Automatic extraction and integration of behavioural indicators of malware for protection of cyber–physical networks

Conventional isolated cyber–physical systems (CPS) based industrial networks are increasingly being integrated with modern corporate information technology (IT) network. Therefore, cyber-attacks on CPS are increasing enormously and this could result in a massive damage to the machines themselves or the humans who interact with them. Malware has been one of the major source of attacks and threats to the CPS networks and computer systems. The high growth and the variety of malware variants such as Internet worms, Trojan horses and computer viruses requires periodic update of the database. Traditional malware system fulfil this requirement by manual effort from the experts though signature generation. However manual update could result into potential drawback for integrity and availability of services provided by CPS systems and protection in real-time. Machine learning technique is a natural choice to address the malware challenge for CPSs, since it can easily model and discover the underlying patterns from large-scale data sets. This paper introduces intelligent models and algorithms that can extract behavioural features and inherent attack patterns from the existing malware data, then integrates the behavioural indicators into the detection system. The main contribution of the paper is that the proposed models do not require periodic manual effort to update the database of the detection engine. We have introduced semi-supervised models using unsupervised learning including independent component analysis (ICA), global K-means clustering and multivariate exponentially weighted moving average (MEWMA) for extracting behavioural indicators which clusters the malware. Then the extracted geometric information of the clusters and hoteling T2 of the behavioural indicators from MEWMA are incorporated into the database of existing detection system which are used with support vector machine (SVM) based supervised system. This enables the detection system to update the dynamic behavioural patterns of new malware automatically. The performances of developed semi-supervised models have been verified using malware data for both static and dynamic characteristics of malware. The summary of our experimental results demonstrate that the combination of unsupervised and supervised learning can successfully extracts behavioural indicators automatically from new malware. Performance comparison from experimental results summarize that the semi-supervised models can detect more accurately than the existing supervised models where accuracies are increased up to 100% for SVM and random forest based semi-supervised models.