarak ya da çeşitli yazılımlardan faydalanarak kurumların sistemlerine girilmesi, bilgilerin elde edilmesi, değiştirilmesi, bozulması, hizmetin engellenmesi, cihazların işlevsiz hale getirilmesi gibi işlemlerin tümü olarak tanımlanmaktadır (Aydın, 2022). Siber saldırıların çeşitleri ve uygulamaları her geçen gün değişmekte ve yakın gelecekte daha yıkıcı etkilerle kendini göstereceği düşünülmektedir (Hatipoğlu & Tunacan, 2021). Siber saldırıların artışı sağlık sektörü için özellikle de hastaneler için büyüyen bir tehdittir. Sağlık sektörünün, sahip olduğu bu verileri korumaya yönelik çalışmalarda diğer sektörlere göre geride kaldığı ve siber güvenlik konusunda henüz yeterli bir aşamaya gelmediği görülmektedir (Kruse et al., 2017). Yaşanan bu siber saldırılar finansal kayıplara, itibar kaybına, hasta güveninin azalmasına, sağlık hizmeti sunumunun engellenmesine ve hatta ölümlere neden olabileceğinden sağlık kuruşları iş süreçlerinin kesintiye uğramasını göze alamaz (Coventry & Branley, 2018; Kruse et al., 2017). Bu nedenle siber güvenlik konusunda gerekli tedbirlerin alınması, yatırımların yapılması ve bu süreçlerin özenle yürütülmesi önemlilik arz etmektedir. Buradan hareketle çalışmanın amacı sağlık sektöründe yaşanan siber saldırılara ve bunların oluşturduğu zararlara dikkat çekmek, siber güvenliğe ilişkin farkındalık oluşturmaktır. Bu amaçla konu ile ilgili pubmed, google scholar, doaj, ieee xplore digital library, sciencedirect, researchgate gibi veri tabanlarında yer alan çalışmalar, kitap kaynakları, kurum raporları ve internet haberleri incelenmiştir.
... Recent advances in wireless technologies, easy access to radio interfaces, and other equipment such as positioning systems, sensors, and microcomputers, lead to the production of smart and small flying vehicles, especially unmanned aerial vehicles (UAVs) that form a new network called a flying ad hoc network (FANET) [28,31]. In general, a flying ad hoc network consists of a group of UAVs that cooperate with each other and communicate without any infrastructure to perform a specific task without human intervention [32,33]. In FANETs, all UAVs can establish UAV-to-UAV communication and only a small number of UAVs can communicate with the ground station (GS) [34,35]. ...
Full-text available
In recent years, flying ad hoc networks have attracted the attention of many researchers in industry and universities due to easy deployment, proper operational costs, and diverse applications. Designing an efficient routing protocol is challenging due to unique characteristics of these networks such as very fast motion of nodes, frequent changes of topology, and low density. Routing protocols determine how to provide communications between drones in a wireless ad hoc network. Today, reinforcement learning (RL) provides powerful solutions to solve the existing problems in the routing protocols, and designs autonomous, adaptive, and self-learning routing protocols. The main purpose of these routing protocols is to ensure a stable routing solution with low delay and minimum energy consumption. In this paper, the reinforcement learning-based routing methods in FANET are surveyed and studied. Initially, reinforcement learning, the Markov decision process (MDP), and reinforcement learning algorithms are briefly described. Then, flying ad hoc networks, various types of drones, and their applications, are introduced. Furthermore, the routing process and its challenges are briefly explained in FANET. Then, a classification of reinforcement learning-based routing protocols is suggested for the flying ad hoc networks. This classification categorizes routing protocols based on the learning algorithm, the routing algorithm, and the data dissemination process. Finally, we present the existing opportunities and challenges in this field to provide a detailed and accurate view for researchers to be aware of the future research directions in order to improve the existing reinforcement learning-based routing algorithms.
Full-text available
Air pollution has changed ecosystem and atmosphere. It is dangerous for environment, human health, and other living creatures. This contamination is due to various industrial and chemical pollutants, which reduce air, water, and soil quality. Therefore, air quality monitoring is essential. Flying ad hoc networks (FANETs) are an effective solution for intelligent air quality monitoring and evaluation. A FANET-based air quality monitoring system uses unmanned aerial vehicles (UAVs) to measure air pollutants. Therefore, these systems have particular features, such as the movement of UAVs in three-dimensional area, high dynamism, quick topological changes, constrained resources, and low density of UAVs in the network. Therefore, the routing issue is a fundamental challenge in these systems. In this paper, we introduce a Q-learning-based routing method called QFAN for intelligent air quality monitoring systems. The proposed method consists of two parts: route discovery and route maintenance. In the part one, a Q-learning-based route discovery mechanism is designed. Also, we propose a filtering parameter to filter some UAVs in the network and restrict the search space. In the route maintenance phase, QFAN seeks to detect and correct the paths near to breakdown. Moreover, QFAN can quickly identify and replace the failed paths. Finally, QFAN is simulated using NS2 to assess its performance. The simulation results show that QFAN surpasses other routing approaches with regard to end-to-end delay, packet delivery ratio, energy consumption, and network lifetime. However, communication overhead has been increased slightly in QFAN.
“Crypto ransomware is defined as malware that blocks the user file’s access by encrypting them and demands them with a ransom for obtaining the decryption key”. This causes some major threats in many of the companies. Therefore, the detection of ransomware is needful for reducing the workloads of the analysts and also for finding the variations in unknown samples. The adopted scheme encompasses 3 phases: (i) feature extraction, (ii) feature selection and (iii) classification. Initially, the sequential frequent patterns are extracted using the apriori framework. However, the major challenge in this extracted sequential pattern is the curse of dimensionality. To overcome this, the selection of optimal features is very important, which is done as the second stage. In this, the optimization concept is evolved for the optimal selection of these extracted sequential patterns. Furthermore, the optimal patterns are given for classification, where DBN is deployed. Particularly, for the selection of the optimal sequential pattern, this work proposes a new crow search with adaptive awareness probability (CS-AAP) model. In the end, analysis is performed to authorize the supremacy of the developed scheme.
A methodological approach that allows automating and systematizing the manifestations of the effect of information security from leaks through technical transmission channels was proposed. The probabilistic model of threat execution has been supplemented. It makes it possible, on the basis of the proposed software (SW), to involve several experts to assess the relevance of threats of information leakage through technical channels for information transfer (TCIT) in the context of dynamic improvement of technical means of intelligence (TMI). The developed software in combination with software designed to assess the risks of information loss will allow a comprehensive assessment of the degree of security of TCIT companies. The developed software helps to reduce the cost of conducting highly specialized research in matters related to assessing the relevance of the threats of leakage of information on TCIT in the context of dynamic improvement of the TMI.KeywordsInformation leaksThreat assessmentCalculations automationTechnical channels of information transferInformation security
The emergence of networking systems and quick deployment of applications cause huge increase in cybercrimes which involves various applications like phishing, hacking, and malware propagation. However, the Ransomware techniques utilize certain device which may lead to undesirable properties which might shrink the paying‐victim pool. This paper devises a new method, namely Water Moth Flame optimization (WMFO) and deep recurrent neural network (Deep RNN) for determining Ransomware. Here, Deep RNN training is done with WMFO, and is developed by combining Moth Flame optimization (MFO) and Water wave optimization (WWO). Moreover, features are mined with opcodes and by finding term frequency‐inverse document frequency (TF‐IDF) amongst individual features. Moreover, Probabilistic Principal Component Analysis (PPCA) is adapted to choose significant features. These features are adapted in Deep RNN for classification, wherein the proposed WMFO is employed to produce optimum weights. The WMFO offered enhanced performance with elevated accuracy of 95.025%, sensitivity of 95%, and specificity of 96%.
Full-text available
The number of applications based on the Android platform is increasing rapidly now. However, as the supervision and review of Android applications are inadequate, a reasonable chance exists that users will download malware. This malware can lead to information leakage, monetary loss, and other damages. At present, a variety of applications exist for detecting malware, but most of these applications cannot show specific malicious behaviors. Moreover, the operation of this detection software is based on the database of viruses, and thus, it cannot identify unknown malware. To solve these problems, we implemented a system to detect the behaviors of Android applications and identify known or unknown malware. Our system can monitor specified applications utilizing loading a kernel module. After the detection process, the related documents are uploaded to the server, and the dynamic behaviors are reconstructed. As a result, a behavior diagram is generated. In addition, if the user needs to know whether the application is malware, the related Android package is sent to the server and analyzed. Then, the server calculates the results and the results are returned to the client.
Full-text available
Malware detection plays a crucial role in computer security. Recent researches mainly use machine learning based methods heavily relying on domain knowledge for manually extracting malicious features. In this paper, we propose MalNet, a novel malware detection method that learns features automatically from the raw data. Concretely, we first generate a grayscale image from malware file, meanwhile extracting its opcode sequences with the decompilation tool IDA. Then MalNet uses CNN and LSTM networks to learn from grayscale image and opcode sequence, respectively, and takes a stacking ensemble for malware classification. We perform experiments on more than 40,000 samples including 20,650 benign files collected from online software providers and 21,736 malwares provided by Microsoft. The evaluation result shows that MalNet achieves 99.88% validation accuracy for malware detection. In addition, we also take malware family classification experiment on 9 malware families to compare MalNet with other related works, in which MalNet outperforms most of related works with 99.36% detection accuracy and achieves a considerable speed-up on detecting efficiency comparing with two state-of-the-art results on Microsoft malware dataset.
Full-text available
The arms race between distributors of malware and those seeking to provide defenses has so far favored the former. Signature detection methods have been unable to cope with the onslaught of new binaries aided by rapidly developing obfuscation techniques. Recent research has focused on the analysis of low-level opcodes, both static and dynamic, as a way to detect malware. Although sometimes successful at detecting malware, static analysis still fails to unravel obfuscated code, whereas dynamic analysis can allow researchers to investigate the revealed code at runtime. Research in the field has been limited by the underpinning datasets; old and inadequately sampled malware can lessen the extrapolation potential of such datasets. The main contribution of this paper is the creation of a new parsed runtime trace dataset of over 100,000 labeled samples, which will address these shortcomings, and we offer the dataset itself for use by the wider research community. This dataset underpins examination of the run traces using classifiers on count-based and sequence-based data. We find that malware detection rates are lessened when samples are labeled with traditional AV labels. Neither count-based nor sequencebased algorithms can sufficiently distinguish between AV label classes. Detection increases when malware is re-classed with labels yielded from unsupervised learning. With sequenced-based learning, detection exceeds that of labeling as simply ‘malware’ alone. This approach may yield future work where triaging of malware can be more effective.
Full-text available
In this paper obfuscation techniques used by novel malwares presented and compared. IAT smashing, string encryption and dynamic programing are explained in static methods and hooking at user and kernel level of OS with DLL injection, modifying of SSDT and IDT table addresses, filter IRPs, and possessor emulation are techniques in dynamic methods. This paper suggest Approach for passing through malware obfuscation techniques. In order that it can analyze malware behaviors. Our methods in proposed approach are detection presence time of a malware at user and kernel level of OS, dumping of malware executable memory at correct time and precise hook installing. Main purpose of this paper is establishment of an efficient platform to analyze behavior and detect novel malwares that by use of metamorphic engine, packer and protector tools take action for obfuscation and metamorphosis of themself. At final, this paper use a dataset embeds different kind of obfuscated and metamorphic malwares in order to prove usefulness of its methods experiments. Show that proposed methods can confront most malware obfuscation techniques. It evaluated success rate to unpacking, obfuscated malwares and it shows 85% success rate to recognize kernel level malwares.
Full-text available
With the development of code obfuscation and application repackaging technologies, an increasing number of structural information-based methods have been proposed for malware detection. Although many offer improved detection accuracy via a similarity comparison of specific graphs, they still face limitations in terms of computation time and the need for manual operation. In this paper, we present a new malware detection method that automatically divides a function call graph into community structures. The features of these community structures can then be used to detect malware. Our method reduces the computation time by improving the Girvan-Newman (GN) algorithm and using machine learning classification instead of a similarity comparison of subgraphs. To evaluate our method, 5040 malware samples and 8750 benign samples were collected as an experimental dataset. The evaluation results show that the detection accuracy of our method is higher than that of three well-known anti-virus software and two previous control flow graph-based methods for many malware families. The runtime performance of our method exhibits a clear improvement over the GN algorithm for community structure generation.
Full-text available
The web application has become a primary target for cyber criminals by injecting malware especially JavaScript to perform malicious activities for impersonation. Thus, it becomes an imperative to detect such malicious code in real time before any malicious activity is performed. This study proposes an efficient method of detecting previously unknown malicious java scripts using an interceptor at the client side by classifying the key features of the malicious code. Feature subset was obtained by using wrapper method for dimensionality reduction. Supervised machine learning classifiers were used on the dataset for achieving high accuracy. Experimental results show that our method can efficiently classify malicious code from benign code with promising results.
For the last few years, Android is known to be the most widely used operating system and this rapidly increasing popularity has attracted the malware developer’s attention. Android allows downloading and installation of apps from other unofficial market places. This gives malware developers an opportunity to put repackaged malicious applications in third-party app-stores and attack the Android devices. A large number of malware analysis and detection systems have been developed which uses static analysis, dynamic analysis or hybrid analysis to keep Android devices secure from malware. However, the existing research clearly lags in detecting malware efficiently and accurately. For accurate malware detection, multilayer analysis is required which consumes large amount of hardware resources of resource constrained mobile devices. This research proposes an efficient and accurate solution to this problem, named SAMADroid, which is a novel 3-level hybrid malware detection model for Android operating systems. The research contribution includes multiple folds. Firstly, many of the existing Android malware detection techniques are thoroughly investigated and categorized on the basis of their detection methods. Also, their benefits along with limitations are deduced. A novel 3-level hybrid malware detection model for Android operating systems is developed, that can provide high detection accuracy by combining the benefits of the three different levels: i) Static and Dynamic Analysis; ii) Local and Remote Host; iii) Machine Learning Intelligence. Experimental results show that SAMADroid achieves high malware detection accuracy by ensuring the efficiency in terms of power and storage consumption.
Efficient detection of stealthy malware attacks in suspicious files is very challenging as dynamic malware analysis is time consuming. This paper proposes a virtual time control mechanics-based method to overcome the challenge. The proposed method utilizes a modified Xen hypervisor, in which a virtual clock source is generated according to a predefined speed ratio, such that sandbox systems running on the modified hypervisor can be accelerated. Thus, it does not modify operating system kernels nor intercept system function calls, and is therefore compatible with various operating systems. Further, it utilizes an entropy-based measure that adjusts its execution time according to various malware inputs as an early termination criterion. The results of experiments conducted to verify the efficacy of the proposed method indicate that it speeds up the system timer and significantly increases the logged record size by up to 42% or obtains the same log size within a shorter period compared with conventional sandboxes. Thus, the proposed virtual time control mechanics-based method efficiently detects nontrivial anomalous codes that may be neglected by conventional sandboxing techniques.
The explosive growth of malware variants poses a major threat to information security. Traditional anti-virus systems based on signatures fail to classify unknown malware into their corresponding families and to detect new kinds of malware programs. Therefore, we propose a machine learning based malware analysis system, which is composed of three modules: data processing, decision making, and new malware detection. The data processing module deals with gray-scale images, Opcode n-gram, and import functions, which are employed to extract the features of the malware. The decision-making module uses the features to classify the malware and to identify suspicious malware. Finally, the detection module uses the shared nearest neighbor (SNN) clustering algorithm to discover new malware families. Our approach is evaluated on more than 20 000 malware instances, which were collected by Kingsoft, ESET NOD32, and Anubis. The results show that our system can effectively classify the unknown malware with a best accuracy of 98.9%, and successfully detects 86.7% of the new malware.
Along with the development and prevalence of Internet technology, a new financing model – equity crowd-funding – has been rising rapidly in recent years. Against this background, it becomes an important global topic in the field of securities law about how to balance both policy agendas of investor protection and capital formation. By referring to the JOBS Act in the US as a typical example, it is suggested in this article that modern securities law is making an active response to the demand of equity crowd-funding development. Besides expanding the application space of small issues exemption rules, securities law is also going beyond the traditional conceptual division between public and private offerings by introducing a brand-new system of equity crowd-funding exemption.