MalPhase: Fine-Grained Malware Detection Using Network Flow Data

Piskozub, Michal; Gaspari, Fabio De; Barr-Smith, Frederick; Mancini, Luigi V.; Martinovic, Ivan

doi:10.1145/3433210.3453101

Cited by 18 publications

(17 citation statements)

References 33 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…At first sight, these techniques seem to hold great promise: the behavior of malware differs significantly from that of benign processes and MLbased behavioral models can easily and reliably exploit this difference to distinguish between these two classes of processes. Moreover, behavioral-based approaches are also able to correctly detect unseen malware samples, as long as these new samples exhibit some form of anomalous behavior with respect to benign processes, as showed by several recent works [4][5][6][7][8]. Finally, behavioral detectors generally use malware features arising from operations that are required to achieve the desired malicious behavior, and therefore are extremely hard to disguise or evade.…”

Section: Introductionmentioning

confidence: 99%

Evading behavioral classifiers: a comprehensive analysis on evading ransomware detection techniques

Gaspari

Hitaj

Pagnotta

et al. 2022

Neural Comput & Applic

Self Cite

View full text Add to dashboard Cite

Recent progress in machine learning has led to promising results in behavioral malware detection. Behavioral modeling identifies malicious processes via features derived by their runtime behavior. Behavioral features hold great promise as they are intrinsically related to the functioning of each malware, and are therefore considered difficult to evade. Indeed, while a significant amount of results exists on evasion of static malware features, evasion of dynamic features has seen limited work. This paper examines the robustness of behavioral ransomware detectors to evasion and proposes multiple novel techniques to evade them. Ransomware behavior differs significantly from that of benign processes, making it an ideal best case for behavioral detectors, and a difficult candidate for evasion. We identify and propose a set of novel attacks that distribute the overall malware workload across a small set of independent, cooperating processes in order to avoid the generation of significant behavioral features. Our most effective attack decreases the accuracy of a state-of-the-art classifier from 98.6 to 0% using only 18 cooperating processes. Furthermore, we show our attacks to be effective against commercial ransomware detectors in a black-box setting. Finally, we evaluate a detector designed to identify our most effective attack, as well as discuss potential directions to mitigate our most advanced attack.

show abstract

Section: Introductionmentioning

confidence: 99%

Evading behavioral classifiers: a comprehensive analysis on evading ransomware detection techniques

Gaspari

Hitaj

Pagnotta

et al. 2022

Neural Comput & Applic

Self Cite

View full text Add to dashboard Cite

show abstract

“… The datasets collection enables researchers to experiment with DNS over HTTPS traffic recognition and pattern analysis. However, since the data are provided in raw packet captures, it can be suitable for other network traffic analysis tasks, e.g., it can be also used as a real-world benign traffic sample in malware identification challenges [10] , [11] . The datasets provide a large and unique combination of labeled traffic.…”

Section: Value Of the Datamentioning

confidence: 99%

Collection of datasets with DNS over HTTPS traffic

et al. 2022

View full text Add to dashboard Cite

“…AE are composed of two parts: the encoder, which compresses the original feature vector into the latent representation, and the decoder, which takes the output of the encoder and reconstructs the input. AE are generally used to extract robust features from a feature vector and aid classification [37], [38]. In our third architecture, we use the encoder portion of a trained autoencoder to pre-process samples into a compressed latent representation, which is then used as input by a fullyconnected NN.…”

Section: Model Architecture Extension: Autoencodersmentioning

confidence: 99%

Reliable Detection of Compressed and Encrypted Data

Gaspari

Hitaj

Pagnotta

et al. 2021

Preprint

Self Cite

View full text Add to dashboard Cite

Several cybersecurity domains, such as ransomware detection, forensics and data analysis, require methods to reliably identify encrypted data fragments. Typically, current approaches employ statistics derived from byte-level distribution, such as entropy estimation, to identify encrypted fragments. However, modern content types use compression techniques which alter data distribution pushing it closer to the uniform distribution. The result is that current approaches exhibit unreliable encryption detection performance when compressed data appears in the dataset. Furthermore, proposed approaches are typically evaluated over few data types and fragment sizes, making it hard to assess their practical applicability.This paper compares existing statistical tests on a large, standardized dataset and shows that current approaches consistently fail to distinguish encrypted and compressed data on both small and large fragment sizes. We address these shortcomings and design ENCOD, a learning-based classifier which can reliably distinguish compressed and encrypted data. We evaluate ENCOD on a dataset of 16 different file types and fragment sizes ranging from 512B to 8KB. Our results highlight that ENCOD outperforms current approaches by a wide margin, with accuracy ranging from ∼ 82% for 512B fragments up to ∼ 92% for 8KB data fragments. Moreover, ENCOD can pinpoint the exact format of a given data fragment, rather than performing only binary classification like previous approaches.

show abstract

MalPhase: Fine-Grained Malware Detection Using Network Flow Data

Cited by 18 publications

References 33 publications

Evading behavioral classifiers: a comprehensive analysis on evading ransomware detection techniques

Evading behavioral classifiers: a comprehensive analysis on evading ransomware detection techniques

Collection of datasets with DNS over HTTPS traffic

Reliable Detection of Compressed and Encrypted Data

Contact Info

Product

Resources

About