Malware Analysis and attribution using Genetic Information

Pfeffer, Avi; Call, Catherine; Chamberlain, John; Kellogg, Lee; Ouellette, Jacob; Patten, Terry; Zacharias, Greg L.; Lakhotia, Arun; Golconda, Suresh; Bay, John S.; Hall, Robert T.; Scofield, Daniel

doi:10.1109/malware.2012.6461006

Cited by 40 publications

(14 citation statements)

References 4 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Moreover, we plan to investigate also the field of semantic features. Works like Reference [22] show how it is possible to use semantic features to determining malware similarity and the temporal ordering of malware, generating also malware lineages. We believe that these information can heavily help to detect and identifying malware developed by APTs, with the addition of highlighting the evolution of the tools used by attackers to perform their activities.…”

Section: Execution Timementioning

confidence: 99%

Malware Triage for Early Identification of Advanced Persistent Threat Activities

2020

View full text Add to dashboard Cite

In the past decade, a new class of cyber-threats, known as "Advanced Persistent Threat" (APT), has emerged and has been used by different organizations to perform dangerous and effective attacks against financial and politic entities, critical infrastructures, and so on. To identify APT related malware early, a semi-automatic approach for malware samples analysis is needed. Recently, a malware triage step for a semi-automatic malware analysis architecture has been introduced. This step identifies incoming APT samples early, among all the malware delivered per day in the cyber-space, to immediately dispatch them to deeper analysis. In the article, the authors have built the knowledge base on known APTs obtained from publicly available reports. For efficiency reasons, they rely on static malware features, extracted with negligible delay, and use machine learning techniques for the identification. Unfortunately, the proposed solution has the disadvantage of requiring a long training time and needs to be completely retrained each time new APT samples or even a new APT class are discovered. In this article, we move from multi-class classification to a group of one-class classifiers, which significantly decreases runtime and allows higher modularity, while still guaranteeing precision and accuracy over 90%. CCS Concepts: • Social and professional topics → Malware/spyware crime;

show abstract

Section: Execution Timementioning

confidence: 99%

Malware Triage for Early Identification of Advanced Persistent Threat Activities

2020

View full text Add to dashboard Cite

show abstract

“…The work of Pfeffer et al [ 6 ] examines information obtained via both static and dynamic analysis of malware samples in order to organize code samples into lineages indicative of the order in which samples were derived from each other.…”

Section: Background and Related Workmentioning

confidence: 99%

End-to-End Deep Neural Networks and Transfer Learning for Automatic Analysis of Nation-State Malware

Rosenberg¹,

Sicard²,

David³

2018

Entropy

View full text Add to dashboard Cite

Malware allegedly developed by nation-states, also known as advanced persistent threats (APT), are becoming more common. The task of attributing an APT to a specific nation-state or classifying it to the correct APT family is challenging for several reasons. First, each nation-state has more than a single cyber unit that develops such malware, rendering traditional authorship attribution algorithms useless. Furthermore, the dataset of such available APTs is still extremely small. Finally, those APTs use state-of-the-art evasion techniques, making feature extraction challenging. In this paper, we use a deep neural network (DNN) as a classifier for nation-state APT attribution. We record the dynamic behavior of the APT when run in a sandbox and use it as raw input for the neural network, allowing the DNN to learn high level feature abstractions of the APTs itself. We also use the same raw features for APT family classification. Finally, we use the feature abstractions learned by the APT family classifier to solve the attribution problem. Using a test set of 1000 Chinese and Russian developed APTs, we achieved an accuracy rate of 98.6%

show abstract

“…Because we acquired statistical data through static analysis for the detection and classification of malware, this information was used as features in machine learning. Many features extracted by static methods, such as byte sequence [31], strings [31,43], DLL [31], n-gram [35], grayscale images [38], control flow graph (CFG) [39], function length frequency [40], PE header [41,42], mnemonics [49,50], API call [51][52][53][54], and opcode [8,[44][45][46][47], have typically been leveraged to detect and classify malware using machine learning. We select opcode as a core feature to distinguish malware from benign samples during execution.…”

Section: Machine Learning-based Analysismentioning

confidence: 99%

Machine Learning Framework to Analyze IoT Malware Using ELF and Opcode Features

et al. 2020

View full text Add to dashboard Cite

Threats to devices that are part of the Internet of Things (IoT) are on the rise. Owing to the overwhelming diversity of IoT hardware and software, as well as its variants, conventional anti-virus techniques based on the Windows paradigm cannot be applied directly to counter threats to the IoT devices. In this article, we propose a framework that can efficiently analyze IoT malware in a wide range of environments. It consists of a universal feature representation obtained by static analysis of the malware and a machine learning scheme that first detects the malware and then classifies it into a known category. The framework was evaluated by applying it to a recently developed dataset consisting of more than 6,000 IoT malware samples collected from the HoneyPot project. The results show that the proposed method can obtain near-optimal accuracy in terms of the detection and classification of malware targeting IoT devices. CCS Concepts: • Security and privacy → Software reverse engineering; Malware and its mitigation;

show abstract

Malware Analysis and attribution using Genetic Information

Cited by 40 publications

References 4 publications

Malware Triage for Early Identification of Advanced Persistent Threat Activities

Malware Triage for Early Identification of Advanced Persistent Threat Activities

End-to-End Deep Neural Networks and Transfer Learning for Automatic Analysis of Nation-State Malware

Machine Learning Framework to Analyze IoT Malware Using ELF and Opcode Features

Contact Info

Product

Resources

About