Malware Triage for Early Identification of Advanced Persistent Threat Activities

Laurenza, Giuseppe; Lazzeretti, Riccardo; Mazzotti, Luca

doi:10.1145/3386581

Cited by 16 publications

(30 citation statements)

References 17 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…This concurs with the rest of the field [50,22,58,77,44]. Seven papers consider three alternative ML methods: clustering, anomaly detection and structured prediction techniques [106,66,80,78,7,8,47]. We explore these further as they show promise towards the open-world problem.…”

Section: Data Modeling Techniquessupporting

confidence: 69%

“…Our search criteria looked for work which addressed the problem of binary and malware authorship attribution. We omitted any papers which performed a binary classification on malware and contained no significant contribution on authorship styles to malicious files, e.g., we omit the paper [65] as this classifies malware into APT group or non-APT group but we include [66] as this classifies malware into specific APT groups. We identified eighteen papers which possess a significant relationship with MAA, and we contacted all authors whose systems were not publicly available.…”

Section: Malware Binary Authorship Attributionmentioning

confidence: 99%

See 1 more Smart Citation

Identifying Authorship Style in Malicious Binaries: Techniques, Challenges & Datasets

Gray,

Sgandurra,

Cavallaro

2021

Preprint

View full text Add to dashboard Cite

Attributing a piece of malware to its creator typically requires threat intelligence. Binary attribution increases the level of difficulty as it mostly relies upon the ability to disassemble binaries to identify authorship style. Our survey explores malicious author style and the adversarial techniques used by them to remain anonymous. We examine the adversarial impact on the state-of-the-art methods. We identify key findings and explore the open research challenges. To mitigate the lack of ground truth datasets in this domain, we publish alongside this survey the largest and most diverse metainformation dataset of 15,660 malware labeled to 164 threat actor groups.

show abstract

Section: Data Modeling Techniquessupporting

confidence: 69%

Section: Malware Binary Authorship Attributionmentioning

confidence: 99%

Identifying Authorship Style in Malicious Binaries: Techniques, Challenges & Datasets

Gray,

Sgandurra,

Cavallaro

2021

Preprint

View full text Add to dashboard Cite

show abstract

“…However, the method to judge the priority of API is based on prior knowledge, which may lead to a deviation. Laurenza et al [3] relied on the static characteristics of malware and designed a malware classification framework based on the concept of isolation forest learning. ey trained each isolation forest with specific APT samples using only static features.…”

Section: Related Workmentioning

confidence: 99%

“…Similar to traditional network attacks, APT attackers must use malware as attack weapons to attack in cyberspace [2]. However, unlike traditional network attacks, APT attacks will use some independent development malware to achieve specific purposes against different targets [3]. is malware is collectively called APT malware [4].…”

Section: Introductionmentioning

confidence: 99%

“…Currently, there are two methods for solving this problem: dynamic and static analyses [9]. It means training the classification model by extracting dynamic or static features [2,3,7,8,10,11]. Static analysis technology can inspect executable programs without actual execution samples; the main advantage it has is that it is not affected by execution expenses, whereas dynamic analysis is to observe executable programs in real or virtual execution environments and monitor actual malicious acts [12].…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Toward Identifying APT Malware through API System Calls

Wei

Guo

et al. 2021

Security and Communication Networks

View full text Add to dashboard Cite

Self-developed malware was usually used by advanced persistent threat (APT) attackers to launch APT attacks. Therefore, we can enhance the understanding and cognition of APT attacks by comprehending the behavior of APT malware. Unfortunately, the current research cannot effectively explain the relationship between the recognition, detection, and defense of APT. The model of similar studies also lacks an explanation about it. To defend against APT attacks and inquire about the similarity of different APT attacks, this study proposes an APT malware classification method based on a combination of multiple deep learning algorithms and transfer learning by collecting malware used in several famous APT groups in public. By extracting the application programming interface (API) system calls, with the vector representation of features by combining dynamic LSTM and attention algorithm, we can obtain API at different APT families classification contributions trained dynamic. Thus, we used transfer learning to perform multiple classifications of the APT family. This study aims to reduce the burden of network security staff from reviewing a large number of suspicious files when defending against APT attacks. Additionally, it can effectively intercept them in the initial invasion stage of APT to perform targeted defense against specific APT attacks by combining threat intelligence in public. The experimental result shows that the proposed method can achieve 99.2% in distinguishing common malware from APT malware and assign APT malware to different APT families with an accuracy of 95.5%.

show abstract

Early DGA-based botnet identification: pushing detection to the edges

Zago

Pérez

2021

Cluster Comput

View full text Add to dashboard Cite

With the first commercially available 5G infrastructures, worldwide's attention is shifting to the next generation of theorised technologies that might be finally deployable. In this context, the cybersecurity of edge equipment and end-devices must be a top priority as botnets see their spread remarkably increase. Most of them rely on algorithmically generated domain names (AGDs) to evade detection and remain shrouded from intrusion detection systems, via the so-called Domain Generation Algorithm (DGA). Despite the issue, by applying concepts such as distributed computing and federated learning, the cybersecurity community has prototyped and developed dynamic and scalable solutions that leverage the increased capabilities and connectivity of edge devices. This article proposes a lightweight and privacy-preserving framework that pushes the intelligence modules to the edges aiming to achieve early DGA-based botnet detection in mobile and edge-oriented scenarios. Experimental results prove the deployability of such architecture at all levels, including resourceconstrained end-devices.

show abstract

Malware Triage for Early Identification of Advanced Persistent Threat Activities

Cited by 16 publications

References 17 publications

Identifying Authorship Style in Malicious Binaries: Techniques, Challenges & Datasets

Identifying Authorship Style in Malicious Binaries: Techniques, Challenges & Datasets

Toward Identifying APT Malware through API System Calls

Early DGA-based botnet identification: pushing detection to the edges

Contact Info

Product

Resources

About