Research article, DOI: 10.1145/2664243.2664286

Centrality metrics of importance in access behaviors and malware detections

Published: 08 December 2014

Abstract

System objects play different roles in a computer system and exhibit different degrees of importance with respect to system security. Identifying importance metrics can help us develop more effective and efficient security protection methods. However, there is little previous work on evaluating the importance of objects from the perspective of security. In this paper, we propose a novel approach to evaluate the importance of system objects based on a bipartite dependency network representation of the access behaviors observed in a computer system. We introduce centrality metrics from network science to quantitatively measure the relative importance of system objects and reveal their inherent connections to security properties such as integrity and confidentiality. Furthermore, we propose importance-metric-based models to characterize process behaviors and identify abnormal access patterns with respect to confidentiality and integrity. Extensive experiments on one real-world dataset show that our model distinguishes 7,257 malware samples from 27,840 benign processes at a 93.94% true-positive rate (TPR) under a 0.1% false-positive rate (FPR). Moreover, a selective protection scheme based on a partial behavioral model covering only the important objects achieves comparable or even better malware-detection results than complete behavior models. This demonstrates the feasibility of the devised importance metrics and presents a promising new approach to malware detection.
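The pipeline the abstract sketches (bipartite process/object access graph, a centrality score per object, a process scored by what it does to important objects, and a selective model that watches only the important ones) as an added, self-contained illustration. This is not the paper's code: its centrality metrics and behavioral models are not given on this page, so the score used here (the number of processes that would transitively consume data flowing out of an object) is a simplified reach-style stand-in, and every process name, path, registry key and access record is constructed.

```python
"""Added illustration of the access-graph idea with constructed data:
build a bipartite process/object graph from read/write records, score
each object's integrity importance with a reach-style centrality, then
score a process by the importance of objects it writes that no benign
process wrote. The centrality is a simplified stand-in, not the paper's
metric; all names and records below are constructed."""
from collections import defaultdict

# Constructed object names (not from the paper's dataset).
KERNEL32 = r"C:\Windows\System32\kernel32.dll"
RUN_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
TEMP_CACHE = r"C:\Users\alice\AppData\Local\Temp\cache.tmp"
NOTES = r"C:\Users\alice\Documents\notes.txt"
WBEM_LOG = r"C:\Windows\System32\wbem\repository.log"

# Constructed benign training log: (process, op, object), op is 'r' or 'w'.
BENIGN_LOG = [
    ("explorer.exe", "r", KERNEL32), ("explorer.exe", "r", RUN_KEY),
    ("explorer.exe", "w", TEMP_CACHE),
    ("notepad.exe", "r", KERNEL32), ("notepad.exe", "w", NOTES),
    ("chrome.exe", "r", KERNEL32), ("chrome.exe", "r", RUN_KEY),
    ("chrome.exe", "w", TEMP_CACHE),
    ("svchost.exe", "r", KERNEL32), ("svchost.exe", "r", RUN_KEY),
    ("svchost.exe", "w", WBEM_LOG),
    ("wmiprvse.exe", "r", KERNEL32), ("wmiprvse.exe", "r", WBEM_LOG),
]

# Constructed sample under test: a dropper installing persistence.
MALWARE_LOG = [
    ("dropper.exe", "r", KERNEL32),
    ("dropper.exe", "w", RUN_KEY),      # consumed by many processes
    ("dropper.exe", "w", TEMP_CACHE),   # benign processes write this too
    ("dropper.exe", "w", r"C:\Users\alice\AppData\Roaming\x.dat"),  # unseen
]


def build_flow_graph(log):
    """Bipartite dependency graph read as directed information flow:
    a read adds object -> process, a write adds process -> object."""
    succ = defaultdict(set)
    objects, processes = set(), set()
    for proc, op, obj in log:
        objects.add(obj)
        processes.add(proc)
        if op == "r":
            succ[obj].add(proc)
        elif op == "w":
            succ[proc].add(obj)
        else:
            raise ValueError(f"unknown op {op!r}")
    return succ, objects, processes


def integrity_importance(succ, objects, processes):
    """Integrity importance of each object: how many distinct processes
    transitively consume data flowing out of it (reach-style centrality).
    Corrupting a high-scoring object taints many processes."""
    scores = {}
    for obj in objects:
        seen, frontier = set(), [obj]
        while frontier:
            node = frontier.pop()
            for nxt in succ.get(node, ()):
                if nxt not in seen:
                    seen.add(nxt)
                    frontier.append(nxt)
        scores[obj] = len(seen & processes)
    return scores


def benign_write_set(log):
    """Objects that benign processes were observed to write in training."""
    return {obj for _, op, obj in log if op == "w"}


def anomaly_score(test_log, importance, written_benign, watch_threshold=1):
    """Selective-protection style score for one process: summed integrity
    importance of objects it writes that both matter (importance >=
    watch_threshold) and were never written by any benign process.
    Returns (score, list of offending objects)."""
    score, hits = 0, []
    for _, op, obj in test_log:
        imp = importance.get(obj, 0)
        if op == "w" and imp >= watch_threshold and obj not in written_benign:
            score += imp
            hits.append(obj)
    return score, hits


if __name__ == "__main__":
    succ, objects, processes = build_flow_graph(BENIGN_LOG)
    imp = integrity_importance(succ, objects, processes)
    for obj, s in sorted(imp.items(), key=lambda kv: -kv[1]):
        print(f"{s:2d}  {obj}")
    print(anomaly_score(MALWARE_LOG, imp, benign_write_set(BENIGN_LOG)))
```

On the constructed log the DLL every process loads scores highest, the Run key next (three direct readers plus wmiprvse.exe, which reads a log written by a Run-key reader), and per-user scratch files score zero; the dropper is flagged solely for its Run-key write, while its writes to the shared temp file and to a brand-new path contribute nothing. That last point is the caveat of any selective model built this way: an object absent from the training graph has no centrality, so only a complete behavior model or a rule on new-object creation would see it. A detection threshold would be set from the distribution of benign-process scores to meet a target false-positive rate.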


    Published In

    ACSAC '14: Proceedings of the 30th Annual Computer Security Applications Conference
    December 2014
    492 pages
    ISBN:9781450330053
    DOI:10.1145/2664243
    Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

    Sponsors

    • ACSA: Applied Computing Security Assoc

    Publisher: Association for Computing Machinery, New York, NY, United States


    Author Tags

    1. access behaviors
    2. centrality
    3. importance metrics
    4. malware detection

    Conference

    ACSAC '14: Annual Computer Security Applications Conference
    December 8-12, 2014
    New Orleans, Louisiana, USA

    Acceptance Rates

    Overall Acceptance Rate 104 of 497 submissions, 21%

    Cited By

    • Leveraging Compression-Based Graph Mining for Behavior-Based Malware Detection. IEEE Transactions on Dependable and Secure Computing 16(1):99-112, 2019. doi:10.1109/TDSC.2017.2675881
    • Malware Detection via Graph Based Access Behavioral Description and Semi-supervised Learning. Recent Developments in Mechatronics and Intelligent Robotics, pp. 1247-1253, 2018. doi:10.1007/978-3-030-00214-5_153
    • Security importance assessment for system objects and malware detection. Computers and Security 68:47-68, 2017. doi:10.1016/j.cose.2017.02.009
    • Generating behavior-based malware detection models with genetic programming. 2016 14th Annual Conference on Privacy, Security and Trust (PST), pp. 506-511, 2016. doi:10.1109/PST.2016.7907008
    • Probabilistic Inference on Integrity for Access Behavior Based Malware Detection. Proceedings of the 18th International Symposium on Research in Attacks, Intrusions, and Defenses, Volume 9404, pp. 155-176, 2015. doi:10.1007/978-3-319-26362-5_8
    • Robust and Effective Malware Detection Through Quantitative Data Flow Graph Metrics. Proceedings of the 12th International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment, Volume 9148, pp. 98-118, 2015. doi:10.1007/978-3-319-20550-2_6
    • Identifying Intrusion Infections via Probabilistic Inference on Bayesian Network. Proceedings of the 12th International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment, Volume 9148, pp. 307-326, 2015. doi:10.1007/978-3-319-20550-2_16