A Close Look at a Daily Dataset of Malware Samples

Ugarte-Pedrero, Xabier; Graziano, Mariano; Balzarotti, Davide

doi:10.1145/3291061

Cited by 49 publications

(32 citation statements)

References 20 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…As such, we wanted our dataset to mimic those that are regularly analyzed by security companies. To satisfy this requirement, for our malicious dataset we downloaded fresh samples submitted to VirusTotal, i.e., samples observed for the first time on the same day in which we downloaded and analyzed them (this is what Ugarte-Pedrero et al [98] call the catch of the day). This was the only criteria we used for our selection.…”

Section: Sample Selectionmentioning

confidence: 99%

Does Every Second Count? Time-based Evolution of Malware Behavior in Sandboxes

Alexander¹,

Mantovani²,

Han

et al. 2021

Proceedings 2021 Network and Distributed System Security Symposium

Self Cite

View full text Add to dashboard Cite

The amount of time in which a sample is executed is one of the key parameters of a malware analysis sandbox. Setting the threshold too high hinders the scalability and reduces the number of samples that can be analyzed in a day; too low and the samples may not have the time to show their malicious behavior, thus reducing the amount and quality of the collected data. Therefore, an analyst needs to find the 'sweet spot' that allows to collect only the minimum amount of information required to properly classify each sample. Anything more is wasting resources, anything less is jeopardizing the experiments. Despite its importance, there are no clear guidelines on how to choose this parameter, nor experiments that can help companies to assess the pros and cons of a choice over another. To fill this gap, in this paper we provide the first large-scale study of the impact that the execution time has on both the amount and the quality of the collected events. We measure the evolution of system calls and code coverage, to draw a precise picture of the fraction of runtime behavior we can expect to observe in a sandbox. Finally, we implemented a machine learning based malware detection method, and applied it to the data collected in different time windows, to also report on the relevance of the events observed at different points in time. Our results show that most samples run for either less than two minutes or for more than ten. However, most of the behavior (and 98% of the executed basic blocks) are observed during the first two minutes of execution, which is also the time windows that result in a higher accuracy of our ML classifier. We believe this information can help future researchers and industrial sandboxes to better tune their analysis systems.

show abstract

Section: Sample Selectionmentioning

confidence: 99%

Does Every Second Count? Time-based Evolution of Malware Behavior in Sandboxes

Alexander¹,

Mantovani²,

Han

et al. 2021

Proceedings 2021 Network and Distributed System Security Symposium

Self Cite

View full text Add to dashboard Cite

show abstract

“…We gathered 237,288 hashes from VT. We attempted to balance the presence of families and variants to avoid over-representing certain prolific families. Malware feeds like VT usually distribute large numbers of variants of the same polymorphic families [68]. The prevalence of a given malware family in such a feed is not necessarily related to its freshness, impact, or prevalence in the wild.…”

Section: A Dataset Compositionmentioning

confidence: 99%

“…By leveraging this sample selection method, we avoided the over-representation of prominent polymorphic families (such as worms or file infectors like Virut or Allaple) [68] or identical variants of the same family. The removal of these variants balanced the representation of every family in the dataset.…”

Section: A Dataset Compositionmentioning

confidence: 99%

Survivalism: Systematic Analysis of Windows Malware Living-Off-The-Land

Barr-Smith

Ugarte-Pedrero

Graziano

et al. 2021

2021 IEEE Symposium on Security and Privacy (SP)

Self Cite

View full text Add to dashboard Cite

As malware detection algorithms and methods become more sophisticated, malware authors adopt equally sophisticated evasion mechanisms to defeat them. Anecdotal evidence claims Living-Off-The-Land (LotL) techniques are one of the major evasion techniques used in many malware attacks. These techniques leverage binaries already present in the system to conduct malicious actions. We present the first large-scale systematic investigation of the use of these techniques by malware on Windows systems.In this paper, we analyse how common the use of these native system binaries is across several malware datasets, containing a total of 31,805,549 samples. We identify an average 9.41% prevalence. Our results show that the use of LotL techniques is prolific, particularly in Advanced Persistent Threat (APT) malware samples where the prevalence is 26.26%, over twice that of commodity malware.To illustrate the evasive potential of LotL techniques, we test the usage of LotL techniques against several fully patched Windows systems in a local sandboxed environment and show that there is a generalised detection gap in 10 of the most popular anti-virus products.

show abstract

“…Cybersecurity is a highly dynamic field; with threat behavior constantly evolving [7], Trend reports published by antivirus companies show that the number of unique malicious executable files has risen from less than one million to over one billion between 2008 and 2014 [8,9]. Security companies that analyse malware now routinely collecting over one million unique files per day [3]. Threat sophistication and anomaly distributions also vary significantly by context; for example certain industries may be highly attractive as targets for hackers, and may therefore exhibit higher frequencies or specific types of malware.…”

Section: State Of the Artmentioning

confidence: 99%

Are public intrusion datasets fit for purpose characterising the state of the art in intrusion event datasets

Kenyon¹,

Deka

Elizondo

2020

Computers & Security

View full text Add to dashboard Cite

In recent years cybersecurity attacks have caused major disruption and information loss for online organisations, with high profile incidents in the news. One of the key challenges in advancing the state of the art in intrusion detection is the lack of representative datasets. These datasets typically contain millions of time-ordered events (e.g. network packet traces, flow summaries, log entries); subsequently analysed to identify abnormal behavior and specific attacks [1]. Generating realistic datasets has historically required expensive networked assets, specialised traffic generators, and considerable design preparation. Even with advances in virtualisation it remains challenging to create and maintain a representative environment. Major improvements are needed in the design, quality and availability of datasets, to assist researchers in developing advanced detection techniques. With the emergence of new technology paradigms, such as intelligent transport and autonomous vehicles, it is also likely that new classes of threat will emerge [2]. Given the rate of change in threat behavior [3] datasets become quickly obsolete, and some of the most widely cited datasets date back over two decades. Older datasets have limited value: often heavily filtered and anonymised, with unrealistic event distributions, and opaque design methodology. The relative scarcity of (Intrusion Detection System) IDS datasets is compounded by the lack of a central registry, and inconsistent information on provenance. Researchers may also find it hard to locate datasets or understand their relative merits. In addition, many datasets rely on simulation, originating from academic or government institutions. The publication process itself often creates conflicts, with the need to de-identify sensitive information in order to meet regulations such as General Data Protection Act (GDPR) [4]. Another final issue for researchers is the lack of standardised metrics with which to compare dataset quality. In this paper we attempt to classify the most widely used public intrusion datasets, providing references to archives and associated literature. We illustrate their relative utility and scope, highlighting the threat composition, formats, special features, and associated limitations. We identify best practice in dataset design, and describe potential pitfalls of designing anomaly detection techniques based on data that may be either inappropriate, or compromised due to unrealistic threat coverage. Such contributions as made in this paper is expected to facilitate continuous research and development for effectively combating the constantly evolving cyber threat landscape.

show abstract

A Close Look at a Daily Dataset of Malware Samples

Cited by 49 publications

References 20 publications

Does Every Second Count? Time-based Evolution of Malware Behavior in Sandboxes

Does Every Second Count? Time-based Evolution of Malware Behavior in Sandboxes

Survivalism: Systematic Analysis of Windows Malware Living-Off-The-Land

Are public intrusion datasets fit for purpose characterising the state of the art in intrusion event datasets

Contact Info

Product

Resources

About