Maat

Salem, Aleieldin; Bănescu, Sebastian; Pretschner, Alexander

doi:10.1145/3465361

Cited by 24 publications

(7 citation statements)

References 26 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…To build a ground truth dataset of Indicator objects, we retrieve scanning reports from three services: VirusTotal, HybridAnalysis, and MetaDefender, which are widely used to validate threat indicators [28], [38], [37], [21], [55]. For each attribute type (i.e., malware hashes, domains, URLs, and IP addresses), VirusTotal and MetaDefender provide detection results from various anomaly detection engines, and HybridAnalysis provides a threat score with three status tags (i.e., malicious, suspicious, and no specific threat).…”

Section: A Improper Valuementioning

confidence: 99%

Sharing cyber threat intelligence: Does it really help?

Jin,

Kim,

Lee

et al. 2024

Proceedings 2024 Network and Distributed System Security Symposium

View full text Add to dashboard Cite

The sharing of Cyber Threat Intelligence (CTI) across organizations is gaining traction, as it can automate threat analysis and improve security awareness. However, limited empirical studies exist on the prevalent types of cybersecurity threat data and their effectiveness in mitigating cyber attacks. We propose a framework named CTI-Lense to collect and analyze the volume, timeliness, coverage, and quality of Structured Threat Information eXpression (STIX) data, a de facto standard CTI format, from a list of publicly available CTI sources. We collected about 6 million STIX data objects from October 31, 2014 to April 10, 2023 from ten data sources and analyzed their characteristics. Our analysis reveals that STIX data sharing has steadily increased in recent years, but the volume of STIX data shared is still relatively low to cover all cyber threats. Additionally, only a few types of threat data objects have been shared, with malware signatures and URLs accounting for more than 90% of the collected data. While URLs are usually shared promptly, with about 72% of URLs shared earlier than or on the same day as VirusTotal, the sharing of malware signatures is significantly slower. Furthermore, we found that 19% of the Threat actor data contained incorrect information, and only 0.09% of the Indicator data provided security rules to detect cyber attacks. Based on our findings, we recommend practical considerations for effective and scalable STIX data sharing among organizations.

show abstract

Section: A Improper Valuementioning

confidence: 99%

Sharing cyber threat intelligence: Does it really help?

Jin,

Kim,

Lee

et al. 2024

Proceedings 2024 Network and Distributed System Security Symposium

View full text Add to dashboard Cite

show abstract

“…As a result, the platform user must choose how to interpret this information to determine if a file is malicious. There are no standard procedures for interpreting scan results from Virus Total to directly tag applications [32]. In this study, malicious files were detected using the signature-based detection method with Virus Total's assist, and the anti-virus programs' responses were evaluated.…”

Section: Evaluation Of Malwarementioning

confidence: 99%

Analysis of Malicious Files Gathering via Honeypot Trap System and Benchmark of Anti-Virus Software

BASER,

GUVEN,

AYDIN

2023

Preprint

View full text Add to dashboard Cite

In an era dominated by the pervasive integration of digital technologies, the surge in cyber threats is increasingly conspicuous. Cyber attackers employ malicious software (Malware) to compromise data integrity and exploit system resources. Tactics include transforming devices into remotely controlled assets or extorting ransom through data encryption. While end users commonly resort to antivirus software with signature-based detection, the protracted and dangered of malware detection necessitates alternative approaches. This study addresses this need by utilizing a honeypot trap system on Google Cloud to analyze suspicious files uploaded by attackers. Evaluated through a signature-based method, these files using 64 antivirus programs underscore the inadequacy of relying solely on this approach, with only three exhibiting success rates exceeding 90%. The majority, 61 antivirus programs, showed success rates predominantly below 70%. This underscores a crucial conclusion: sole reliance on signature-based security falls short in combating contemporary cyber threats. The study advocates for diverse detection techniques, independent or concurrent with signature-based methods, to fortify cybersecurity. The repository containing the honeypot-collected malicious files and Python script is publicly available on Github, serving as a valuable research resource.

show abstract

“…First of all, no standards exist on how to interpret the scan results. Several researchers use threshold-based labeling strategies but these thresholds are inconsistent over time as the set and version of scanners used changes [8]. Salem et al propose a machine learning-based labeling schema that outperforms this threshold-based strategy [8].…”

Section: Related Workmentioning

confidence: 99%

“…Peng et al show that phishing detection is difficult for most vendors, that scanning results are not updated immediately and that third-party vendors often not permit to use all functionality or to access the most updated blacklists [10]. While the evaluation and benchmarking of VirusTotal is out of scope for this work, we refer to [8], [9], [11]- [13] for more details.…”

Section: Related Workmentioning

confidence: 99%

“…Perhaps we still miss some of these corner cases. Nonetheless, the construction of adversarial examples that meets the above complex constraints is not as straightforward as is the case for creating adversarial images with algorithms like Fast Gradient Sign Method (FGSM) or Projected Gradient Descent (PGD) using a toolbox like Clever-Hans 7 or the Adversarial Robustness Toolbox (ART) 8 . In our application area, there is no immediate notion of "Gradient" to guide the creation of adversarial examples against our ensemble model.…”

Section: Security Threats Against the ML Pipelinementioning

confidence: 99%

See 1 more Smart Citation

Applying Machine Learning to use security oracles: a case study in virus and malware detection

Preuveneers

Lavens

Joosen

2022

2022 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW)

View full text Add to dashboard Cite

Machine Learning (ML) has a significant potential to enhance the security posture of an organization by improving threat detection and discovery. The growing quality and quantity of data through measurements creates opportunities in this context. However, when an organization does not have sufficient labeled data to make predictions, it can rely on third parties for expert advise. In this work, we present a real-world case study of a company offering security services to other businesses on top of its portfolio of internal security assets. The security provider adopts ML to learn when to cost-effectively invoke a third party service/oracle (i.e. VirusTotal), first to boost its own detection rate in order to protect its customers, and second to obtain new ground truth to further optimize its future oracle use, all under fixed query budget constraints. While the decision making of the ML system was very successful in terms of avoiding false positives and false negatives, we nonetheless identified several security challenges when adopting ML for a cost-effective use of security oracles. We evaluate our ML solution on real data, elicit various lessons learned about the increased attack surface when using ML in security applications, and identify countermeasures to secure this ML pipeline.

show abstract

Maat

Cited by 24 publications

References 26 publications

Sharing cyber threat intelligence: Does it really help?

Sharing cyber threat intelligence: Does it really help?

Analysis of Malicious Files Gathering via Honeypot Trap System and Benchmark of Anti-Virus Software

Applying Machine Learning to use security oracles: a case study in virus and malware detection

Contact Info

Product

Resources

About