Would a File by Any Other Name Seem as Malicious?

Nguyen, André T.; Raff, Edward; Sant-Miller, Aaron

doi:10.1109/bigdata47090.2019.9006132

Cited by 3 publications

(2 citation statements)

References 19 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…These models typically consist of neural networks that determine whether or not a given binary is malicious or benign based on various, defining features of that binary. For instance, certain models run inference over PE header values, assembly code, network traffic, and even the names of binaries [2,36]. Others follow a dynamic approach and perform manual feature engineering of API calls [37].…”

Section: Background and Related Workmentioning

confidence: 99%

Marvolo: Programmatic Data Augmentation for Practical ML-Driven Malware Detection

Wong¹,

Raff²,

Holt³

et al. 2022

Preprint

Self Cite

View full text Add to dashboard Cite

Data augmentation has been rare in the cyber security domain due to technical difficulties in altering data in a manner that is semantically consistent with the original data. This shortfall is particularly onerous given the unique difficulty of acquiring benign and malicious training data that runs into copyright restrictions, and that institutions like banks and governments receive targeted malware that will never exist in large quantities. We present MARVOLO, a binary mutator that programmatically grows malware (and benign) datasets in a manner that boosts the accuracy of ML-driven malware detectors. MARVOLO employs semantics-preserving code transformations that mimic the alterations that malware authors and defensive benign developers routinely make in practice , allowing us to generate meaningful augmented data. Crucially, semantics-preserving transformations also enable MARVOLO to safely propagate labels from original to newly-generated data samples without mandating expensive reverse engineering of binaries. Further, MARVOLO embeds several key optimizations that keep costs low for practitioners by maximizing the density of diverse data samples generated within a given time (or resource) budget. Experiments using wide-ranging commercial malware datasets and a recent ML-driven malware detector show that MARVOLO boosts accuracies by up to 5%, while operating on only a small fraction (15%) of the potential input binaries.Preprint. Under review.

show abstract

Section: Background and Related Workmentioning

confidence: 99%

Marvolo: Programmatic Data Augmentation for Practical ML-Driven Malware Detection

Wong¹,

Raff²,

Holt³

et al. 2022

Preprint

Self Cite

View full text Add to dashboard Cite

show abstract

“…Toward this goal, we needed to minimize memory use and model size in memory, as well as reliance on any GPU resources. This allows analysts who take "fly-away" kits with them to unfamiliar networks to begin investigations into the network, encountering whatever novel malware that may be present [17]. We also need the tool to produce Yara rules within minutes, as our experience has been that analysts will not, in general, use tools requiring them to wait hours or more.…”

Section: Autoyara Designmentioning

confidence: 99%

Automatic Yara Rule Generation Using Biclustering

Raff

Zak

Munoz

et al. 2020

Proceedings of the 13th ACM Workshop on Artificial Intelligence and Security

Self Cite

View full text Add to dashboard Cite

Yara rules are a ubiquitous tool among cybersecurity practitioners and analysts. Developing high-quality Yara rules to detect a malware family of interest can be labor-and time-intensive, even for expert users. Few tools exist and relatively little work has been done on how to automate the generation of Yara rules for specific families. In this paper, we leverage large n-grams (n ≥ 8) combined with a new biclustering algorithm to construct simple Yara rules more effectively than currently available software. Our method, Au-toYara, is fast, allowing for deployment on low-resource equipment for teams that deploy to remote networks. Our results demonstrate that AutoYara can help reduce analyst workload by producing rules with useful true-positive rates while maintaining low false-positive rates, sometimes matching or even outperforming human analysts. In addition, real-world testing by malware analysts indicates Auto-Yara could reduce analyst time spent constructing Yara rules by 44-86%, allowing them to spend their time on the more advanced malware that current tools can't handle. Code will be made available at https://github.com/NeuromorphicComputationResearchProgram. CCS CONCEPTS • Security and privacy → Malware and its mitigation; • Computing methodologies → Rule learning; Motif discovery;

show abstract