An empirical study of malware evolution

Gupta, Archit; Kuppili, Pavan; Barford, Paul

doi:10.1109/comsnets.2009.4808876

Cited by 29 publications

(26 citation statements)

References 16 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…These methods do not identify ancestral relationships in the data, but do give similarity relationships. However, it is more informative to know the set of parents from which a given sample's functionality is derived . Most similar to this paper is the method of using the graphical lasso, an undirected graphical model, with post hoc assignment of edge direction by a domain expert.…”

Section: Related Workmentioning

confidence: 99%

“…We compare against other algorithms that have been used for learning malware phylogeny. The algorithms that we compare against are MKLGC , which uses a graphical lasso with multiple kernel learning plus clustering of malware programs; Gupta , a graph pruning algorithm; and the minimum spanning tree as a naive baseline. These 3 algorithms each produce a single network as output, instead of an expectation on each edge as our Bayesian network discovery algorithm produces.…”

Section: Application To Malware Characterizationmentioning

confidence: 99%

“…Cyber security analysts and software reverse-engineers need to understand the function of malware in order to evaluate new threats. Malware is typically developed the same way as any software: it is evolved by modifying and combining existing malware [9,15]. We take a collection of related malware and benign programs and construct a Bayesian network to model the phylogeny of the programs.…”

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

Order priors for Bayesian network discovery with an application to malware phylogeny

Oyen

Anderson

Sentz

et al. 2017

Statistical Analysis

View full text Add to dashboard Cite

Bayesian networks have been used extensively to model and discover dependency relationships among sets of random variables. We learn Bayesian network structure with a combination of human knowledge about the partial ordering of variables and statistical inference of conditional dependencies from observed data. Our approach leverages complementary information from human knowledge and inference from observed data to produce networks that reflect human beliefs about the system as well as to fit the observed data. Applying prior beliefs about partial orderings of variables is an approach distinctly different from existing methods that incorporate prior beliefs about direct dependencies (or edges) in a Bayesian network. We provide an efficient implementation of the partial‐order prior in a Bayesian structure discovery learning algorithm, as well as an edge prior, showing that both priors meet the local modularity requirement necessary for an efficient Bayesian discovery algorithm. In benchmark studies, the partial‐order prior improves the accuracy of Bayesian network structure learning as well as the edge prior, even though order priors are more general. Our primary motivation is in characterizing the evolution of families of malware to aid cyber security analysts. For the problem of malware phylogeny discovery, we find that our algorithm, compared to existing malware phylogeny algorithms, more accurately discovers true dependencies that are missed by other algorithms.

show abstract

Section: Related Workmentioning

confidence: 99%

Section: Application To Malware Characterizationmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Order priors for Bayesian network discovery with an application to malware phylogeny

Oyen

Anderson

Sentz

et al. 2017

Statistical Analysis

View full text Add to dashboard Cite

show abstract

“…During a campaign, an adversary typically recycles techniques from previous ones and evolves its campaign slowly over time. For example, a new malware campaign may use a vulnerability known from a previous attack but use a delivery mechanism that changes to avoid detection [15]. Spam emails also tend to evolve from previous ones by, for example, selling the same product but under a different (misspelled) name [23].…”

Section: Families and Isolationmentioning

confidence: 99%

Approaches to adversarial drift

Kantchelian

Afroz

Huang

et al. 2013

Proceedings of the 2013 ACM Workshop on Artificial Intelligence and Security

View full text Add to dashboard Cite

In this position paper, we argue that to be of practical interest, a machine-learning based security system must engage with the human operators beyond feature engineering and instance labeling to address the challenge of drift in adversarial environments. We propose that designers of such systems broaden the classification goal into an explanatory goal, which would deepen the interaction with system's operators.To provide guidance, we advocate for an approach based on maintaining one classifier for each class of unwanted activity to be filtered. We also emphasize the necessity for the system to be responsive to the operators constant curation of the training set. We show how this paradigm provides a property we call isolation and how it relates to classical causative attacks.In order to demonstrate the effects of drift on a binary classification task, we also report on two experiments using a previously unpublished malware data set where each instance is timestamped according to when it was seen.

show abstract

“…[17] used metadata (such as time of collection and analyst notations) compiled by McAfee in a knowledge-based approach to lineage reconstruction. Lineage reconstruction using only features from malware binaries is essentially a new problem.…”

Section: B Detecting Shared or Similar Codementioning

confidence: 99%

Scalable malware forensics using phylogenetic analysis

Jilcott

2015

2015 IEEE International Symposium on Technologies for Homeland Security (HST)

View full text Add to dashboard Cite

Malware forensics analysts confront one of our biggest homeland security challenges -a continuing flood of new malware variants released by adaptable adversaries seeking new targets in cyberspace, exploiting new technologies, and bypassing existing security mechanisms. Reverse engineering new samples, understanding their capabilities, and ascertaining provenance is time-intensive and requires considerable human expertise. We present DECODE, a prototype malware forensics analysis system developed under DARPA's Cyber Genome program. DECODE increases the actionable forensics derivable from large repositories of collected malware by quickly identifying a new malware sample as a variant of other malware samples, without relying on pre-existing anti-virus signatures. DECODE also accelerates reverse engineering efforts by quickly identifying parts of the malware that have already been seen in other samples and characterizing the new and different capabilities. DECODE can also reconstruct the evolution of malware variants over time. DECODE applies phylogenetic analysis to provide these advantages. Phylogenetic analysis is the study of similarities and differences in program structure to find relationships within groups of software programs, providing insights about new malware variants not available from signature-based malware detection. (Abstract)

show abstract

An empirical study of malware evolution

Cited by 29 publications

References 16 publications

Order priors for Bayesian network discovery with an application to malware phylogeny

Order priors for Bayesian network discovery with an application to malware phylogeny

Approaches to adversarial drift

Scalable malware forensics using phylogenetic analysis

Contact Info

Product

Resources

About