Empowering Anti-malware Research in Japan by Sharing the MWS Datasets

Hatada, Mitsuhiro; Akiyama, Mitoshi; Kasama, Takahiro

doi:10.2197/ipsjjip.23.579

Cited by 21 publications

(19 citation statements)

References 16 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…FFRI Dataset [3,4] is a dataset of dynamic analysis results obtained by executing malwares in Cuckoo Sandbox [33], which is a widely used open-source sandbox for malware analysis based on a virtual machine monitor. Four versions of FFRI Dataset are available (2013-2016); we choose the latest dataset, namely FFRI Dataset 2016.…”

Section: Datasetmentioning

confidence: 99%

“…The objective of this study is to clarify the recent trends of anti-analysis operations executed by real-world malwares. In this paper, we report on the results of analyzing the dynamic behavior log of 8243 samples of Windows malwares recorded in a malware analysis dataset, namely FFRI Dataset 2016 [3,4]. This dataset includes a complete log of Windows API calls invoked by all the malware processes.…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Trends of anti-analysis operations of malwares observed in API call logs

Oyama

2017

J Comput Virol Hack Tech

View full text Add to dashboard Cite

Some malwares execute operations that determine whether they are running in an analysis environment created by monitoring software, such as debuggers, sandboxing systems, or virtual machine monitors, and if such an operation finds that the malware is running in an analysis environment, it terminates execution to prevent analysis. The existence of malwares that execute such operations (anti-analysis operations) is widely known. However, the knowledge acquired thus far, regarding what proportion of current malwares execute anti-analysis operations, what types of anti-analysis operations they execute, and how effectively such operations prevent analysis, is insufficient. In this study, we analyze FFRI Dataset, which is a dataset of dynamic malware analysis results, and clarify the trends in the anti-analysis operations executed by malware samples collected in 2016. Our findings revealed that, among 8243 malware samples, 856 (10.4%) samples executed at least one type of the 28 anti-analysis operations investigated in this study. We also found that, among the virtual machine monitors, VMware was the most commonly searched for by the malware samples.

show abstract

Section: Datasetmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

Trends of anti-analysis operations of malwares observed in API call logs

Oyama

2017

J Comput Virol Hack Tech

View full text Add to dashboard Cite

show abstract

“…In the experiment, SVM (Support Vector Machine) and SCW (Soft-Confidence Weighted learning) [1] were compared. We used the data extracted from CCC DATAset2011 [2] for the attack data, and used the packets obtained on the campus network for the normal data, performed crossvalidation and calculated the accuracy. From the experimental results, SCW can be classified with the same accuracy, precision, and recall as SVM, and thus it is considered that sufficient accuracy can be obtained.…”

Section: Online Learning With Kernel Methodsmentioning

confidence: 99%

Attack Detection Approach by Packet Analysis Using Online Learning with Kernel Method and Correlation Change Method

Niimi¹,

Takahata²

2020

IJICR

View full text Add to dashboard Cite

Recently, information systems are used in schools and companies and have become essential to work. However, cyber-attacks, such as stealing confidential information, stopping systems and tampering with information, pose risks. Thus, an anomaly detection and misuse detection based on machine learning and statistical methods for network monitoring is used as countermeasures against cyber-attacks. In this paper, we propose two methods to attack detection. One is an attack detection method using an online learning method. The other is an attack detection method using a structural change detection method. If abnormal traffic is monitored and discovered quickly, we can implement countermeasures before confidential information is stolen and serves are stopped. First, in this research, we propose a system using an online learning method that applies the kernel method to the intrusion detection problem. The outline of the proposed method and the learning algorithm are described. To verify of our proposed method, we conducted an experiment and discussed the results. Next, the proposed structural change detection method attempts to use structural changes to detect cyber-attacks. In addition, we propose an anomaly detection method to detect collapsed correlation via an attack on a network by structural change detection, where HTTP-DNS and syn-ack pairs are used as attributes. We conducted an experiment to evaluate the proposed structural change detection method. As a result, security can be reinforced relatively to availability and confidentiality. • (Method 1): A method of binary classification of attack communication and normal communication • (Method 2): An anomaly detection method that defines normal state from normal communication and detects from the departure from the normal state

show abstract

“…We also use BOS (Behavior Observable System), D3M (Drive-by Download Data by Marionette) dataset and NCD (Normal Communication Data in MWSCup 2014). These datasets are parts of the MWS datasets [33], and include pcap files. BOS and D3M contain malicious traffic.…”

Section: Experiments 51 Datasetmentioning

confidence: 99%

Leaving All Proxy Server Logs to Paragraph Vector

Mimura

Tanaka

2018

Journal of Information Processing

View full text Add to dashboard Cite

Cyberattack techniques continue to evolve every day. Detecting unseen drive-by-download attacks or C&C traffic is a challenging task. Pattern-matching-based techniques and using malicious blacklists are not efficient anymore, because attackers easily change the traffic pattern or infrastructure to avoid detection. Therefore, many behaviorbased detection methods have been proposed, which use the immutable characteristic of the traffic. These previous methods, however, focus on the attack technique, and can only detect drive-by-download (DbD) attacks or C&C traffic which have the immutable characteristic. These traditional methods have to devise the feature vectors. This paper proposes a generic detection method, which is independent of attack methods and does not need devising feature vectors. Our method uses Paragraph Vector, an unsupervised algorithm that learns fixed-length feature representations from variable-length texts and classifiers. Our method uses Paragraph Vector to capture the context in proxy server logs. We conducted cross-validation, timeline analysis and cross-dataset validation with multiple datasets. The experimental results show our method can detect unseen DbD attacks and C&C traffic in proxy server logs. The best F-measure achieved 0.97 in the timeline analysis and 0.96 on the other dataset.

show abstract

Empowering Anti-malware Research in Japan by Sharing the MWS Datasets

Cited by 21 publications

References 16 publications

Trends of anti-analysis operations of malwares observed in API call logs

Trends of anti-analysis operations of malwares observed in API call logs

Attack Detection Approach by Packet Analysis Using Online Learning with Kernel Method and Correlation Change Method

Leaving All Proxy Server Logs to Paragraph Vector

Contact Info

Product

Resources

About