Malware Fingerprinting under Uncertainty

Krishnendu Ghosh, William Casey, Jose Andre Morales, Bhubaneswar Mishra

Research output: Chapter in Book/Report/Conference proceeding (Conference contribution)

Abstract

Malware detection and classification are critical for the security of IT infrastructure. Legacy detection of malware has relied heavily on static signatures, so malware authors have evolved code-polymorphic techniques to counteract these tools, rendering static malware detectors ineffective. While malware writers may easily use code-rewriting techniques to scramble binary images, a malware process at runtime must still conduct a sequence of operational steps to achieve its design goal. This suggests an approach based on behavioral analysis, in which the captured invariants form a new type of forensic fingerprint. Moreover, these operational steps are constrained to occur within the computer's or mobile device's abstract system interface: a finite basis of activities that submits to effective monitoring with a variety of tools. In this work, we propose a formalism for expressing these behaviors, learning them, and analyzing them to form automated malware analysis tools. Motivated by the need to detect and classify malware, we root the formalism in formal verification as well as in methodology from statistical and machine learning. Specifically, using trace data from malware, we leverage formal verification methods (such as probabilistic model checking) to construct classifiers and evaluate their efficacy in supervised learning and cross-fold validation experiments. The results inform how a fully automated reasoning mechanism may be applied to unknown software: its system trace is posed as a query to the various classifiers, as a form of hypothesis testing, and the outputs inform belief of membership. Finally, we demonstrate the method and results on real malware data.

Original language: English (US)
Title of host publication: Proceedings - 4th IEEE International Conference on Cyber Security and Cloud Computing, CSCloud 2017 and 3rd IEEE International Conference of Scalable and Smart Cloud, SSC 2017
Publisher: Institute of Electrical and Electronics Engineers Inc.
Pages: 276-286
Number of pages: 11
ISBN (Electronic): 9781509066438
DOI: https://doi.org/10.1109/CSCloud.2017.63
State: Published - Jul 20 2017
Event: 4th IEEE International Conference on Cyber Security and Cloud Computing, CSCloud 2017 and 3rd IEEE International Conference of Scalable and Smart Cloud, SSC 2017 - New York, United States
Duration: Jun 26 2017 to Jun 28 2017

Other

Other: 4th IEEE International Conference on Cyber Security and Cloud Computing, CSCloud 2017 and 3rd IEEE International Conference of Scalable and Smart Cloud, SSC 2017
Country: United States
City: New York
Period: 6/26/17 to 6/28/17

Fingerprint

Classifiers
Malware
Uncertainty
Binary images
Supervised learning
Model checking
Mobile devices
Interfaces (computer)
Learning systems
Computer systems
Detectors
Monitoring
Testing
Experiments
Formal verification
Statistical Models

Keywords

  • Classification, Machine Learning
  • Malware
  • Model Checking

ASJC Scopus subject areas

  • Artificial Intelligence
  • Computer Networks and Communications
  • Safety, Risk, Reliability and Quality
  • Hardware and Architecture

Cite this

Ghosh, K., Casey, W., Morales, J. A., & Mishra, B. (2017). Malware Fingerprinting under Uncertainty. In Proceedings - 4th IEEE International Conference on Cyber Security and Cloud Computing, CSCloud 2017 and 3rd IEEE International Conference of Scalable and Smart Cloud, SSC 2017 (pp. 276-286). [7987210] Institute of Electrical and Electronics Engineers Inc.. https://doi.org/10.1109/CSCloud.2017.63


Scopus record: http://www.scopus.com/inward/record.url?scp=85028652006&partnerID=8YFLogxK

Scopus cited-by: http://www.scopus.com/inward/citedby.url?scp=85028652006&partnerID=8YFLogxK