research-article
Open access

Malware Triage for Early Identification of Advanced Persistent Threat Activities

Published: 04 August 2020

Abstract

    In the past decade, a new class of cyber-threats, known as “Advanced Persistent Threat” (APT), has emerged and has been used by different organizations to perform dangerous and effective attacks against financial and political entities, critical infrastructures, and so on. To identify APT-related malware early, a semi-automatic approach to malware sample analysis is needed. Recently, a malware triage step for a semi-automatic malware analysis architecture has been introduced. This step identifies incoming APT samples early, among all the malware delivered per day in cyberspace, so that they can be dispatched immediately to deeper analysis. In that article, the authors built the knowledge base on known APTs from publicly available reports. For efficiency reasons, they rely on static malware features, extracted with negligible delay, and use machine learning techniques for the identification. Unfortunately, the proposed solution has the disadvantage of requiring a long training time and must be completely retrained each time new APT samples, or even a new APT class, are discovered. In this article, we move from multi-class classification to a group of one-class classifiers, which significantly decreases runtime and allows higher modularity, while still guaranteeing precision and accuracy over 90%.




      Published In

      Digital Threats: Research and Practice  Volume 1, Issue 3
      Field Notes
      September 2020
      93 pages
      EISSN:2576-5337
      DOI:10.1145/3415596
      Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

      Publisher

      Association for Computing Machinery

      New York, NY, United States

      Publication History

      Published: 04 August 2020
      Online AM: 07 May 2020
      Accepted: 01 March 2020
      Revised: 01 February 2020
      Received: 01 May 2019
      Published in DTRAP Volume 1, Issue 3


      Author Tags

      1. Malware analysis
      2. advanced persistent threats
      3. isolation forest

      Qualifiers

      • Research-article
      • Research
      • Refereed

      Funding Sources

      • La Sapienza University of Rome Bando Ricerca 2017
      • Consorzio Interuniversitario Nazionale Informatica (CINI) National Laboratory of Cyber Security


      Article Metrics

      • Downloads (Last 12 months)358
      • Downloads (Last 6 weeks)32
      Reflects downloads up to 26 Jul 2024

      Cited By

      • (2024) Attribution classification method of APT malware based on multi-feature fusion. PLOS ONE 19:6 (e0304066). DOI: 10.1371/journal.pone.0304066. Online publication date: 27-Jun-2024.
      • (2024) Research on APT Malware Detection Based on BERT-Transformer-TextCNN Modeling. Proceedings of the 2024 International Conference on Generative Artificial Intelligence and Information Security, 235-242. DOI: 10.1145/3665348.3665389. Online publication date: 10-May-2024.
      • (2024) Identifying Authorship in Malicious Binaries: Features, Challenges & Datasets. ACM Computing Surveys 56:8, 1-36. DOI: 10.1145/3653973. Online publication date: 26-Mar-2024.
      • (2024) An Exploration of shared code execution for malware analysis. 2024 International Conference on Artificial Intelligence, Computer, Data Sciences and Applications (ACDSA), 1-9. DOI: 10.1109/ACDSA59508.2024.10467679. Online publication date: 1-Feb-2024.
      • (2024) A comprehensive comparison study of ML models for multistage APT detection: focus on data preprocessing and resampling. The Journal of Supercomputing 80:10, 14143-14179. DOI: 10.1007/s11227-024-06010-2. Online publication date: 1-Jul-2024.
      • (2023) APT Detection: An Incremental Correlation Approach. 2023 IEEE 12th International Conference on Intelligent Data Acquisition and Advanced Computing Systems: Technology and Applications (IDAACS), 151-156. DOI: 10.1109/IDAACS58523.2023.10348952. Online publication date: 7-Sep-2023.
      • (2023) Advanced Persistent Threat Identification with Boosting and Explainable AI. SN Computer Science 4:3. DOI: 10.1007/s42979-023-01744-x. Online publication date: 20-Mar-2023.
      • (2023) Advanced Persistent Threats (APT): evolution, anatomy, attribution and countermeasures. Journal of Ambient Intelligence and Humanized Computing 14:7, 9355-9381. DOI: 10.1007/s12652-023-04603-y. Online publication date: 6-May-2023.
      • (2022) Exploration of Mobile Device Behavior for Mitigating Advanced Persistent Threats (APT): A Systematic Literature Review and Conceptual Framework. Sensors 22:13 (4662). DOI: 10.3390/s22134662. Online publication date: 21-Jun-2022.
      • (2021) Toward Identifying APT Malware through API System Calls. Security and Communication Networks 2021. DOI: 10.1155/2021/8077220. Online publication date: 9-Dec-2021.