
Abstract

Recently, many cases of malware attack have been reported, and again they have caused a lot of negative impact, such as loss of money, freezing of company operations and decreased productivity, to many organizations. The Trojan is one example of malicious code, originally created to attempt an attack on any service or device. On 24th December 2012, a Trojan called Zeus was involved in numerous DDoS attempts and an attack on Ascent Builder which caused a loss of more than $900,000 USD. Prior to the study conducted, the Trojan horse had been chosen as the domain for this research paper. Despite in-depth study and investigation of Trojan horse classification, not much research related to the Trojan horse has been done. Therefore, in this research paper, a new Trojan horse classification is presented using an ontology approach. This research will later be used as a basis to build a new model to detect Trojan horses efficiently. The proposed method is static and dynamic analysis, used to understand the behaviour of the Trojan, followed by an ontology approach to classify the dataset and transform it into understandable data.

1.0 INTRODUCTION

1.1 BACKGROUND

The Trojan is one of the malicious codes that has attempted attacks on users' computers for more than a decade. It first appears to be useful software but actually does damage once installed or run on the computer. The statistics taken from Malaysia Cyber Security (2013) for January to October 2013 (Figure 1) show that three types of major security incident are most often reported: fraud with 47.2%, followed by intrusion with 27.2% and malicious code with 17.1%, out of 9,369 reported incidents. A study by the Ponemon Institute (2013) provides an estimate of the economic impact of cybercrime: the average cost to resolve a single attack may total more than $1 million USD. A Trojan can remotely control the victim's devices, such as a computer or tablet, and steal confidential information such as usernames, passwords and credit card numbers, or delete files from them (Mangrae, 2006). In contrast with worms, viruses and other malicious code, it has the ability to steal the victim's information without being noticed, and it does not replicate itself (Saudi, 2008). Furthermore, as time goes by, Trojans keep changing and updating themselves regularly, making their presence harder to detect even with anti-virus software. A good security strategy is needed to prevent and defend against this problem: a strategy that embraces incident response and technologically sound security measures covering, but not limited to, Trojan threats (Saudi and Jomhari, 2006; Hawkins et al., 2000). In this research, an ontology approach is applied to conduct Trojan horse classification and analysis. The ontology approach is used to extract the dataset and transform it into an understandable format.

[Figure 1: pie chart of MyCERT general incident classification statistics, January to October 2013. Legend categories include Content Related, Cyber Harassment, Denial of Service, Fraud and Intrusion; the slice labels (40.70%, 27.20%, 17.10%, 9.20%, 4.30%, 0.60%, 0.50%, 0.20%, 0.20%) are not attributable to categories from the extracted text.]

Figure 1: General Incident Classification Statistics (Jan - Oct) 2013 (MYCERT)

1.2 MOTIVATIONS

In conducting this research, there are two main motivations:

I. The difficulty researchers face in obtaining a clean dataset for their research analysis. Ontology is the approach applied to classify this dataset, and the expected outcome is a Trojan classification produced using the ontology approach.

II. Cleaning big data consumes a lot of processing time. There are various techniques that can be used to clean up a dataset, but which one is the easiest and least time-consuming? Many researchers have stopped doing research in this field since it is time-consuming and requires a lot of manpower (Witten et al., 2005). To clean up the dataset, the researcher needs to test each sample one by one.

1.3 PROBLEM STATEMENT

The number of Trojans is growing as technology grows. It becomes worse as Trojans nowadays keep updating and changing, which makes them difficult to detect with antivirus software. On 24 December 2012, anonymous cyber crooks attempted an attack using Distributed Denial of Service (DDoS) against an account belonging to Ascent Builder, netting the thieves more than $900,000 USD. In this case, a Trojan called Zeus was involved in numerous DDoS attacks. This Trojan is commonly used among cybercriminals and is the most prolific malware used in financial cyber attacks. Through this Trojan infection, its creator successfully caused chaos in which a lot of money was lost. The urgency of this research is due to the harmful implications of Trojans and the lack of a freely available clean Trojan dataset that can be used for further analysis.

1.4 RESEARCH QUESTION

In conducting this research, there are questions that need to be answered, which lead to the success of this research. The research questions are:

1) How is the raw data transformed into an understandable format?
2) What approach can be used to transform the Trojan dataset?
3) What procedures are involved in providing a clean Trojan dataset?

1.5 OBJECTIVES

The objectives of this research are:

1) To investigate and evaluate work related to Trojan data transformation.
2) To design a new Trojan classification using an ontology approach.
3) To evaluate the transformed dataset.

1.6 SCOPE AND LIMITATION

This research uses only a Trojan horse dataset on the Windows platform. There are approximately 1,987 samples of Trojan data. This research focuses on the ontology approach, which is used to classify this dataset.

1.7 ORGANIZATION OF THE RESEARCH REPORT

This thesis is organized into five related chapters:

Chapter 1: This chapter explains the research background, problem statement, research motivation, research objectives, research questions, research scope and limitation, significance of the research, research schedule and expected outcome.

Chapter 2: This chapter summarizes the review of other papers, articles and books related to this research. It discusses the study of the Trojan horse, consisting of its definition, architecture and classification. The ontology approach and the KDD approach are also discussed in this chapter.

Chapter 3: This chapter discusses the methodology used to achieve the objectives: how the data is analysed using the integration of static and dynamic analysis, and the ontology methodology for data transformation.

Chapter 4: This chapter discusses the expected outcome from the experimental analysis. It also describes in detail how the ontology approach is conducted to classify the Trojan horses. Different testing techniques are compared with the ontology to prove the effectiveness of the ontology itself in Trojan transformation.

Chapter 5: This chapter summarizes the research. It explains the research contributions and future work on this research.

2.0 LITERATURE REVIEW

2.1 OVERVIEW

The use of transformed malware datasets is nowadays very important in the security field, especially in network security. This useful information will be very helpful for future research and for data analysis, and it can only be achieved by performing dataset transformation. This section combines several aspects of the research study. For this research, the scope of the malware dataset is the Trojan horse. This chapter reviews the fundamental knowledge of the Trojan horse and the ontology approach. The first section discusses the Trojan itself: its classification and architecture, types of detection technique, and the differences between the Trojan and other malicious code. The second section discusses ontology, including the types of ontology that exist in the world of computing. Lastly, previous works related to this research are reviewed in order to guide this work and lessen the gaps found in those previous pieces of research.

2.2 DEFINITION OF TROJAN HORSE

The Trojan horse is one of the most serious and dangerous threats found in the world of computing, especially in computer security. It spreads widely and vigorously as technology grows. It is becoming more serious today, as Trojans keep changing and updating themselves regularly, making their presence harder to detect. The Trojan gets its name from Greek mythology, from the account in which the Greeks entered and destroyed the city of Troy: the wooden horse allowed the Greek army to sneak through a high gate, and this attack destroyed the city of Troy. There are many definitions of the Trojan stated by academicians.
In the computing world, Trojan horses are defined as computer programs that are presented as useful in order to induce the user to install and run them, but which also have some hidden malicious goal, such as enabling remote access and control with the aim of gaining full or partial access to the infected system (Liu et al., 2010). Others have defined a Trojan horse as a program in which malicious or harmful code is contained inside an apparently harmless program or data in such a way that it can get control and do its chosen form of damage, such as ruining or erasing data on the hard drive (Alsadoon et al., 2011). Furthermore, once a Trojan horse has been installed on a victim's computer, it is possible for the hacker to access it remotely and execute programs on command. Based on the latest research, a Trojan is defined as a program or file that appears useful and harmless but, after urging the user to install it on their computer, begins to carry out malicious acts such as enabling the hacker to control the victim's computer remotely and steal data (Areej, 2013). Based on these studies, this research defines the Trojan as malicious code in the form of a program or file that is harmful and dangerous once the victim installs it on their device. It carries out malicious activities such as stealing and destroying data on the hard drive, directly accessing private information and enabling the hacker to remotely control the device. It does not replicate itself, which makes it different from other malicious code.

2.2.1 TROJAN CLASSIFICATION AND ARCHITECTURE

Most ordinary people assume that malicious code such as Trojans, worms, adware, spyware and many more are all viruses. In the real computing world, the Trojan is not the same as other malicious code. It is created with its own specific function to achieve its goals. Therefore, it is important to know the specific differences between these kinds of malicious code, such as virus, Trojan, worm, adware and spyware, so that the correct detection technique can be applied based on their characteristics.
Classification is one of the most crucial processes that must be in place in order to ensure the effectiveness of the detection process (Siti Suraya, 2013). Generally, malicious code can be classified based on characteristics such as infection target and technique, among others (Babak et al., 2011). In addition, an effective classification algorithm or technique can improve the accuracy of malicious code detection (Nguyen et al., 2012). In general, there are many different types of Trojan that carry out different goals and have different targets. But most Trojans clearly cannot replicate themselves, which makes them different from other malicious code. The worm is one example of a threat in network security. Based on (Saudi, 2011), a worm is defined as a malicious program that can replicate itself, moving from one computer to another or propagating via a network without human intervention or the owner's consent. Other researchers define worms as autonomous, self-replicating threats that do not infect or alter computer programs in the same way as viruses, and with different objectives (Hughes et al., 2007). Worms are also defined as malicious code that usually spreads by exploiting vulnerabilities in network services (Farrukh, 2013).

2.3 DEFINITION OF ONTOLOGY

Ontology is one of the approaches used nowadays in extracting data. Ontologies are defined as knowledge representation frameworks that allow us to express knowledge in an explicit and expressive way using well-defined semantics (Daconta et al., 2003). McMullen et al. (2005) define it in terms of how sentences are created by combining words together to give meaning: an ontology provides this functionality by linking concepts together using relationships, which in turn can be processed to produce meaningful data. On the other hand, it is a formal, explicit specification of a shared conceptualization (Gruber, 1993). An ontology can be thought of as semantic primitives that specify a particular domain of knowledge (Saudi, 2008). An ontology is an inventory of the kinds of entities that exist in a domain, their salient properties, and the salient relationships that can hold between them (Benjamin et al., 1995). Ontology is a method that focuses on extracting the essential nature of the concepts in any domain and representing them in a structured manner.
For example, to illustrate this in natural language, an ontology triple (car, has, wheel) formalizes the sentence "(a) car has wheel(s)". In the ontological form, the concepts car and wheel are linked using the has property. By connecting concepts with properties and instances (examples), we are provided with a knowledge map of a given domain.

2.3.1 TYPES OF ONTOLOGY AND THEIR BENEFITS

According to (Nguyen, 2010), ontologies can be characterized according to their granularity, formality, generality and computational capability. In terms of granularity, an ontology can be defined as either coarse-grained or fine-grained (Broekstra et al., 2002). In terms of generality, ontologies may be classified as top-level ontologies, mid-level ontologies, task ontologies, domain ontologies and application ontologies. In terms of computational capability, ontologies may be classified as heavyweight or lightweight. Ontologies can also be classified according to their expressiveness: for example, ontologies may be controlled vocabularies, glossaries, thesauri, formal instance-relation ontologies, frame ontologies, value-restriction ontologies and general logical constraint ontologies (Broekstra et al., 2002). However, for ontologies to be processable by computer, they must be represented in a computer-readable language such as the Web Ontology Language (OWL) or F-logic. Ontological analysis clarifies the structure of knowledge. According to (Chandrasekaran et al., 1999), an ontology gives benefits in that it is the heart of any system of knowledge representation for its domain. In addition, an ontology enables knowledge sharing and captures the intrinsic conceptual structure of the domain. In this research paper, the ontology is applied to extract big Trojan data and transform it into knowledge that can be shared with others.

2.4 RELATED RESEARCH

Much research on malware has been carried out over the last 10 years. One strand concerns the Trojan, the study of which was started by (Thimbleby et al., 1998). It was then followed by more studies which focused instead on hardware Trojan taxonomy and hardware Trojan detection. Now the study of Trojans continues, and different approaches are applied to bring about new Trojan data transformation. There are many studies related to Trojan data transformation. (Liu et al., 2010) proposed a study on malware detection using machine learning methods. In this study, they chose the Trojan as the domain on the Windows platform. The study concluded that the accuracy of classification may increase when more relevant features are used in the process. However, the more features are selected, the more time it costs to build the classifier, which makes Trojan detection respond slowly in real time. They also compared classification accuracy on the same training dataset with different test datasets. The result shows that the Trojan horses collected from a real network environment are limited. (Saudi, 2011) presented an improved detection method based on the STAKCERT KDD process. This study used worms as the domain. Data pattern extraction was achieved using data mining: the research implemented the k-means algorithm for clustering and SMO for worm classification. This research enhanced the KDD data pre-processing and pattern extraction processes. In addition, statistical methods comprising Chi-square and symmetric measure, and a security metric, were also introduced. This approach outperforms the existing work by (Dai et al., 2009) with 98.13% overall accuracy. (Ren & Qian, 2013) presented an SPID-based method of Trojan horse detection, focusing on how to identify various Trojans efficiently and accurately. SPID is used to analyse common protocols, generating a model to identify Trojans. The results of their study show that the optimized combination of attribute meters has high efficiency in identifying Trojans while keeping SPID's detection accuracy. During the research, they found that this technique is a web-based, real-time detection technology: using network-characteristic attribute meters to generate a protocol model library, and statistics to identify Trojans, gives a high recognition rate and a wide range of adaptability. (Huang et al., 2010) proposed an ontology-based intelligent system for malware behaviour analysis. The Taiwan Malware Analysis Net (TWMAN) was presented to analyse malware behaviour and act as an ontology agent. The malware behavioural analysis collects malware behavioural information to build a malware behavioural ontology and malware behavioural rules. The results from the system logs show that TWMAN can work effectively to protect the computer from the attack of computer viruses and Trojans based on malware behavioural analysis.

Based on previous work, this research will introduce a new Trojan classification based on the ontology approach and compare the classification on the same training dataset but with a different test dataset.

3.0 RESEARCH METHODOLOGY

3.1 OVERVIEW

This section explains the research methodology used, including detailed explanations of the approaches used to collect and analyse the data. It also explains how the research will be conducted, including the domain, tools and laboratory environment used, and how the results of this research will be tested and verified. A systematic research methodology will produce high-quality research findings.

3.2 RESEARCH DESIGN

Figure 2 shows the full frame of the research design that will be applied in this study.
[Figure 2: flowchart. Set up laboratory environment (dataset from VX Heavens is downloaded; tools are installed) -> Trojan classification is obtained -> Data transformation is conducted (ontology approach) -> Dataset analysis -> A new format of dataset is gained -> The result is tested -> Valid: published to other researchers; Invalid: do the correction.]

Figure 2: Research Methodology Design for Trojan Transformation using Ontology


3.3 SETUP LABORATORY ENVIRONMENT

In order to do this research, a controlled laboratory environment is proposed, as illustrated in Figure 3. This laboratory will be set up with two computers on which VMWare is installed. The lab I built is separated from the production network; no outgoing network traffic is allowed in this architecture. The reasons this controlled lab architecture was used are: firstly, any Trojan horse infection, propagation, operating algorithm, activation and payload can be monitored without any constraint in terms of network connectivity; secondly, the lab is portable, so it is easy to move; and lastly, the controlled lab environment lessens the harm, since the lab is separated from the operational network.

[Figure 3: one Windows 7 monitoring host and two Windows 7 hosts running VMWare, on an isolated lab network.]

Figure 3: Lab Architecture


3.4 LOADING SPECIMEN

For this experiment, the Trojan is the domain. The dataset is downloaded from the VXHeaven (2013) website. All Trojans and variants were downloaded to be tested; however, for this experiment, only Trojans for the Windows platform were chosen. The Windows platform is chosen because more attacks and exploited vulnerabilities have been discovered on it. In addition, the number of Trojans that attack other platforms is smaller than for Windows. Windows is more exposed to attack by worms, viruses and Trojans; the problem is that Windows is poorly coded, and therefore a lot of Trojans have appeared for Windows. There are several reasons why this research chose to gather the dataset from the VXHeavens source. Firstly, many researchers have used this source of data for their testing, for example (Stibor, 2010), (Saudi et al., 2011) and (Siti Suraya, 2013). Secondly, the variants are more important than the quantity of the dataset. Lastly, given the scope of this research, which focuses only on Windows Trojans, it is one of the largest Trojan databases freely available on the internet.

3.5 SETUP TOOLS

For this experiment, almost 80% of the software used in this testing is open source or available free of charge. Table 1 lists the tools used in this lab.
Table 1: Tools and their functionalities.

Function | Tool | Purpose of action
Scan tool | AVG antivirus | To prepare the scan tool to detect various forms of malicious code, including those with newer signatures.
String search tool | Strings.exe (from Sysinternals) | To display and extract suspicious sets of ASCII characters included in a file.
Unpack tool | Proc dump 4.01 | To decompress and unpack the Trojan code.
Unpack tool | UPX tool | To decompress and unpack the Trojan code.
Virtual PC | VMWare Workstation | To allow multiple operating systems to run on a single computer.
TCP view | TCPView | A Windows program that shows a detailed listing of all TCP and UDP endpoints on the system, including the local and remote addresses and the state of TCP connections.
Disassembler/debug tool | OllyDbg | To perform detailed code analysis.
Process monitoring | Preview v3.7.3.1 | To identify the resources used by all running processes, including DLLs and registry keys. Process Explorer provides a wealth of useful information regarding how the Trojan was impacting the victim computer.
Database | MS Access | To store the transformed dataset.
Automated analysis | Cuckoo | To analyse Trojan horse behaviour and document it.
Ontology approach | Protégé | To classify the Trojan using the ontology approach.

3.6 DATASET ANALYSIS

The dataset for this experiment will go through the processes illustrated in Figure 4:
[Figure 4: process flow. Input dataset -> Data processing using Standard Operating Procedure (SOP): cleaning data to remove noise and duplication -> Extraction and classification of dataset: data transformation using ontology approach -> Post processing: clustering, classification -> Output = knowledge.]

Figure 4: Trojan Dataset Analysis Process

3.6.1 DATA PROCESSING

In data processing there are two kinds of analysis: static and dynamic analysis. The raw Trojan horse dataset downloaded from the VXHeavens source needs to be transformed into a format that can easily be used for subsequent analysis. Therefore, the dataset will go through a Standard Operating Procedure (SOP) to clean the data and remove any noise and duplication.


a) Static Analysis

The mechanism of static analysis is to look at the files associated with the Trojan on the computer without running the program. Figure 5 illustrates the stages of static analysis.

[Figure 5: flowchart. Start static analysis -> Run anti-virus -> Detect? No: use tools to uncompress the malicious code; Yes: string analysis -> Identify language script -> Disassemble code -> Static analysis finish.]

Figure 5: Static Analysis

Anti-virus check: Once the dataset has been loaded onto the testing computers, the file type or compression type is identified. Then the anti-virus installed on the testing computer is run. For this experiment, AVG antivirus is chosen to do this work, determining whether or not it is able to detect the Trojan. If it is, the name of the Trojan horse is checked and analysed using anti-virus websites for further information.

String analysis: A string tool called Strings.exe (from Sysinternals) is used to extract strings from the Trojan horse code. This is helpful in identifying the Trojan horse's characteristics.

Looking for script: Based on the strings extracted from the Trojan horse code, the common scripting or programming languages are identified. Table 2 can be used as guidance.
Table 2: Trojan Horse Script Analysis Guidance

Programming and scripting language | Identifying characteristics inside the file | Common file suffix
Perl | Starts with the line #!/usr/bin/perl | .pl, .perl
Bourne Shell | Starts with the line #!/bin/sh | .sh
C | C programming language source; can be a standalone program or many files referenced within the language | .c
C++ | C++ programming language source; can be a standalone program or many files referenced within the language | .cpp
Java | Contains Java source code | .java, .j, .ljav
Assembly Language | Close to binary machine code | .asi
Active Server Page (ASP) | Can be built using Visual Basic, JScript or Perl; can combine HTML, scripts and ActiveX server components | .asp
JavaScript | Includes the word javascript or JavaScript, especially in the form <Script language=JavaScript> | .js, .html, .htm
Visual Basic Script (VBScript) | Includes the word VBScript, or the characters vb scattered throughout the file | .vbs, .htm, .html

Disassemble code: The disassembler and debuggers OllyDbg and IDA Pro are used to transform a raw binary executable into assembly language and to disassemble and debug the code.
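As an added example (not the proposal's own code), the following Python script runs the static-analysis SOP steps described above over a constructed, harmless sample set: it removes duplicates by SHA-256, identifies the file or compression type from magic bytes, extracts printable strings as Strings.exe does, and applies the Table 2 rules to name the scripting language. The sample bytes, the UPX section-name check and the suffix map are assumptions for illustration.

```python
"""Static-analysis triage over a constructed sample set.

Added example, not the proposal's own code. It follows the SOP steps of
section 3.6.1 (a): de-duplicate by hash, identify the file or compression
type, extract printable strings (as Strings.exe does) and apply the
Table 2 rules to name the scripting language.
"""
import hashlib
import re

# Constructed, harmless stand-ins for dataset files (name -> raw bytes).
# "a.exe" and "b.exe" are byte-identical so de-duplication has work to do.
PE_STUB = (b"MZ\x90\x00" + b"\x00" * 56 + b"\x40\x00\x00\x00"  # e_lfanew = 0x40
           + b"PE\x00\x00" + b"UPX0\x00UPX1\x00"                 # packer section names
           + b"This program cannot be run in DOS mode\x00")
SAMPLES = {
    "a.exe": PE_STUB,
    "b.exe": PE_STUB,
    "c.pl": b"#!/usr/bin/perl\nprint 'constructed sample';\n",
    "d.vbs": b'Set sh = CreateObject("WScript.Shell")\n\' VBScript stub\n',
    "e.htm": b"<html><Script language=JavaScript>alert(1)</Script></html>",
    "f.bin": b"\x00\x01\x02\x03",
}

# Table 2, "Common file suffix" column (assembly omitted: no rule is needed here).
SUFFIX_LANGUAGE = {
    ".pl": "Perl", ".perl": "Perl", ".sh": "Bourne Shell", ".c": "C",
    ".cpp": "C++", ".java": "Java", ".asp": "Active Server Page",
    ".js": "JavaScript", ".vbs": "VBScript",
}


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def dedupe(samples):
    """Return (unique, duplicates): unique maps sha256 -> first file name,
    duplicates maps each later identical file to the name it repeats."""
    unique, duplicates = {}, {}
    for name, data in samples.items():
        digest = sha256_hex(data)
        if digest in unique:
            duplicates[name] = unique[digest]
        else:
            unique[digest] = name
    return unique, duplicates


def identify_container(data):
    """File / compression type from magic bytes (the first check of Figure 5)."""
    if data.startswith(b"MZ"):
        packed = b"UPX0" in data or b"UPX1" in data
        return "PE (UPX packed)" if packed else "PE"
    if data.startswith(b"PK\x03\x04"):
        return "ZIP archive"
    if data.startswith(b"\x7fELF"):
        return "ELF"
    if all(32 <= b < 127 or b in (9, 10, 13) for b in data):
        return "text/script"
    return "unknown"


def extract_strings(data, min_len=4):
    """ASCII runs of at least min_len characters, like Strings.exe output."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.decode("ascii") for m in pattern.findall(data)]


def identify_language(name, strings):
    """Table 2 rules: shebang line first, then tell-tale words, then suffix."""
    first = strings[0] if strings else ""
    lowered = "\n".join(strings).lower()
    if first.startswith("#!/usr/bin/perl"):
        return "Perl"
    if first.startswith("#!/bin/sh"):
        return "Bourne Shell"
    if "javascript" in lowered:          # e.g. <Script language=JavaScript>
        return "JavaScript"
    if "vbscript" in lowered:
        return "VBScript"
    suffix = name[name.rfind("."):].lower() if "." in name else ""
    return SUFFIX_LANGUAGE.get(suffix, "not a script (binary or unknown)")


def triage(samples):
    """Run the SOP over unique samples; duplicates are recorded, not analysed."""
    unique, duplicates = dedupe(samples)
    report = {}
    for digest, name in unique.items():
        data = samples[name]
        strings = extract_strings(data)
        report[name] = {
            "sha256": digest,
            "container": identify_container(data),
            "strings": len(strings),
            "language": identify_language(name, strings),
        }
    for dup, original in duplicates.items():
        report[dup] = {"duplicate_of": original}
    return report


if __name__ == "__main__":
    for name, record in triage(SAMPLES).items():
        print(name, record)
```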

b) Dynamic Analysis

Dynamic analysis involves executing the Trojan horse dataset in the controlled lab and carefully watching its behaviour and actions. All the steps involved are illustrated in Figure 6.

[Figure 6: flowchart. Start dynamic analysis -> Monitoring file activities -> Monitoring processes -> Monitoring network activities -> Monitoring registry access -> Dynamic analysis finish.]

Figure 6: Dynamic Analysis

Monitoring file activities: Most Trojan horses read from or write to the file system. A Trojan might try to write files, alter existing programs, add new files or append itself to files on the file system.

Monitoring processes: Preview v3.7.3.1 is the tool used to monitor any program, file, registry key and all the DLLs on the victim's computer.

Automated analysis (malware sandbox): A sandbox is a mechanism for analysing untrusted files or programs in a system. It is an alternative way of analysing the binary file.

3.6.2 EXTRACTION AND CLASSIFICATION OF DATASET

For data extraction and classification, the ontology approach is used. Ontologies are knowledge representation frameworks that allow us to express knowledge in an explicit and expressive way using well-defined semantics. This process aims to extract the dataset by clustering and classifying the samples according to their characteristics and behaviours. The process of defining concepts in an ontology is also called categorization, which involves taking closely related terms and grouping the Trojans as concepts or categories (Saudi, 2008).

a) Ontology Model

The design proposed for this study presents a new Trojan classification model using ontology. This study represents a novel structure of the domain ontology, including a domain layer, a category layer and a behaviour layer.
[Figure 7: three-layer ontology model: domain layer (Domain = Trojan), category layer, behaviour layer.]

Figure 7: Ontology Model

b) OWL-based Trojan Behavioural Ontology

The OWL-based Trojan behavioural ontology uses Protégé to build the ontology and describes the ontology of Trojan behaviour.


3.6.3 POST PROCESSING

This level continues the data processing by interpreting the patterns from all the data already extracted using the ontology approach. The data will be transformed into useful information, known as knowledge, and then stored in the database.

3.7 TESTING

To verify and validate the proposed Trojan data transformation and Trojan classification, all the result reports from the static and dynamic analysis are compared and verified against the result report of the automated analysis (Cuckoo). This process is done manually. Throughout this research, all the data will be extracted using the ontology and tested. After the data analysis, which consists of three important stages (data processing, data extraction and post processing), the new result will be tested. The data will be run many times using the ontology coding to obtain many results. These results are then compared to establish their validity and the highest percentage frequency of occurrence of Trojan behaviours and characteristics. The final result obtained is then stored in the database.

4.0 EXPECTED OUTCOME

This section discusses the expected outcomes of this research. In this research, it is expected that:

1) A new Trojan classification is formed using an ontology approach. Using the ontology approach, a new Trojan classification is produced. The ontology model structure, which includes the domain layer, category layer and behaviour layer, is extracted using the OWL-based Trojan behavioural ontology. Protégé is used to build and describe the ontology of Trojan behaviour.

2) A repository of clean data is formed by the end of this research. To produce a new Trojan classification, the domain dataset has to go through the Standard Operating Procedure (SOP). The SOP, which includes static and dynamic analysis, cleans the dataset by removing all noise and duplication of data. Thus, a repository of clean data is produced by the end of this research.
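As an added example covering the three-layer ontology model of section 3.6.2 and the behaviour-frequency check of section 3.7 (not the proposal's or Protégé's code), the Python below turns constructed dynamic-analysis log lines into (subject, property, object) triples, assigns categories and reports how often each behaviour occurs across the samples. The behaviour vocabulary, the category definitions, the log format and the example.org namespace are assumptions; the proposal itself fixes only the three layers and Domain = Trojan.

```python
"""Three-layer Trojan ontology: domain -> category -> behaviour.

Added example, not the proposal's or Protégé's code. The log lines, the
behaviour vocabulary, the category definitions and the namespace are
constructed assumptions; the proposal fixes only the three layers and
Domain = Trojan.
"""
from collections import Counter

DOMAIN = "Trojan"

# Constructed dynamic-analysis log lines, "<sample>|<monitor>|<detail>",
# one per observation from the four monitors of Figure 6. No real sample,
# host or address is referenced (203.0.113.0/24 and 198.51.100.0/24 are
# reserved documentation ranges).
EVENTS = [
    "s1|file|write C:\\Windows\\System32\\dropped.exe",
    "s1|registry|set HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\dropped",
    "s1|network|connect 203.0.113.10:8080",
    "s2|file|write C:\\Users\\victim\\AppData\\notes.dat",
    "s2|network|connect 198.51.100.5:443",
    "s3|file|delete C:\\Users\\victim\\Documents\\report.doc",
    "s3|registry|set HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\updater",
    "s4|process|create cmd.exe",
]

# Category layer: a sample is an instance of a category when it exhibits
# every behaviour the category requires (assumed definitions).
CATEGORIES = {
    "Backdoor": {"opensRemoteConnection", "persistsViaRunKey"},
    "Dropper": {"dropsFileInSystemDir"},
    "Destructive": {"deletesUserData"},
    "InfoStealer": {"writesUserFile", "opensRemoteConnection"},
}


def behaviours_from_event(monitor, detail):
    """Behaviour layer: map one monitored action to behaviour concepts."""
    action, _, target = detail.partition(" ")
    if monitor == "registry" and "\\Run\\" in target:
        yield "persistsViaRunKey"
    if monitor == "network" and action == "connect":
        yield "opensRemoteConnection"
    if monitor == "file" and action == "write":
        yield "dropsFileInSystemDir" if "\\System32\\" in target else "writesUserFile"
    if monitor == "file" and action == "delete":
        yield "deletesUserData"
    if monitor == "process" and action == "create":
        yield "spawnsProcess"


def build_triples(events):
    """Return the ontology as a set of (subject, property, object) triples."""
    triples, per_sample = set(), {}
    for line in events:
        sample, monitor, detail = line.split("|", 2)
        per_sample.setdefault(sample, set())
        for b in behaviours_from_event(monitor, detail):
            per_sample[sample].add(b)
            triples.add((sample, "exhibits", b))
    for cat, required in CATEGORIES.items():
        triples.add((DOMAIN, "hasCategory", cat))
        for b in required:
            triples.add((cat, "hasBehaviour", b))
        for sample, seen in per_sample.items():
            if required <= seen:
                triples.add((sample, "instanceOf", cat))
    return triples


def classify(triples):
    """Sample -> sorted categories; an empty list means no category matched."""
    out = {s: [] for s, p, _ in triples if p == "exhibits"}
    for s, p, o in triples:
        if p == "instanceOf":
            out[s].append(o)
    return {s: sorted(c) for s, c in out.items()}


def behaviour_frequency(triples):
    """Post-processing: percentage of samples that exhibit each behaviour."""
    exhibits = [(s, o) for s, p, o in triples if p == "exhibits"]
    n_samples = len({s for s, _ in exhibits})
    counts = Counter(o for _, o in exhibits)
    return {b: round(100.0 * c / n_samples, 1) for b, c in sorted(counts.items())}


def to_turtle(triples):
    """Serialize the triples as Turtle text under an assumed namespace."""
    lines = ["@prefix t: <http://example.org/trojan#> ."]
    lines += [f"t:{s} t:{p} t:{o} ." for s, p, o in sorted(triples)]
    return "\n".join(lines)


if __name__ == "__main__":
    triples = build_triples(EVENTS)
    print(classify(triples))
    print(behaviour_frequency(triples))
    print(to_turtle(triples))
```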

5.0 CONCLUSION

In the world of computer security, the malware threat cannot be neglected. The different capabilities of malware, which are always being updated, make its existence more difficult to detect. This proposal presented a Trojan data transformation using an ontology approach. The domain used in this research is the Trojan horse on the Windows platform. The research will be conducted in a controlled laboratory environment. The big dataset downloaded from VXHeaven is first cleaned up using the SOP technique; the clean dataset is then used for Trojan classification using the ontology approach. By following the development processes of this study, the ontology approach can be expanded to solve more complex problems. Research on Trojan classification and detection techniques has been conducted to confront Trojan horse attacks, and this research is part of it. This Trojan data transformation can be used as a reference for other researchers around the world to construct a better Trojan detection model, whether using the same approach or a different one.


REFERENCES:

Malaysia Cyber Security (2013). Malaysian Computer Emergency Response Team. Available from: http://www.mycert.org.my/en/services/statistic/mycert/2013/main/detail/914/index.html (Accessed 11th December 2013).
Mangatae, Aelphases (2006). Trojan White Paper [igniteds.NET]. Available from: http://igniteds. (Accessed October 2013).
Hawkins, S., Yen, D.C. and Chou, D.C. (2000). Awareness and challenges of Internet security. Information Management & Computer Security, 8(3), 131-143.
Saudi, M.M. and Jomhari, N. (2006). Knowledge structure on virus for user education. 2006 International Conference on Computational Intelligence and Security, 1515-1518.
Witten, I.H. and Frank, E. (2005). Data Mining: Practical Machine Learning Tools and Techniques. Morgan Kaufmann.
Paganini, P. (1st November 2013). Impact of Cybercrime. Available from: www.infosecinstitute.com/2013-impact-cybercrime (Accessed 29th November 2013).
Farrukh, S., Ali Akhbar, M. and Muddassar, F. (2013). The Droid Knight: a Silent Guardian for the Android Kernel, Hunting for Rogue Smartphone Malware Applications.
Areej, M.A., Saudi, M.M., Bachok, M.T. and Zul, H.A. (2013). An Efficient Trojan Classification (ETC). IJCSI International Journal of Computer Science Issues, 10(2), No. 3.
Saudi, M.M. (2011). A New Model for Worms Detection and Responds (electronic version).
Babak, R., Maslin, B. and Suhaimi, I. (2011). Evolution of Computer Virus Concealment and Anti-Virus Techniques: A Short Survey. IJCSI International Journal of Computer Science Issues, 8(1).
Nguyen, V.T., Kha, V.V. and Anh, A.P. (2012). Research Some Algorithm in Machine Learning and Artificial Immune System, Apply to Set Up A Virus Detection System. International Journal of Computer Science Issues, 9(4).
Suraya, S.O., Saudi, M.M. and Zul, H.A. (2013). Standard Operating Procedures (SOP) to build up Malware Dataset.
Daconta, M.C., Obrst, L.J. and Smith, K.T. (2003). The Semantic Web. Wiley Publishing Inc., Indianapolis, Indiana.
McMullen, D., Holohan, E., Melia, M. and Pahl, C. (2005). Knowledge-driven Learning Technology Systems. 6th Annual Irish Educational Technology Users Conference, EdTech2005, ILTA.
Gruber, T.R. (1993). A translation approach to portable ontology specifications. Knowledge Acquisition, 5, 199-220.
Benjamin, P., Menzel, C. and Mayer, R.J. (1995). Towards a method for acquiring CIM ontologies. International Journal of Computer Integrated Manufacturing, 8(3), 225-234.
Azni, A.H., Saudi, M.M., Azreen, A., Emran, M.T. and Yamani, M.I.I. (2008). An Efficient Network Security System through an Ontology Approach. IEEE Xplore 978-1-4244-3397-1.
Broekstra, J., Kampman, A. and van Harmelen, F. (2002). Sesame: A generic architecture for storing and querying RDF and RDF schema. In Proceedings of the 1st International Semantic Web Conference, Lecture Notes in Computer Science, Vol. 2342, pp. 54-68. Springer.
Van Nguyen (2010). Command Control Communications and Intelligence Division. DSTO-TH-1002.
Al-Saadoon, G. and Al-Bayatti, H. (2011). A Comparison of Trojan Horse Virus Behavior in Linux and Windows Operating Systems. World of Computer Science and Information Technology Journal, 1(3), 56-62.
Liu, Y., Zhang, L., Liang, J., Qu, S. and Ni, Z. (2010). Detecting Trojan horses based on system behavior using machine learning method. 2010 International Conference on Machine Learning and Cybernetics, IEEE, 2, 855-860.
Dai, J., Guha, R. and Lee, J. (2009). Efficient Virus Detection Using Dynamic Instruction Sequences. Journal of Computers, 4(5), 405-414.
Ren, X. and Qian, G. (2013). SPID-based Method of Trojan Horse Detection. International Conference on Information, Business and Education Technology (ICIBT 2013).
Thimbleby, H., Anderson, S. and Cairns, P. (1998). A framework for Modelling Trojans and Computer Virus Infection. Computer Journal, 41(7), 444-458.
Huang, H., Chuang, T., Tsai, Y. and Lee, C. (2010). Ontology-based Intelligent System for Malware Behavioral Analysis. WCCI 2010 IEEE World Congress on Computational Intelligence, July 18-23, 2010, CCIB, Barcelona, Spain.
Chandrasekaran, B., Josephson, J.R. and Benjamins, V.R. (1999). What are Ontologies, and Why Do We Need Them? IEEE Intelligent Systems, January/February 1999.
Stibor, T. (2010). A Study of Detecting Computer Viruses in Real-Infected Files in the n-gram Representation with Machine Learning Methods (electronic version). URL: http://www.sec.in.turn.de/assets/staff/stiborr/iea.aie.final.extended.pdf

