Understanding the behavior of malware requires a semi-automatic approach including complex software tools and human analysts in the loop. However, the huge number of malicious samples developed daily calls for some prioritization mechanism to carefully select the samples that really deserve to be further examined by analysts. This avoids computational resources be overloaded and human analysts saturated. In this paper we introduce a malware triage stage where samples are quickly and automatically examined to promptly decide whether they should be immediately dispatched to human analysts or to other specific automatic analysis queues, rather than following the common and slow analysis pipeline. Such triage stage is encapsulated into an architecture for semi-automatic malware analysis presented in a previous work. In this paper we propose an approach for sample prioritization, and its realization within such architecture. Our analysis in the paper focuses on malware developed by Advanced Persistent Threats (APTs). We build our knowledge base, used in the triage, on known APTs obtained from publicly available reports. To make the triage as fast as possible, only static malware features are considered, which can be extracted with negligible delay, without the necessity of executing the malware samples, and we use them to train a random forest classifier. The classifier has been tuned to maximize its precision, so that analysts and other components of the architecture are mostly likely to receive only malware correctly identified as being similar to known APT, and do not waste important resources on false positives. A preliminary analysis shows high precision and accuracy, as desired.

Malware Triage Based on Static Features and Public APT Reports / Laurenza, Giuseppe; Aniello, Leonardo; Lazzeretti, Riccardo; Baldoni, Roberto. - STAMPA. - 10332:(2017), pp. 288-305. (Intervento presentato al convegno 1st International Conference on Cyber Security Cryptography and Machine Learning, CSCML 2017 tenutosi a Beer-Sheva; Israel) [10.1007/978-3-319-60080-2_21].

Malware Triage Based on Static Features and Public APT Reports

Laurenza Giuseppe
;
Aniello Leonardo;Lazzeretti Riccardo;Baldoni Roberto
2017

Abstract

Understanding the behavior of malware requires a semi-automatic approach including complex software tools and human analysts in the loop. However, the huge number of malicious samples developed daily calls for some prioritization mechanism to carefully select the samples that really deserve to be further examined by analysts. This avoids computational resources be overloaded and human analysts saturated. In this paper we introduce a malware triage stage where samples are quickly and automatically examined to promptly decide whether they should be immediately dispatched to human analysts or to other specific automatic analysis queues, rather than following the common and slow analysis pipeline. Such triage stage is encapsulated into an architecture for semi-automatic malware analysis presented in a previous work. In this paper we propose an approach for sample prioritization, and its realization within such architecture. Our analysis in the paper focuses on malware developed by Advanced Persistent Threats (APTs). We build our knowledge base, used in the triage, on known APTs obtained from publicly available reports. To make the triage as fast as possible, only static malware features are considered, which can be extracted with negligible delay, without the necessity of executing the malware samples, and we use them to train a random forest classifier. The classifier has been tuned to maximize its precision, so that analysts and other components of the architecture are mostly likely to receive only malware correctly identified as being similar to known APT, and do not waste important resources on false positives. A preliminary analysis shows high precision and accuracy, as desired.
2017
1st International Conference on Cyber Security Cryptography and Machine Learning, CSCML 2017
Malware analysis; Advanced Persistent Threats; Static analysis; Malware triage
04 Pubblicazione in atti di convegno::04b Atto di convegno in volume
Malware Triage Based on Static Features and Public APT Reports / Laurenza, Giuseppe; Aniello, Leonardo; Lazzeretti, Riccardo; Baldoni, Roberto. - STAMPA. - 10332:(2017), pp. 288-305. (Intervento presentato al convegno 1st International Conference on Cyber Security Cryptography and Machine Learning, CSCML 2017 tenutosi a Beer-Sheva; Israel) [10.1007/978-3-319-60080-2_21].
File allegati a questo prodotto
File Dimensione Formato  
Laurenza_Postprint-Malware-Triage-based_2017

accesso aperto

Note: https://link.springer.com/chapter/10.1007/978-3-319-60080-2_21
Tipologia: Documento in Post-print (versione successiva alla peer review e accettata per la pubblicazione)
Licenza: Tutti i diritti riservati (All rights reserved)
Dimensione 315.41 kB
Formato Adobe PDF
315.41 kB Adobe PDF
Laurenza_Malware-Triage-Based_2017.pdf

solo gestori archivio

Tipologia: Versione editoriale (versione pubblicata con il layout dell'editore)
Licenza: Tutti i diritti riservati (All rights reserved)
Dimensione 636.39 kB
Formato Adobe PDF
636.39 kB Adobe PDF   Contatta l'autore

I documenti in IRIS sono protetti da copyright e tutti i diritti sono riservati, salvo diversa indicazione.

Utilizza questo identificativo per citare o creare un link a questo documento: https://hdl.handle.net/11573/1016190
Citazioni
  • ???jsp.display-item.citation.pmc??? ND
  • Scopus 12
  • ???jsp.display-item.citation.isi??? 8
social impact