Exploiting Latent Attack Semantics for Intelligent Malware Detection.

Authors: Sanjay Shakkottai, Constantine Caramanis, Mohit Tiwari, Mikhail Kazdagli

DOI:

Keywords:

Abstract: Behavioral malware detectors promise to expose previously unknown malware and are an important security primitive. However, even the best behavioral detectors suffer from high false positive and false negative rates. In this paper, we address the challenge of aggregating weak per-device behavioral detectors in noisy communities (i.e., ones that produce alerts at unpredictable rates) into an accurate and robust global anomaly detector (GD). Our system, Shape GD, combines two insights. Structural: actions such as visiting a website (waterhole attack) or membership in a shared email thread (phishing attack) correlate well with how malware spreads, and so create dynamic neighborhoods of nodes that were exposed to the same attack vector. Statistical: the feature vectors corresponding to true and false positives of a local detector have markedly different conditional distributions. We use neighborhoods to amplify the transient low-dimensional structure that is latent in the high-dimensional feature vectors but varies unpredictably, and we use the statistical shape of that structure to extract neighborhood-level features that identify infected neighborhoods. Unlike prior work that aggregates local detectors' alert bitstreams or clusters raw feature vectors, Shape GD analyzes the feature vectors that led to local alerts (alert-FVs) in order to separate true from false positives. Shape GD first filters these alert-FVs into neighborhoods and efficiently maps each neighborhood's alert-FVs' statistical shape to a scalar score (the ShapeScore). It then acts as a neighborhood-level anomaly detector: it trains on benign program traces to learn the ShapeScore distribution of false-positive-only neighborhoods and classifies neighborhoods with anomalous ShapeScores as malicious. Shape GD detects infections early (at roughly 100 infected nodes in a ~100K-node system for the waterhole attack, and roughly 10 of 1000 nodes for phishing) and robustly (with ~100% true positive and ~1% false positive rates).
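The pipeline the abstract describes (group nodes into neighborhoods by a shared exposure, reduce each neighborhood's alert-FVs to one scalar, calibrate on benign-only neighborhoods, flag outliers) can be sketched end to end. The block below is an added illustration, not code from the paper or its authors. Its ShapeScore is a stand-in assumed for this example: the 1-D Wasserstein distance between a neighborhood's projected alert-FVs and a benign reference sample; the paper's own ShapeScore is not defined on this page. The exposure log, the alert feature vectors, the 1% calibration cutoff and the names (`waterhole.example`, `thread:quarterly-report`) are all constructed.

```python
# Added example (not the paper's code): neighborhood-level "shape" scoring of
# local-detector alert feature vectors. ShapeScore here is a stand-in: W1
# distance between a neighborhood's projected alert-FVs and a benign reference.
# Every input below is constructed for the demo.
import random
from collections import defaultdict


def build_neighborhoods(exposures):
    """Group nodes by the attack vector they shared (site visited, mail thread).

    exposures: iterable of (node_id, vector_id). Returns {vector_id: set(nodes)}.
    """
    nb = defaultdict(set)
    for node, vector in exposures:
        nb[vector].add(node)
    return dict(nb)


def alert_fv(rng, infected, dim=4):
    """Constructed alert feature vector emitted by a local detector.

    False positives scatter around a benign mean; true positives sit in a
    tighter cluster elsewhere (the "different conditional distribution").
    """
    if infected:
        return [rng.gauss(2.5, 0.4) for _ in range(dim)]
    return [rng.gauss(0.0, 1.0) for _ in range(dim)]


def project(fv):
    """Cheap scalar projection of an alert-FV (mean of its components)."""
    return sum(fv) / len(fv)


def wasserstein_1d(a, b):
    """Exact W1 distance between two empirical 1-D distributions:
    integrate |F_a(x) - F_b(x)| over the merged support."""
    a, b = sorted(a), sorted(b)
    pts = sorted(set(a) | set(b))
    ia = ib = 0
    dist = 0.0
    for x0, x1 in zip(pts, pts[1:]):
        while ia < len(a) and a[ia] <= x0:
            ia += 1
        while ib < len(b) and b[ib] <= x0:
            ib += 1
        dist += abs(ia / len(a) - ib / len(b)) * (x1 - x0)
    return dist


def shape_score(neigh_fvs, benign_ref):
    """ShapeScore stand-in: W1 between projected neighborhood alert-FVs and
    projected benign reference alert-FVs."""
    return wasserstein_1d([project(f) for f in neigh_fvs],
                          [project(f) for f in benign_ref])


def calibrate_threshold(rng, benign_ref, neigh_size, trials=300, fp_rate=0.01):
    """Train on benign traces only: score many false-positive-only
    neighborhoods and cut at the (1 - fp_rate) quantile."""
    scores = sorted(
        shape_score([alert_fv(rng, False) for _ in range(neigh_size)], benign_ref)
        for _ in range(trials))
    return scores[min(trials - 1, int((1 - fp_rate) * trials))]


def classify(alerts, neighborhoods, benign_ref, threshold):
    """alerts: {node: [fv, ...]}. Returns {vector: (score, is_malicious)}."""
    out = {}
    for vector, nodes in neighborhoods.items():
        fvs = [fv for n in nodes for fv in alerts.get(n, [])]
        if fvs:
            s = shape_score(fvs, benign_ref)
            out[vector] = (s, s > threshold)
    return out


def run_demo(seed=7):
    rng = random.Random(seed)
    # Constructed exposure log: one waterhole site, one benign site, one thread.
    exposures = [(n, "waterhole.example") for n in range(0, 50)]
    exposures += [(n, "benign.example") for n in range(50, 100)]
    exposures += [(n, "thread:quarterly-report") for n in range(100, 150)]
    neighborhoods = build_neighborhoods(exposures)
    infected = set(range(0, 10))  # 10 of the 50 waterhole visitors compromised
    # Noisy community: every node's local detector fires once; only the
    # infected nodes' alerts carry the true-positive feature distribution.
    alerts = {n: [alert_fv(rng, n in infected)] for n in range(150)}
    benign_ref = [alert_fv(rng, False) for _ in range(2000)]
    thr = calibrate_threshold(rng, benign_ref, neigh_size=50)
    return classify(alerts, neighborhoods, benign_ref, thr), thr


if __name__ == "__main__":
    results, thr = run_demo()
    print(f"threshold={thr:.3f}")
    for vector, (score, flagged) in results.items():
        print(f"{vector:28s} score={score:.3f} malicious={flagged}")
```

Two things to note when reading the output: individual infected nodes are indistinguishable here (each emits a single alert, just like every benign node), and the separation only appears once alert-FVs are pooled per neighborhood, which is the structural insight; and the threshold is learned from benign traces alone, so the false positive rate is set by the calibration quantile rather than by any knowledge of the malware.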

References (47)
Yoichi Shinoda, Ko Ikai, Motomu Itoh. Vulnerabilities of passive internet threat monitors. USENIX Security Symposium, pp. 14-14 (2005).
John Mark Agosta, Denver Dash, Abraham Bachrach, Eve Schooler, Jaideep Chandrashekar, Alex Newman, Branislav Kveton. When gossip is good: distributed probabilistic inference for detection of slow network intrusions. National Conference on Artificial Intelligence, pp. 1115-1122 (2006).
Christopher Kruegel, Giovanni Vigna, Federico Maggi, William K. Robertson. Effective Anomaly Detection with Scarce Training Data. Network and Distributed System Security Symposium, pp. 1-16 (2010).
J. D. Benamou, Y. Brenier. Mixed L2-Wasserstein Optimal Mapping Between Prescribed Density Functions. Journal of Optimization Theory and Applications, vol. 111, pp. 255-271 (2001). doi:10.1023/A:1011926116573
Serguei Foss, Dmitry Korshunov, Stanley Zachary. An Introduction to Heavy-Tailed and Subexponential Distributions (2011).
Vern Paxson. Bro: a system for detecting network intruders in real-time. Computer Networks, vol. 31, pp. 2435-2463 (1999). doi:10.1016/S1389-1286(99)00112-7
Mary Vernon, Jason Franklin, John Bethencourt. Mapping internet sensors with probe response attacks. USENIX Security Symposium, pp. 13-13 (2005).
Mihai Christodorescu, Somesh Jha. Static analysis of executables to detect malicious patterns. USENIX Security Symposium, pp. 12-12 (2003). doi:10.21236/ADA449067
Yinglian Xie, Hyang-Ah Kim, David R. O'Hallaron, Michael K. Reiter, Hui Zhang. Seurat: A Pointillist Approach to Anomaly Detection. Recent Advances in Intrusion Detection, pp. 238-257 (2004). doi:10.1007/978-3-540-30143-1_13
Vern Paxson, Christian Kreibich, Mark Handley. Network intrusion detection: evasion, traffic normalization, and end-to-end protocol semantics. USENIX Security Symposium, pp. 9-9 (2001).