When Nakamoto proposed blockchain for the realization of Bitcoin in his 2008 publication, could he have known that it would facilitate quick and accurate detection of malware? Perhaps he knew; perhaps he did not. But whatever the case, blockchain has become not only the fundamental technology for cryptocurrencies but one whose application has expanded into other fields. Due to its decentralization, persistence, anonymity and auditability, blockchain is fast becoming a reliable technology for detecting malware quickly and accurately.
In addition to being a programming threat vector, malware continues to evolve with technological innovation. It has continued to put cybersecurity analysts on edge because in many cases, it is very difficult to detect. In fact, there is always a new malware that will elude the traditional detection methods, and have cybersecurity analysts search desperately for an effective method for detecting it. Moreover, as malware continues to target IoT equipment, its detection couldn’t be a more major concern.
What are the drawbacks of traditional malware detection methods?
Signature-based method of malware detection matches the signature of a malware to a database of known malware signatures. The signature of a malware are the features of the malware that have been encoded in a hash value (or a sequence of bytes). When the signature of the file under inspection matches the signature of any known and classified malware in the database, the file is declared a malware. However, this method is incapable of detecting a new malware, one that has not been witnessed or classified in the past.
Behavior-based method of malware detection inspects the behavior of a file in order to classify it as malware or not. It checks the system resources, connection access and other programs that the file under inspection employs. While the file is running, a behavior-based method of malware detection checks the system calls that the file makes for malicious activities. Although a behavior-based method is good at detecting polymorphic malware (one that keeps generating variants), they are fond of producing high false positive ratio (FPR) since a benign file is capable of making similar system calls like a malware.
Heuristic method of malware detection uses machine language instruction and API call sequence issued to operating systems to detect a malware. It uses machine learning and data mining techniques to gather information on the behavior of a file. As a result, it is effective at detecting new malware, identifying the behavior of a malware in a specific environment, and protecting against polymorphic malware attacks. However, just like behavior-based method of malware detection, heuristic method of malware detection has the propensity of producing high FPR.
How does blockchain minimize the rate of FPR in malware detection?
Blockchain has birthed a new innovative method of malware detection that is based on community sharing of suspected malware files signatures. This novel blockchain method allows the users in a blockchain network to share signatures of suspected files among one another in order to rapidly respond to increasing malware threats.
Jingjing et al demonstrated this method of malware detection when they used Consortium Blockchain for Malware Detection and Evidence Extraction (CB-MDEE) to detect and classify malware for mobile devices. The system consisted of a public blockchain (PB) and a consortium blockchain (CB). Users on the public blockchain used a multi-feature model created from sensitive behavior graphs and installation packages to detect and classify malware. The users stored the classified malware on the public blockchain for subsequent malware detection and classification.
The information on different malware that is stored on the public blockchain enabled the members on the consortium blockchain to create a fact-base for updating the database of malware signatures. Subsequently, the signature of any suspected malware file could be compared to the database for malicious possibility. During the experiment, the CB-MDEE achieved a classification accuracy of 94% for android malware.
Another demonstration of the blockchain method of malware detection was by Roman et al. In an experiment, they proposed a similar system similar to that of Jingjing et al, only that in this case the system could classify and manage cybersecurity incident reports using blockchain technology. The system allowed cybersecurity experts to enter cybersecurity incident reports. Thereafter, the system classified and returned past similar incident reports. Due to the fact that the system was automatic in classifying and managing reports, it enabled cybersecurity experts to adopt suitable countermeasures very quickly.
In the experiment to validate the effectiveness of the system, 5,850 training documentations and 584 test documents were used: A true positive rate of 0.991 and a false positive rate of only 0.059 were achieved. The result showed that blockchain has a huge promise for accurate malware detection.
How can voting reduce FPR in the blockchain method of malware detection?
Imagine if users on a blockchain have different malware detection systems—for example, behavior-based or heuristic methods of malware detection. Now imagine if the users can share their detection results as votes on the blockchain for future use. This will allow them to detect and eliminate malware very easily and quickly by combining the results from their own malware detection system with the votes of other users that are stored on the blockchain.
The goal is to have on a blockchain network users who use either behavior-based or heuristic methods of malware detection. When any of the users downloads an executable suspected malware file, they first use either of the known methods of malware detection to evaluate the file for malicious possibility. After that the user sends the hash value of the suspected malware file to the blockchain network for documentation.
When another user downloads the same file elsewhere, they can first check whether the file hash value already exists on the blockchain as suspected malware file identity. If the hash value does exist, the user can use their own behavior-based or heuristic methods of malware detection to evaluate the file for malicious characteristics. The user then sends the results—whether malicious or benign—as a vote to the blockchain network. Based on the votes and the user’s own malware assessment, the user can decide whether to keep or remove the suspected file.
To demonstrate this, Fuji et al, in an experiment, assumed that the users on a blockchain network installed either heuristic or behavior-based malware detection systems in order to guarantee the accuracy of the hash value of any executable file and the vote thereof. They used Ethereum blockchain for the simulation. However, they also established that this novel way of detecting malware could be executed on any blockchain that allows smart contracts. The system that Fuji et al proposed achieved an improved true positive rate and low false positive rate compared to previous similar systems.
Fig. 1. Flowchart of Vote-based Blockchain malware detection system
Due to the decentralization of a blockchain network, users can share suspected malware signatures among one another without the intervention of any central organization, like antivirus vendors. In addition to that, users can update themselves in real time on the latest malware in town. Thanks to the auditability of a blockchain network, users can at last stay ahead of any malware threat.