Advances in artificial intelligence and Internet of Things (IoT) technologies have rapidly increased the amount of data collected and generated in real time. Cloud computing, which provides high-performance computation for storing and processing vast amounts of data, is becoming more important in the era of the Fourth Industrial Revolution, as the number of devices connecting to cloud servers grows exponentially.
Traditional cloud computing operates centrally, so network congestion rises and data transmission speeds fall as data volumes grow. Furthermore, cloud servers have limited traffic-handling capacity, which results in longer service response times or even service interruptions.
To address these transmission and processing delays, fog computing, which adds a fog layer to the existing cloud computing environment, has been introduced. Fog computing uses distributed processing to reduce the computing load on cloud servers and minimizes network delays by processing data closer to where it is generated.
The cloud computing environment, which interacts with various devices, holds sensitive data such as financial and personal information. Consequently, individual devices become targets for various attacks aimed at exploiting their security vulnerabilities.
Although there have been studies on detecting malware originating from various devices to protect the cloud computing environment from cyber threats, these studies often focus on detection in a single layer or apply the same detection model across multiple layers. Such an approach makes it difficult to detect variant and obfuscated malware quickly and accurately.
Therefore, this study proposes an active triple malware detection (AcTiM) model, which applies a different detection method in each of three layers to ensure a secure cloud computing environment with a low false-negative rate. First, in the device layer, the AcTiM model rapidly detects known malware based on the hash of the executable file. Executables that this primary detection classifies as unknown or benign are sent to the fog layer, where the AcTiM model determines whether the file is obfuscated based on its entropy. The model then extracts five types of static features from non-obfuscated executables through static analysis and detects variant malware that shares structural patterns with known samples. Finally, the cloud layer performs dynamic analysis on the executables that the fog layer predicted as benign and on the obfuscated executables, extracts dynamic features describing the behavior of each executable, and detects obfuscated malware based on those features.
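The following is an added example, not the paper's code, that reimplements the escalation logic of the three-layer pipeline described above: a hash lookup in the device layer, a Shannon-entropy check in the fog layer that routes likely packed or encrypted files straight to dynamic analysis, and a static classifier for the remaining files. The choice of SHA-256, the 7.0 bits/byte entropy threshold, the stand-in static classifier, and the sample byte strings are all assumptions made for this illustration; the paper does not specify them, and the cloud layer's dynamic analysis is represented only as a disposition.

```python
"""Added example of the device -> fog -> cloud triage flow. Not the paper's code.
Hash algorithm, entropy threshold, static classifier and samples are assumptions."""
import hashlib
import math
from collections import Counter

# Assumption: packed/encrypted payloads typically approach 8 bits/byte, so
# anything at or above this threshold is treated as obfuscated.
ENTROPY_THRESHOLD = 7.0


def sha256_hex(data: bytes) -> str:
    """Device-layer identifier for a file (assumption: the known-malware list is keyed by SHA-256)."""
    return hashlib.sha256(data).hexdigest()


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte: 0.0 for empty or
    single-valued input, 8.0 for a uniform byte distribution."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def triage(data: bytes, known_hashes, static_classifier, threshold=ENTROPY_THRESHOLD):
    """Run the layered escalation and return (layers_visited, verdict).

    verdict is 'known_malware' (device layer hash hit), 'variant_malware'
    (fog-layer static model) or 'needs_dynamic_analysis' (obfuscated, or
    statically benign; the cloud layer's dynamic analysis is out of scope here).
    """
    layers = ["device"]
    if sha256_hex(data) in known_hashes:
        return layers, "known_malware"          # fast path: no further analysis
    layers.append("fog")
    if shannon_entropy(data) >= threshold:
        layers.append("cloud")                  # static features are unreliable on packed code
        return layers, "needs_dynamic_analysis"
    if static_classifier(data):
        return layers, "variant_malware"        # structural similarity to known samples
    layers.append("cloud")                      # statically benign still gets behavioral check
    return layers, "needs_dynamic_analysis"


# Constructed sample inputs (not real malware); the "MZ" prefix just mimics a PE header.
SAMPLE_KNOWN = b"MZ\x90\x00" + b"known-sample-body" * 8
SAMPLE_PLAIN = b"MZ\x90\x00" + b"benign text padding " * 16
SAMPLE_VARIANT = b"MZ\x90\x00" + b"benign text padding " * 8 + b"SUSPICIOUS_IMPORT"
SAMPLE_PACKED = bytes(range(256)) * 4           # uniform bytes: entropy exactly 8.0

# Constructed device-layer blocklist containing only the "known" sample.
KNOWN_MALWARE_SHA256 = {sha256_hex(SAMPLE_KNOWN)}


def demo_static_classifier(data: bytes) -> bool:
    """Hypothetical stand-in for the paper's five-feature static model: flags a marker substring."""
    return b"SUSPICIOUS_IMPORT" in data


if __name__ == "__main__":
    for name, sample in [("known", SAMPLE_KNOWN), ("plain", SAMPLE_PLAIN),
                         ("variant", SAMPLE_VARIANT), ("packed", SAMPLE_PACKED)]:
        layers, verdict = triage(sample, KNOWN_MALWARE_SHA256, demo_static_classifier)
        print(f"{name:8s} entropy={shannon_entropy(sample):.2f} layers={layers} verdict={verdict}")
```

The entropy gate is what keeps the fog layer's static model from being fed packed code whose structural features say nothing about the original program; lowering the threshold sends more files to the costlier cloud stage, raising it lets more obfuscated samples reach a classifier that was not trained on them.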
In malware detection, the AcTiM model achieved an accuracy of 94.78%, a recall of 0.9794, a precision of 0.9535, and an F1-score of 0.9663. The AcTiM model accurately detected known, variant, and obfuscated malware through a sequential detection process across the three layers, outperforming existing malware detection models. Additionally, comparative analyses with various anti-virus engines confirmed the AcTiM model's effectiveness and its ability to generalize across different types of malware.