Malware Triage Based on Static Features and Public APT Reports

Laurenza, Giuseppe; Aniello, Leonardo; Lazzeretti, Riccardo; Baldoni, Roberto

doi:10.1007/978-3-319-60080-2_21

Cited by 20 publications

(25 citation statements)

References 17 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…In this section, we define the methodologies that lead us to define the proposed framework with high performances. In particular, in Section 4.1, we explain the feature extraction process, in Sections 4.2 and 4.3, we respectively discuss the RFT multi-class methodology proposed by Laurenza et al [11] and the one-class classification approach through which we implement the malware triage.…”

Section: Methodsmentioning

confidence: 99%

“…In fact, this so-called negative class has a cardinality of several orders of magnitude bigger than the set of APT samples, and there is a large variety among its samples. Thus, the result in terms of accuracy and precision are very poor, and for this reason in Reference [11] the authors proposed a Random Forest-based triage (RFT) approach. They trained their model on a knowledge base built upon a collection of ATPs' related reports publicly released by cyber-security firms.…”

Section: Contributionmentioning

confidence: 99%

“…In the previous malware triage work [11], the authors aim to recognize malware developed by APTs, but, contrary to the other described works, they focus on the sample analysis instead of the malware activity observed during the infection. The work achieves high precision and very high accuracy in detecting the ownership of this kind of malware but suffers the problem highlighted in Section 1.…”

Section: Apt Detectionmentioning

confidence: 99%

See 2 more Smart Citations

Malware Triage for Early Identification of Advanced Persistent Threat Activities

2020

Self Cite

View full text Add to dashboard Cite

In the past decade, a new class of cyber-threats, known as "Advanced Persistent Threat" (APT), has emerged and has been used by different organizations to perform dangerous and effective attacks against financial and politic entities, critical infrastructures, and so on. To identify APT related malware early, a semi-automatic approach for malware samples analysis is needed. Recently, a malware triage step for a semi-automatic malware analysis architecture has been introduced. This step identifies incoming APT samples early, among all the malware delivered per day in the cyber-space, to immediately dispatch them to deeper analysis. In the article, the authors have built the knowledge base on known APTs obtained from publicly available reports. For efficiency reasons, they rely on static malware features, extracted with negligible delay, and use machine learning techniques for the identification. Unfortunately, the proposed solution has the disadvantage of requiring a long training time and needs to be completely retrained each time new APT samples or even a new APT class are discovered. In this article, we move from multi-class classification to a group of one-class classifiers, which significantly decreases runtime and allows higher modularity, while still guaranteeing precision and accuracy over 90%. CCS Concepts: • Social and professional topics → Malware/spyware crime;

show abstract

Section: Methodsmentioning

confidence: 99%

Section: Contributionmentioning

confidence: 99%

Section: Apt Detectionmentioning

confidence: 99%

See 1 more Smart Citation

Malware Triage for Early Identification of Advanced Persistent Threat Activities

2020

Self Cite

View full text Add to dashboard Cite

show abstract

“…There are a number of features in a binary to support this process: and shares some aspects with malware similarity analysis, as they both provide key information to support malware analysis prioritisation. Anyway, they are different because triage requires faster results at the cost of worse accuracy, hence different techniques are usually employed [75,77,101,86].…”

Section: Malware Attributionmentioning

confidence: 99%

Survey of machine learning techniques for malware analysis

Ucci

Aniello

Baldoni

2019

Computers & Security

Self Cite

394

189

View full text Add to dashboard Cite

Coping with malware is getting more and more challenging, given their relentless growth in complexity and volume. One of the most common approaches in literature is using machine learning techniques, to automatically learn models and patterns behind such complexity, and to develop technologies to keep pace with malware evolution. This survey aims at providing an overview on the way machine learning has been used so far in the context of malware analysis in Windows environments, i.e. for the analysis of Portable Executables. We systematize surveyed papers according to their objectives (i.e., the expected output), what information about malware they specifically use (i.e., the features), and what machine learning techniques they employ (i.e., what algorithm is used to process the input and produce the output). We also outline a number of issues and challenges, including those concerning the used datasets, and identify the main current topical trends and how to possibly advance them. In particular, we introduce the novel concept of malware analysis economics, regarding the study of existing trade-offs among key metrics, such as analysis accuracy and economical costs.

show abstract

“…There have been many studies on the detection and analysis of malware using machine learning that study fine-grained features [34], deep learning [35][36][37], dynamic features [38], static features [36,39], concept drift [40], predicting signatures [41], hybrid framework [42], malware metadata [43], reverse engineering of large datasets of binaries [44].…”

mentioning

confidence: 99%

A Survey on Malware Detection and Analysis Tools

Talukder¹,

Talukder²

2020

IJNSA

View full text Add to dashboard Cite

The huge amounts of data and information that need to be analyzed for possible malicious intent are one of the big and significant challenges that the Web faces today. Malicious software, also referred to as malware developed by attackers, is polymorphic and metamorphic in nature which can modify the code as it spreads. In addition, the diversity and volume of their variants severely undermine the effectiveness of traditional defenses that typically use signature-based techniques and are unable to detect malicious executables previously unknown. Malware family variants share typical patterns of behavior that indicate their origin and purpose. The behavioral trends observed either statically or dynamically can be manipulated by using machine learning techniques to identify and classify unknown malware into their established families. This survey paper gives an overview of the malware detection and analysis techniques and tools.

show abstract

Malware Triage Based on Static Features and Public APT Reports

Cited by 20 publications

References 17 publications

Malware Triage for Early Identification of Advanced Persistent Threat Activities

Malware Triage for Early Identification of Advanced Persistent Threat Activities

Survey of machine learning techniques for malware analysis

A Survey on Malware Detection and Analysis Tools

Contact Info

Product

Resources

About