Beyond Labeling: Intuitive Capability Assessment of Malware using Network Behavioral Profiles

Authors: Sicco Verwer, Carlos H. Gañán, Christian Hammerschmidt, Azqa Nadeem

Abstract: Malicious software is still a leading threat in cybersecurity. Anti-Virus (AV) companies are pivotal in understanding and assigning labels to new malware samples. Currently, these labels are the sole source of ground truth information available to the security community for evaluating analysis methods. However, their adopted naming conventions are known to be inconsistent and unverifiable. The labels are also a black box, since they do not represent the capabilities of the malware. We believe that we need a white-box way to determine capabilities based on behavior, rather than relying on family labels. The current state of the art in capability assessment consists largely of manual approaches. We propose a novel method called MalPaCA, which for a large part automates capability assessment by clustering the temporal behavior observed in a malware's network traces. MalPaCA uses network traces because most malware relies on the Internet to carry out its objectives. In doing so, we build behavioral profiles of malware families that are significantly more descriptive than family names. We also propose an intuitive, visualization-based cluster evaluation method for the obtained clusters. We evaluate MalPaCA on 1.1k samples collected in the wild. It shows promising results: (i) it correctly discovers capabilities, such as port scans and the reuse of Command and Control servers; (ii) it uncovers a number of discrepancies between behavioral clusters and traditional family designations; (iii) it demonstrates the effectiveness of clustering unlabeled samples using network features, producing a false positive rate of a mere 8%.
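The abstract only outlines what "clustering the temporal behavior observed in a malware's network traces" means in practice. As an added illustration, not the authors' code, the Python sketch below shows the general shape of such a pipeline: every connection becomes a sequence of per-packet features (here only packet size and inter-arrival time), sequences are compared per feature with dynamic time warping (DTW) so that traces of different lengths and slightly different timing still compare, the per-feature distances are scaled and summed, and connections closer than a threshold are grouped by single-linkage. The sample connections (port-scan probes, C&C beaconing, a bulk download), the two-feature choice, the scaling rule and the threshold value are all assumptions made for this example; the paper's real feature set, sequence length and clustering algorithm are not reproduced here.

```python
"""Added example (not from the paper): cluster connections by the temporal
shape of their packet sequences, in the spirit of MalPaCA's behavioral
clustering.  All sample data below is constructed for illustration."""
from collections import defaultdict

# Constructed sample connections: each is a list of (packet_size_bytes,
# inter_arrival_seconds) per packet, in capture order.  Three behaviors:
#   - port-scan probes: a single small SYN per connection
#   - C&C beacons: small packets at a regular interval
#   - bulk downloads: one request followed by MTU-sized data packets
SAMPLE_CONNECTIONS = {
    "scan-1": [(60, 0.0)],
    "scan-2": [(60, 0.0)],
    "scan-3": [(60, 0.0)],
    "beacon-1": [(120, 0.0), (120, 30.0), (120, 30.0), (120, 30.0)],
    "beacon-2": [(128, 0.0), (128, 31.0), (128, 29.0), (128, 30.0)],
    "download-1": [(200, 0.0), (1400, 0.1), (1400, 0.1), (1400, 0.1), (1400, 0.1)],
    "download-2": [(220, 0.0), (1400, 0.2), (1400, 0.1), (1400, 0.1)],
}


def dtw(a, b):
    """Dynamic time warping distance between two numeric sequences
    (absolute difference as the local cost, no warping window)."""
    inf = float("inf")
    cost = [[inf] * (len(b) + 1) for _ in range(len(a) + 1)]
    cost[0][0] = 0.0
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            step = abs(a[i - 1] - b[j - 1])
            cost[i][j] = step + min(cost[i - 1][j], cost[i][j - 1], cost[i - 1][j - 1])
    return cost[len(a)][len(b)]


def distance_matrix(connections):
    """Sum of per-feature DTW distances, each feature scaled by its largest
    pairwise distance so that bytes and seconds contribute comparably.
    The scaling rule is an assumption of this example."""
    names = list(connections)
    n_features = len(next(iter(connections.values()))[0])
    total = {(x, y): 0.0 for x in names for y in names}
    for f in range(n_features):
        raw = {}
        for x in names:
            for y in names:
                raw[(x, y)] = dtw([p[f] for p in connections[x]],
                                  [p[f] for p in connections[y]])
        scale = max(raw.values()) or 1.0
        for pair, d in raw.items():
            total[pair] += d / scale
    return names, total


def cluster(names, dist, threshold):
    """Single-linkage clustering via union-find: connections whose combined
    distance is at or below the threshold end up in the same group."""
    parent = {n: n for n in names}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    for i, x in enumerate(names):
        for y in names[i + 1:]:
            if dist[(x, y)] <= threshold:
                parent[find(x)] = find(y)
    groups = defaultdict(list)
    for n in names:
        groups[find(n)].append(n)
    return sorted(sorted(g) for g in groups.values())


def cluster_sample(threshold=0.2):
    """Cluster the constructed connections; returns sorted groups of names.
    The threshold is an assumed value that separates the three behaviors."""
    names, dist = distance_matrix(SAMPLE_CONNECTIONS)
    return cluster(names, dist, threshold)


if __name__ == "__main__":
    for group in cluster_sample():
        print(group)
```

With these inputs the three behaviors fall into three groups regardless of the small jitter in the beacon interval and the different lengths of the two downloads; that robustness to length and timing is the reason a warping distance rather than a plain Euclidean one is used on packet sequences. In a real pipeline the sequences would be extracted from a capture (with a pcap parser) and a density-based algorithm would replace the fixed threshold so that noise connections are left unclustered instead of being forced into a group.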
