Machine learning for computer security: A guide to prospective authors

Giacinto, Giorgio; Dasarathy, Belur V.

doi:10.1016/j.inffus.2011.02.001

Cited by 4 publications

(1 citation statement)

References 3 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…However, all approaches to malware grouping run into different versions of the same set of problems. Malware is written by an active adversary who attempts to evade and mislead analysts, including complex code obfuscations and misdirection via code theft to slow analysts and thwart automation [27,28,29,30]. Even standard countermeasures such as packing, which hides the original source code of a program from static analysis, are poorly understood and difficult to circumvent [31].…”

Section: Malware Dataset Labeling Strategiesmentioning

confidence: 99%

MOTIF: A Large Malware Reference Dataset with Ground Truth Family Labels

Joyce¹,

Amlani²,

Nicholas³

et al. 2021

Preprint

View full text Add to dashboard Cite

Malware family classification is a significant issue with public safety and research implications that has been hindered by the high cost of expert labels. The vast majority of corpora use noisy labeling approaches that obstruct definitive quantification of results and study of deeper interactions. In order to provide the data needed to advance further, we have created the Malware Open-source Threat Intelligence Family (MOTIF) dataset. MOTIF contains 3,095 malware samples from 454 families, making it the largest and most diverse public malware dataset with ground truth family labels to date, nearly 3× larger than any prior expert-labeled corpus and 36× larger than the prior Windows malware corpus. MOTIF also comes with a mapping from malware samples to threat reports published by reputable industry sources, which both validates the labels and opens new research opportunities in connecting opaque malware samples to human-readable descriptions. This enables important evaluations that are normally infeasible due to non-standardized reporting in industry. For example, we provide aliases of the different names used to describe the same malware family, allowing us to benchmark for the first time accuracy of existing tools when names are obtained from differing sources. Evaluation results obtained using the MOTIF dataset indicate that existing tasks have significant room for improvement, with accuracy of antivirus majority voting measured at only 62.10% and the well-known AVClass [1] tool having just 46.78% accuracy. Our findings indicate that malware family classification suffers a type of labeling noise unlike that studied in most ML literature, due to the large open set of classes that may not be known from the sample under consideration [2,

show abstract