dAPTaset: A Comprehensive Mapping of APT-Related Data

Laurenza, Giuseppe; Lazzeretti, Riccardo

doi:10.1007/978-3-030-42051-2_15

Cited by 7 publications

(13 citation statements)

References 2 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…To compare the approaches, we rely on the data provided by dAPTaset [12]. It is a publicly available database 4 with different information about APTs activities, including various Indicators of Compromise like malware hashes, network domains, and IP addresses.…”

Section: Features Extractionmentioning

confidence: 99%

Malware Triage for Early Identification of Advanced Persistent Threat Activities

2020

Self Cite

View full text Add to dashboard Cite

In the past decade, a new class of cyber-threats, known as "Advanced Persistent Threat" (APT), has emerged and has been used by different organizations to perform dangerous and effective attacks against financial and politic entities, critical infrastructures, and so on. To identify APT related malware early, a semi-automatic approach for malware samples analysis is needed. Recently, a malware triage step for a semi-automatic malware analysis architecture has been introduced. This step identifies incoming APT samples early, among all the malware delivered per day in the cyber-space, to immediately dispatch them to deeper analysis. In the article, the authors have built the knowledge base on known APTs obtained from publicly available reports. For efficiency reasons, they rely on static malware features, extracted with negligible delay, and use machine learning techniques for the identification. Unfortunately, the proposed solution has the disadvantage of requiring a long training time and needs to be completely retrained each time new APT samples or even a new APT class are discovered. In this article, we move from multi-class classification to a group of one-class classifiers, which significantly decreases runtime and allows higher modularity, while still guaranteeing precision and accuracy over 90%. CCS Concepts: • Social and professional topics → Malware/spyware crime;

show abstract

Section: Features Extractionmentioning

confidence: 99%

Malware Triage for Early Identification of Advanced Persistent Threat Activities

2020

Self Cite

View full text Add to dashboard Cite

show abstract

“…It contains several vulnerable binaries compiled with 11 compilers in the families of clang, gcc and icc. The total number of different vulnerabilities is 8 13 . We disassembled the dataset with ANGR, obtaining 3160 binary functions.…”

Section: Task 3 -Vulnerability Searchmentioning

confidence: 99%

“…Dataset: -We use the APT dataset from [13]. The dataset contains the mapping between malware and APT developers, it has been created by using public reports 18 of APT activites.…”

Section: E Task 5 -Apt Classificationmentioning

confidence: 99%

“…For us a program P j is a set of functions embeddings P j = { f 0 , ..., f nj }. A function that indicates whether P j contains function f can be defined as: 18 The sources reported in [13] are: MITRE ATT&CK, PT Groups and Operations, APT Notes, MISP Galaxy Cluster. 19 https://github.com/lucamassarelli/safe apt classification Where τ is a threshold (equal to 0.95 in our experiments).…”

Section: E Task 5 -Apt Classificationmentioning

confidence: 99%

“…We applied our semantic classifier to known malwares, and we were able to accurately recognize with it functions implementing encryption algorithms. Moreover, we used a recent dataset [13] of malwares from APT groups, and we used SAFE embedding to build a classifier associating malwares and APT with an f1 score of 90%.…”

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

Function Representations for Binary Similarity

Massarelli

Luna

Petroni

et al. 2022

IEEE Trans. Dependable and Secure Comput.

View full text Add to dashboard Cite

The binary similarity problem consists in determining if two functions are similar considering only their compiled form. Advanced techniques for binary similarity recently gained momentum as they can be applied in several fields, such as copyright disputes, malware analysis, vulnerability detection, etc. In this paper we describe SAFE, a novel architecture for function representation based on a self-attentive neural network. SAFE works directly on disassembled binary functions, does not require manual feature extraction, is computationally more efficient than existing solutions, and is more general as it works on stripped binaries and on multiple architectures. Results from our experimental evaluation show how SAFE provides a performance improvement with respect to previous solutions. Furthermore, we show how SAFE can be used in widely different use cases, thus providing a general solution for several application scenarios.

show abstract

Diving Deep With BotLab-DS1: A Novel Ground Truth-Empowered Botnet Dataset

Qasim,

Waleed,

et al. 2024

IEEE Access

View full text Add to dashboard Cite

Cyberspace faces unparalleled threats due to the rapid rise in botnet attacks and their profound repercussions. Utilizing AI-assisted systems emerges as a potent solution for detecting and neutralizing such attacks. Existing research on botnet attack detection revolves around dataset creation, amplifying the detection methods' efficacy and precision via sophisticated machine learning models, and a behaviourcentric analysis. A discerning review of current datasets reveals their limitations: the obsolescence of some datasets, their limited relevance to certain attack types, and an imperative lack of ground truth. Addressing these gaps, we introduce a ground truth, the BotLab-DS1 dataset, featuring 5,279 real-world active botnet samples spanning 12 botnet families and 3,000 benign instances. This paper's core is threefold; initially, we delineate a thorough review of existing datasets and their inherent shortcomings. Subsequently, we unfold a holistic data creation strategy and leverage advanced feature engineering methods on static, behavioural, and network-centric attributes. Finally, the research involves training diverse machine learning algorithms using the BotLab-DS1 dataset for enhanced botnet detection. Our empirical findings underline that BotLab-DS1, when paired with the random forest algorithm, attains 98.6% accuracy and 99.0% precision. In contrast, gradient boosting trails closely, registering 96.34% accuracy and 96.0% precision. We believe our study will pioneer new pathways for dataset formulation and algorithmic scrutiny, enriching the research landscape and backing the global initiative to thwart botnet incursions effectively.INDEX TERMS Cyberspace, botnet, dataset, machine learning, security attacks.

show abstract

dAPTaset: A Comprehensive Mapping of APT-Related Data

Cited by 7 publications

References 2 publications

Malware Triage for Early Identification of Advanced Persistent Threat Activities

Malware Triage for Early Identification of Advanced Persistent Threat Activities

Function Representations for Binary Similarity

Diving Deep With BotLab-DS1: A Novel Ground Truth-Empowered Botnet Dataset

Contact Info

Product

Resources

About