Dynamic Analysis of Executables to Detect and Characterize Malware

Smith, Michael R.; Ingram, Joey Burton; Lamb, Christopher C.; Draelos, Timothy J.; Doak, Justin E.; Aimone, James B.; James, Conrad D.

doi:10.1109/icmla.2018.00011

Cited by 9 publications

(5 citation statements)

References 22 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…They identify six key challenges: 1) ML is better for finding similarities rather than differences, 2) very high cost of classification errors, 3) a semantic gap between detection results and their operational interpretation, 4) enormous variability in what is "normal", 5) difficulties in sound evaluation of the results, and 6) operating in an adversarial setting. In the context of detecting malware, other work noted discrepancies particularly with respect to the precision of malware-indicating a large jump in false negatives when deployed in real-world settings stemming from the difference in the proportion of malware and the difficulty on modeling "normal" in executables [71].…”

Section: Other Examplesmentioning

confidence: 99%

Mind the Gap

Smith

Johnson

Ingram

et al. 2020

Proceedings of the 13th ACM Workshop on Artificial Intelligence and Security

View full text Add to dashboard Cite

Machine learning (ML) techniques are being used to detect increasing amounts of malware and variants. Despite successful applications of ML, we hypothesize that the full potential of ML is not realized in malware analysis (MA) due to a semantic gap between the ML and MA communities-as demonstrated in the data that is used. Due in part to the available data, ML has primarily focused on detection whereas MA is also interested in identifying behaviors. We review existing open-source malware datasets used in ML and find a lack of behavioral information that could facilitate stronger impact by ML in MA. As a first step in bridging this gap, we label existing data with behavioral information using open-source MA reports-1) altering the analysis from identifying malware to identifying behaviors, 2) aligning ML better with MA, and 3) allowing ML models to generalize to novel malware in a zero/few-shot learning manner. We classify the behavior of a malware family not seen during training using transfer learning from a state-of-the-art model for malware family classification and achieve 57%-84% accuracy on behavioral identification but fail to outperform the baseline set by a majority class predictor. This highlights opportunities for improvement on this task related to the data representation, the need for malware specific ML techniques, and a larger training set of malware samples labeled with behaviors. Publication rights licensed to ACM. ACM acknowledges that this contribution was authored or co-authored by an employee, contractor or affiliate of the United States government. As such, the Government retains a nonexclusive, royalty-free right to publish or reproduce this article, or to allow others to do so, for Government purposes only.

show abstract

Section: Other Examplesmentioning

confidence: 99%

Mind the Gap

Smith

Johnson

Ingram

et al. 2020

Proceedings of the 13th ACM Workshop on Artificial Intelligence and Security

View full text Add to dashboard Cite

show abstract

Section: Other Examplesmentioning

confidence: 99%

Mind the Gap: On Bridging the Semantic Gap between Machine Learning and Information Security

Smith,

Johnson,

Ingram

et al. 2020

Preprint

View full text Add to dashboard Cite

Despite the potential of Machine learning (ML) to learn the behavior of malware, detect novel malware samples, and significantly improve information security (InfoSec) we see few, if any, high-impact ML techniques in deployed systems, notwithstanding multiple reported successes in open literature. We hypothesize that the failure of ML in making high-impacts in InfoSec are rooted in a disconnect between the two communities as evidenced by a semantic gap-a difference in how executables are described (e.g. the data and features extracted from the data). Specifically, current datasets and representations used by ML are not suitable for learning the behaviors of an executable and differ significantly from those used by the InfoSec community. In this paper, we survey existing datasets used for classifying malware by ML algorithms and the features that are extracted from the data. We observe that: 1) the current set of extracted features are primarily syntactic, not behavioral, 2) datasets generally contain extreme exemplars producing a dataset in which it is easy to discriminate classes, and 3) the datasets provide significantly different representations of the data encountered in real-world systems. For ML to make more of an impact in the InfoSec community requires a change in the data (including the features and labels) that is used to bridge the current semantic gap. As a first step in enabling more behavioral analyses, we label existing malware datasets with behavioral features using open-source threat reports associated with malware families. This behavioral labeling alters the analysis from identifying intent (e.g. good vs bad) or malware family membership to an analysis of which behaviors are exhibited by an executable. We offer the annotations with the hope of inspiring future improvements in the data that will further bridge the semantic gap between the ML and InfoSec communities.

show abstract

“…However, dynamic analysis approaches are also imperfect. It is reported in [3,[5][6][7][8][9] that smart malware can detect whether it runs on a virtual or real environment. Moreover, smart malware can modify their behavior by hiding their malicious code to avoid detection.…”

Section: Related Workmentioning

confidence: 99%

“…Unknown vulnerabilities allow an attack window time, that is the time between threat discovery to signature update. It is shown in [2][3][4][5][6] that malware authors use tools to pack and obfuscate malware to hide malware and to escape from detection. Consequently, signature-based approaches are inefficient to cope with malware authors tricks and therefore, they are unreliable.…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

An Ensemble-Based Malware Detection Model Using Minimum Feature Set

Zelinka

Amer²

2019

mendel

View full text Add to dashboard Cite

Current commercial antivirus detection engines still rely on signature-based methods. However, with the huge increase in the number of new malware, current detection methods become not suitable. In this paper, we introduce a malware detection model based on ensemble learning. The model is trained using the minimum number of signification features that are extracted from the file header. Evaluations show that the ensemble models slightly outperform individual classification models. Experimental evaluations show that our model can predict unseen malware with an accuracy rate of 0.998 and with a false positive rate of 0.002. The paper also includes a comparison between the performance of the proposed model and with different machine learning techniques. We are emphasizing the use of machine learning based approaches to replace conventional signature-based methods.

show abstract

Dynamic Analysis of Executables to Detect and Characterize Malware

Cited by 9 publications

References 22 publications

Mind the Gap

Mind the Gap

Mind the Gap: On Bridging the Semantic Gap between Machine Learning and Information Security

An Ensemble-Based Malware Detection Model Using Minimum Feature Set

Contact Info

Product

Resources

About