Stochastic identification of malware with dynamic traces

Storlie, Curtis B.; Anderson, Blake; Wiel, Scott Vander; Quist, Daniel; Hash, Curtis; Brown, Nathan

doi:10.1214/13-aoas703

Cited by 18 publications

(22 citation statements)

References 35 publications

(34 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Given Similarity > X FIGURE 4 The empirical probability that a pair of samples belong to the same family given that their global static trace similarity exceeds X.…”

Section: Same Family Probabilitymentioning

confidence: 99%

“…However, ref. [4] points out that the static trace of a program is not always available because it can be obscured if the program uses an unknown packer. If a program's static trace is available, it is possible to group the instructions into subroutines using an interactive disassembler, such as IDA Pro [5].…”

Section: Introductionmentioning

confidence: 99%

“…Whenever a suspicious piece of software is received, they would like to be able to identify any similar database entries in order to aid discovering the origin and purpose of the piece of malware. Currently, manually reverse engineering a piece of malware is a time-consuming task [4]. Because reverse engineering a piece of malware can be so time-consuming, the ability to quickly find similar programs in the database that have already been reverse engineered would improve efficiency and be helpful to a reverse engineer.…”

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

APT malware static trace analysis through bigrams and graph edit distance

Bolton

Anderson‐Cook

2017

Statistical Analysis

View full text Add to dashboard Cite

Research and business organizations are vulnerable to attack by malware, particularly advanced persistent threat malware tailored for a specific target. Malware identification is made more difficult because samples can be subtly altered to avoid detection by methods that check for an identical match to known code. Different versions of an original piece of malware form a malware family. When new malicious software is identified, reverse engineers seek to identify its origin and purpose. Knowing whether new malware is from a known family or a previously unobserved family aids the efficiency of reverse engineers. This article presents a three‐stage method to classify new malware into a family by comparing its similarity to existing static traces, and assigning it to the most similar family. First, a fast filtering method creates a shortlist of samples with some similarity to the new malware, using a simple bigram comparison of the instructions. The second stage takes the call graph view of the shortlisted static traces and uses simulated annealing to estimate the graph edit distance, a measure of dissimilarity between graphs. Finally, a random forest classifier combines the previous two results to predict the family to which a new sample belongs. The paper also considers how to detect when malware is from a new family.

show abstract

“…Given Similarity > X FIGURE 4 The empirical probability that a pair of samples belong to the same family given that their global static trace similarity exceeds X.…”

Section: Same Family Probabilitymentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

APT malware static trace analysis through bigrams and graph edit distance

Bolton

Anderson‐Cook

2017

Statistical Analysis

View full text Add to dashboard Cite

show abstract

“…Assembly instructions have had a lot of exposure in the literature [1,4,19,23]. This is a fundamental view of subroutines, and we make use of it in this work.…”

Section: Instructionsmentioning

confidence: 99%

Automating Reverse Engineering with Machine Learning Techniques

Anderson

Storlie

Yates

et al. 2014

Proceedings of the 2014 Workshop on Artificial Intelligent and Security Workshop

Self Cite

View full text Add to dashboard Cite

Malware continues to be an ongoing threat, with millions of unique variants created every year. Unlike the majority of this malware, Advanced Persistent Threat (APT) malware is created to target a specific network or set of networks and has a precise objective, e.g. exfiltrating sensitive data. While 0-day malware detectors are a good start, they do not help the reverse engineers better understand the threats attacking their networks. Understanding the behavior of malware is often a time sensitive task, and can take anywhere between several hours to several weeks. Our goal is to automate the task of identifying the general function of the subroutines in the function call graph of the program to aid the reverse engineers. Two approaches to model the subroutine labels are investigated, a multiclass Gaussian process and a multiclass support vector machine. The output of these methods is the probability that the subroutine belongs to a certain class of functionality (e.g., file I/O, exploit, etc.). Promising initial results, illustrating the efficacy of this method, are presented on a sample of 201 subroutines taken from two malicious families.

show abstract

“…Here, we evaluate the relative performance of five regularized linear regression models for prediction. The methods comprise the Least absolute shrinkage and selection operator (Lasso) [4][5], Ridge regression (RR) [5][6][7], Elastic net [5,[8][9][10],Relaxed lasso [11][12],Least Angle Regression(LARS) [13][14]. The claim and arrival of regularization models in various application fields, containing descriptor selection, associated to their use of penalties that eases fitting models with variables that run towards thousands, including many irrelevant to the response, far exceed the sample size, or are highly correlated, with high efficiency and prediction accuracy.…”

Section: Introductionmentioning

confidence: 99%