Network-based Analysis and Classification of Malware using Behavioral Artifacts Ordering
Using runtime execution artifacts to identify malware and its associated “family” is an established technique in the security domain. Many papers in the literature rely on explicit features derived from network, file system, or registry interaction. While effective, the use of these fine-granularity d...
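Main Authors: | Aziz Mohaisen, Omar Alrawi, Jeman Park, Joongheon Kim, DaeHun Nyang, Manar Mohaisen |
---|---|
Format: | Article |
Language: | English |
Published: | European Alliance for Innovation (EAI) 2018-12-01 |
Series: | EAI Endorsed Transactions on Security and Safety |
Subjects: | Malware; behavior-based analysis; classification; machine learning; n-grams |
Online Access: | http://eudl.eu/doi/10.4108/eai.13-7-2018.156002 |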
id |
doaj-61ece09cf294472493ff5067684f959a |
---|---|
record_format |
Article |
spelling |
doaj-61ece09cf294472493ff5067684f959a; 2020-11-25T01:50:00Z; eng; European Alliance for Innovation (EAI); EAI Endorsed Transactions on Security and Safety; 2032-9393; 2018-12-01; 516; 10.4108/eai.13-7-2018.156002; Network-based Analysis and Classification of Malware using Behavioral Artifacts Ordering; Aziz Mohaisen (0), Omar Alrawi (1), Jeman Park (2), Joongheon Kim (3), DaeHun Nyang (4), Manar Mohaisen (5); University of Central Florida, Georgia Institute of Technology, University of Central Florida, Chung-Ang University, Inha University, Korea University of Technology and Education; http://eudl.eu/doi/10.4108/eai.13-7-2018.156002; Malware, behavior-based analysis, classification, machine learning, n-grams |
collection |
DOAJ |
language |
English |
format |
Article |
sources |
DOAJ |
author |
Aziz Mohaisen Omar Alrawi Jeman Park Joongheon Kim DaeHun Nyang Manar Mohaisen |
title |
Network-based Analysis and Classification of Malware using Behavioral Artifacts Ordering |
publisher |
European Alliance for Innovation (EAI) |
series |
EAI Endorsed Transactions on Security and Safety |
issn |
2032-9393 |
publishDate |
2018-12-01 |
description |
Using runtime execution artifacts to identify malware and its associated “family” is an established technique in the security domain. Many papers in the literature rely on explicit features derived from network, file system, or registry interaction. While effective, the use of these fine-granularity data points makes these techniques computationally expensive. Moreover, the signatures and heuristics are often circumvented by subsequent malware authors. In this work, we propose Chatter, a system that is concerned only with the order in which high-level system events take place. Individual events are mapped onto an alphabet and execution traces are captured via terse concatenations of those letters. Then, leveraging an analyst labeled corpus of malware, n-gram document classification techniques are applied to produce a classifier predicting malware family. This paper describes that technique and its proof-of-concept evaluation. In its prototype form only network events are considered and eleven malware families are used. We show the technique achieves 83%-94% accuracy in isolation and makes non-trivial performance improvements when integrated with a baseline classifier of combined order features to reach an accuracy of up to 98.8%. |
topic |
Malware; behavior-based analysis; classification; machine learning; n-grams |
url |
http://eudl.eu/doi/10.4108/eai.13-7-2018.156002 |