Using File Relationships in Malware Classification

Karampatziakis, Nikos; Stokes, Jack W.; Thomas, Anil; Marinescu, Mady

doi:10.1007/978-3-642-37300-8_1

Cited by 21 publications

(12 citation statements)

References 15 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…In total, we have 23,558 and 5,717 sequences for Cerber and Locky, respectively, with lengths between 2 to 30. We use n-gram analysis by mining the top-k popular bigram and trigram patterns from the sequences [9], [28]. We mine the actual patterns that would be obtained if no privacy were applied, and the patterns obtained after Sequence-CLDP is applied.…”

Section: Case Study #3: Inspecting Suspicious Activitymentioning

confidence: 99%

“…It can be argued that this nuanced domain has the potential to greatly benefit from an LDP-like protection mechanism. This is because many security products rely on information collected from their clients, with the required telemetry ranging from file occurrence information in file reputation systems [8], [9], [10] to heterogeneous security event information such as system calls and memory dumps in the context of Endpoint Detection and Response systems (see [11] for a survey on core behavioral detection techniques used by such systems). Nevertheless, clients are often reluctant to share such data fearing that it may reveal the applications they are running, the files they store, or the overall cyber hygiene of their devices.…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Secure and Utility-Aware Data Collection with Condensed Local Differential Privacy

Gürsoy

Tamersoy

Truex

et al. 2019

IEEE Trans. Dependable and Secure Comput.

View full text Add to dashboard Cite

Local Differential Privacy (LDP) is popularly used in practice for privacy-preserving data collection. Although existing LDP protocols offer high data utility for large user populations (100,000 or more users), they perform poorly in scenarios with small user populations (such as those in the cybersecurity domain) and lack perturbation mechanisms that are effective for both ordinal and non-ordinal item sequences while protecting sequence length and content simultaneously. In this paper, we address the small user population problem by introducing the concept of Condensed Local Differential Privacy (CLDP) as a specialization of LDP, and develop a suite of CLDP protocols that offer desirable statistical utility while preserving privacy. Our protocols support different types of client data, ranging from ordinal data types in finite metric spaces (numeric malware infection statistics), to non-ordinal items (OS versions, transaction categories), and to sequences of ordinal and non-ordinal items. Extensive experiments are conducted on multiple datasets, including datasets that are an order of magnitude smaller than those used in existing approaches, which show that proposed CLDP protocols yield higher utility compared to existing LDP protocols. Furthermore, case studies with Symantec datasets demonstrate that our protocols outperform existing protocols in key cybersecurity-focused tasks of detecting ransomware outbreaks, identifying targeted and vulnerable OSs, and inspecting suspicious activities on infected machines.

show abstract

Section: Case Study #3: Inspecting Suspicious Activitymentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

Secure and Utility-Aware Data Collection with Condensed Local Differential Privacy

Gürsoy

Tamersoy

Truex

et al. 2019

IEEE Trans. Dependable and Secure Comput.

View full text Add to dashboard Cite

show abstract

“…In static approach, a malicious program is differentiated from benign programs using those features which can be extracted from the program binary, such as bytes read from the file [3], operational codes (opcodes) extracted from disassembled programs [8], [10], etc. Due to the limitations of static approaches against malware obfuscation techniques, which change the appearance of a program's code without changing its action, dynamic approach was proposed [11] which involves executing a given program and observing its behavior with respect to some dynamic aspects such as system calls [5], [12] and ASCII strings present in a process' memory [7], [13], etc. In addition, hybrid approach has also been proposed in the literature, where static and dynamic features are jointly used to represent a program [14], [15].…”

Section: Introductionmentioning

confidence: 99%

Similarity-Based Malware Classification Using Hidden Markov Model

Imran

Afzal

Qadir

2015

2015 Fourth International Conference on Cyber Security, Cyber Warfare, and Digital Forensic (CyberSec)

View full text Add to dashboard Cite

The problem of malware classification has gained the attention of cyber security community due to the following facts: (1) thousands of new malware are generated every day (2) the global losses caused by malware are in billions of dollars every year. In this paper a novel malware classification scheme is proposed that is based on Hidden Markov Models (HMMs) and discriminative classifiers. Sequences of system calls generated by malware during execution are represented as observation sequences to train the HMMs. Individual malware samples are then evaluated against these models to generate similarity vectors, which are used to predict the class label for an unknown sample by training a discriminative classifier. Our novel combination of HMMs, dynamic program features and discriminative classifier has shown promising results in experiments performed using system call logs of real malware.

show abstract

“…However, such techniques mostly utilize local features either statically or dynamically extracted from file samples, while rarely investigating relations among file samples for malware detection. Recently, features beyond file content are starting to be leveraged for malware detection [149,25,121,72], such as machine-to-file relations [25] and file-to-file relations (e.g., file co-existence) [149,121], which provide invaluable insight about the properties of file samples [149]. In this dissertation, we take a further step to delve deeper into the relationship characteristics of malware and benign files, and investigate how we can construct the file-to-file relation graph between malware and benign file, what graph-based features, relationship characteristics, and representations can be employed for malware detection, and how we can build effective learning frameworks over graph for malware detection.…”

Section: Resultsmentioning

confidence: 99%

“…Ignoring the relations among file samples is a significant limitation of current malware detection methods. Recently, features beyond file content are starting to be leveraged to curb the security threats that malware poses [149,25,121,72], such as machine-to-file relations [25] and file-to-file relations (e.g., file co-existence) [149,121], which provide invaluable insight about the properties of file samples [149]. However, much needs to be done to take full advantage of the relationships of malware and benign files (i.e., malware-malware, malware-benign, benign-benign relations).…”

Section: Acknowledgmentsmentioning

confidence: 99%

Intelligent Malware Detection Using File-to-file Relations and Enhancing its Security against Adversarial Attacks

Chen¹

View full text Add to dashboard Cite

Intelligent Malware Detection Using File-to-file Relations and Enhancing its Security against Adversarial Attacks Lingwei Chen With computing devices and the Internet being indispensable in people's everyday life, malware has posed serious threats to their security, making its detection of utmost concern. To protect legitimate users from the evolving malware attacks, machine learning-based systems have been successfully deployed and offer unparalleled flexibility in automatic malware detection. In most of these systems, resting on the analysis of different content-based features either statically or dynamically extracted from the file samples, various kinds of classifiers are constructed to detect malware. However, besides content-based features, file-to-file relations, such as file coexistence , can provide valuable information in malware detection and make evasion harder. To better understand the properties of file-to-file relations, we construct the file coexistence graph. Resting on the constructed graph, we investigate the semantic relatedness among files, and leverage graph inference, active learning and graph representation learning for malware detection. Comprehensive experimental results on the real sample collections from Comodo Cloud Security Center demonstrate the effectiveness of our proposed learning paradigms. As machine learning-based detection systems become more widely deployed, the incentive for defeating them increases. Therefore, we go further insight into the arms race between adversarial malware attack and defense, and aim to enhance the security of machine learning-based malware detection systems. In particular, we first explore the adversarial attacks under different scenarios (i.e., different levels of knowledge the attackers might have about the targeted learning system), and define a general attack strategy to thoroughly assess the adversarial behaviors. Then, considering different skills and capabilities of the attackers, we propose the corresponding secure-learning paradigms to counter the adversarial attacks and enhance the security of the learning systems while not compromising the detection accuracy. We conduct a series of comprehensive experimental studies based on the real sample collections from Comodo Cloud Security Center and the promising results demonstrate the effectiveness of our proposed securelearning models, which can be readily applied to other detection tasks. Contents Acknowledgments iii List of Figures vi List of Tables ix List of Notations x List of Acronyms xii List of Figures vii 4.2 Different scenarios of the adversarial attacks. With the direction of the inward arrow, the adversarial attacks are depicted with the knowledge of (X,D), (X, D), and (X, D, f

show abstract

Using File Relationships in Malware Classification

Cited by 21 publications

References 15 publications

Secure and Utility-Aware Data Collection with Condensed Local Differential Privacy

Secure and Utility-Aware Data Collection with Condensed Local Differential Privacy

Similarity-Based Malware Classification Using Hidden Markov Model

Intelligent Malware Detection Using File-to-file Relations and Enhancing its Security against Adversarial Attacks

Contact Info

Product

Resources

About