research-article

AutoCombo: Automatic Malware Signature Generation Through Combination Rule Mining

Authors:

Min Du,

Wenjun Hu,

William HewlettAuthors Info & Claims

CIKM '21: Proceedings of the 30th ACM International Conference on Information & Knowledge Management

Pages 3777 - 3786

https://doi.org/10.1145/3459637.3481896

Published: 30 October 2021 Publication History

Get Access

Abstract

Malware detection is an essential step in building trustworthy computer systems. Signature-based detection detects a sample as malware if the sample data match or contain a pre-stored malware signature. Among all detection methods that malware experts are constantly exploring, signature-based malware detection is indispensable, due to its simplicity, explainability and efficiency. Malware signatures could have various formats, for example, a substring, a subsequence, or a combination rule. A combination rule signature could be viewed as a fixed set of properties, each of which describes some characteristic of an analyzed sample. Although security experts have dedicated many efforts to extract meaningful features from samples, the step of signature generation from the features has been rather ad hoc and time-consuming.

This paper focuses on the generation of combination rule signatures. We abstract and formally define the problem of combination rule malware signature generation, followed by a systematic study towards an effective and efficient implementation. Inspired by classic frequent itemsets mining solutions, the proposed AutoCombo approach is greedy but also complete. It generates higher quality signatures first, but is also able to traverse all possible property combinations for a complete generation. Further optimizations and future research potential are also discussed. The proposed approach is currently in use to assist the analysis for millions of files per day in a large security company. Our evaluation results using large-scale production data have also shown its efficacy. With the release of over 10 million real production records as well as our exploratory code, we hope this initial study could draw AI experts' attention and advance the research even further in this field.

Supplementary Material

MP4 File (CIKM21-fp1281.mp4)

This video recording is a presentation for our paper accepted in CIKM?21, named ?AutoCombo: Automatic Malware Signature Generation Through Combination Rule Mining''. In short, this paper proposes a systematic pipeline to automatically generate combination rule signatures for malware detection. Malware detection is an essential step in building trustworthy computer systems. Signature-based detection detects a sample as malware if the sample data match or contain a pre-stored malware signature. A combination rule signature could be viewed as a fixed set of properties, each of which describes some characteristic of an analyzed sample. This paper focuses on the generation of such signatures. Inspired by classic frequent itemsets mining solutions, the proposed AutoCombo approach is greedy but also complete. It generates higher quality signatures first, but is also able to traverse all possible property combinations for a complete generation. Further optimizations and future research potential are also discussed.

Download
39.03 MB

References

[1]

Olawale Surajudeen Adebayo and Normaziah Abdul Aziz. 2019. Improved Malware Detection Model with Apriori Association Rule and Particle Swarm Optimization. Security and Communication Networks, Vol. 2019 (2019).

Abstract

Supplementary Material

References

Cited By

Index Terms

Recommendations

Signature Generation and Detection of Malware Families

DroidLegacy: Automated Familial Classification of Android Malware

Polymorphic worms detection using Extended PolyTree

Comments

Information

Published In

Sponsors

Publisher

Publication History

Permissions

Check for updates

Author Tags

Qualifiers

Conference

Acceptance Rates

Upcoming Conference

Contributors

Other Metrics

Bibliometrics

Article Metrics

Other Metrics

Citations

Cited By

Login options

Full Access

View options

PDF

eReader

Share

Share this Publication link

Share on social media

Affiliations