Ensemble Models for Data-driven Prediction of Malware Infections

Kang, Chanhyun; Park, Noseong; Prakash, B. Aditya; Serra, Edoardo; Subrahmanian, V. S.

doi:10.1145/2835776.2835834

Cited by 31 publications

(21 citation statements)

References 22 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Predicting Security Incidents. Prior work studied the feasibility of predicting future computer-security incidents [34,42,51,69,71,72,76]. Soska and Christin showed that, using publicly available indicators, they could reliably predict whether websites would be compromised within one year [76].…”

Section: Related Workmentioning

confidence: 99%

“…Liu et al demonstrated that one can predict if an enterprise will suffer future security incidents (e.g., server breach), using externally observed indicators (e.g., DNS misconfigurations) [51]. Sabottke et al focused on predicting which vulnerabilities will be exploited using information collected from Twitter feeds [69], while Kang et al proposed to predict what percentage of hosts within a country are likely to be infected by a particular piece of malware [42].…”

Section: Related Workmentioning

confidence: 99%

See 1 more Smart Citation

Predicting Impending Exposure to Malicious Content from User Behavior

Sharif

Urakawa

Christin

et al. 2018

Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security

View full text Add to dashboard Cite

Many computer-security defenses are reactive-they operate only when security incidents take place, or immediately thereafter. Recent efforts have attempted to predict security incidents before they occur, to enable defenders to proactively protect their devices and networks. These efforts have primarily focused on long-term predictions. We propose a system that enables proactive defenses at the level of a single browsing session. By observing user behavior, it can predict whether they will be exposed to malicious content on the web seconds before the moment of exposure, thus opening a window of opportunity for proactive defenses. We evaluate our system using three months' worth of HTTP traffic generated by 20,645 users of a large cellular provider in 2017 and show that it can be helpful, even when only very low false positive rates are acceptable, and despite the difficulty of making "on-the-fly" predictions. We also engage directly with the users through surveys asking them demographic and security-related questions, to evaluate the utility of self-reported data for predicting exposure to malicious content. We find that self-reported data can help forecast exposure risk over long periods of time. However, even on the long-term, self-reported data is not as crucial as behavioral measurements to accurately predict exposure. CCS CONCEPTS• Security and privacy → Network security; Human and societal aspects of security and privacy; • Computing methodologies → Neural networks; KEYWORDS Exposure prediction; network security; proactive security ACM Reference Format:

show abstract

Section: Related Workmentioning

confidence: 99%

Section: Related Workmentioning

confidence: 99%

Predicting Impending Exposure to Malicious Content from User Behavior

Sharif

Urakawa

Christin

et al. 2018

Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security

View full text Add to dashboard Cite

show abstract

“…The contact graph is a directed graph with a set of nodes and edges at time t . If there is a network flow between two nodes at that time, an edge is inserted between these nodes in the graph. Altarelli et al have used a certain number of features of propagation characteristics, including the recovery probability for each node, the probability by which two nodes infect each other, the distribution of recovery time, and the transmission delay distribution. In another study, historical diffusion traces were available, and the following features were extracted: which nodes got infected and when did this happen. Zhu et al have defined the following features: the time elapsed before the subnet gets worm duplication, the number of infected hosts in each subnet at a moment, the bandwidth consumed by the worm inside subnet i to attack the outside ( bandwidth _ out ), the bandwidth consumed by the worm outside subnet i to attack the subnet ( bandwidth _ in ), and the bandwidth consumed by the worm inside subnet i to attack the subnet ( bandwidth _ inside ) are used as features. In the previous research, to predict the number of malware infections in a country the following features have been defined: the time when a file becomes infected with a malware, antivirus signature release time, and the patch release time. In another study, 323 features were collected from a monitored computer, which could be classified into the following 11 main categories to detect worm activity in computers: ICMP, IP, memory, network interface, physical disk, process, processor, system, Transport Control Protocol TCP, thread, UDP. In an investigation by Tabish, instructions or call sequences of an executable program have been mapped to a graph. Features were extracted from the constructed graph at the three following levels: vertex level, subgraph level, and graph level.…”

Section: Related Workmentioning

confidence: 99%

“…• Zhu et al 39 have defined the following features: the time elapsed before the subnet gets worm duplication, the number of infected hosts in each subnet at a moment, the bandwidth consumed by the worm inside subnet i to attack the outside (bandwidth_out), the bandwidth consumed by the worm outside subnet i to attack the subnet (bandwidth_in), and the bandwidth consumed by the worm inside subnet i to attack the subnet (bandwidth_inside) are used as features. • In the previous research, 40 to predict the number of malware infections in a country the following features have been defined: the time when a file becomes infected with a malware, antivirus signature release time, and the patch release time.…”

Section: Featuresmentioning

confidence: 99%

A probability distribution function for investigating node infection and removal times

Tafazzoli

Sadeghiyan

2019

Trans Emerging Tel Tech

View full text Add to dashboard Cite

Considering the important issue of computer infections by worms spread via networks, the theme of source identification has been a prominent research field that aims at investigating infection propagation including acquiring knowledge about the infection and the node removal times when a worm infection happens. This information helps in identifying the patient zero in the worm attack and may be used by computer forensic investigators and network administrators to spot the culprits and to identify related network vulnerabilities. In this paper, we tackle this problem by developing new probabilistic models based on Bayesian networks. We learn a probability distribution to calculate, at every time step, the probability that each node is infected by a scanning worm, using historical data and features extracted from the network and application layers. With the mentioned probability distribution, the node infection status can be inferred using feature values at each time step. We propose a four‐step method to investigate the time of infection and removal of each node probabilistically. First, features are extracted and derived from network traffic data. There are no suitable training and test datasets publicly available for our tests; therefore, we developed the training and test datasets using simulations of the Code Red II worm. Second, a prior model is built using training data. Third, the probabilistic model is built by the estimation of distribution algorithm. Fourth, the infection probability of nodes is inferred given the probability distribution and feature values at each time step. It has already been shown that the number of infectious nodes can be probabilistically approximated backward in time through the stochastic Back‐to‐Origin Markov model. We combine our first model with the prior stochastic Back‐to‐Origin Markov model to develop our second model. To evaluate our first and second models, we conducted experiments that show that these models can pinpoint the source node and the infection time of nodes with acceptable accuracy. It should be noted that our method could be employed with other propagating worm types including ransomware worms.

show abstract

“…From our prior research [3,25], we know that ensembles frequently beat vanilla classifiers. As a consequence, we decided to try out ensembles on our data.…”

Section: Ensemble Learningmentioning

confidence: 99%

CREATE: Clinical Record Analysis Technology Ensemble

Eglowski¹

View full text Add to dashboard Cite

CREATE: Clinical Record Analysis Technology Ensemble Skylar EglowskiIn this thesis, we describe an approach that won a psychiatric symptom severity prediction challenge. The challenge was to correctly predict the severity of psychiatric symptoms on a 4-point scale. Our winning submission uses a novel stacked machine learning architecture in which (i) a base data ingestion/cleaning step was followed by the (ii) derivation of a base set of features defined using text analytics, after which (iii) association rule learning was used in a novel way to generate new features, followed by a (iv) feature selection step to eliminate irrelevant features, followed by a (v) classifier training algorithm in which a total of 22 classifiers including new classifier variants of AdaBoost and RandomForest were trained on seven different data views, and (vi) finally an ensemble learning step, in which ensembles of best learners were used to improve on the accuracy of individual learners. All of this was tested via standard 10fold cross-validation on training data provided by the N-GRID challenge organizers, of which the three best ensembles were selected for submission to N-GRID's blind testing. The best of our submitted solutions garnered an overall final score of 0.863 according to the organizer's measure. All 3 of our submissions placed within the top 10 out of the 65 total submissions. The challenge constituted Track

show abstract

Ensemble Models for Data-driven Prediction of Malware Infections

Cited by 31 publications

References 22 publications

Predicting Impending Exposure to Malicious Content from User Behavior

Predicting Impending Exposure to Malicious Content from User Behavior

A probability distribution function for investigating node infection and removal times

CREATE: Clinical Record Analysis Technology Ensemble

Contact Info

Product

Resources

About