Malware triage for early identification of Advanced Persistent Threat activities

Giuseppe Laurenza; Riccardo Lazzeretti
2020

Abstract

In the last decade, a new class of cyber-threats known as "Advanced Persistent Threat" (APT) has emerged; the term refers to various organizations carrying out dangerous and effective attacks against financial and political entities, critical infrastructures, and similar targets. To identify APT-related malware early, a semi-automatic approach to malware sample analysis is needed. Recently, a malware triage step for a semi-automatic malware analysis architecture has been introduced. This step has the duty of identifying incoming APT samples early, among all the malware delivered each day in cyberspace, so that they can be immediately dispatched to deeper analysis. In that paper, the authors built the knowledge base on known APTs from publicly available reports. For efficiency reasons, they rely on static malware features, extracted with negligible delay, and use machine learning techniques for the identification. Unfortunately, the proposed solution has the disadvantage of requiring a long training time and must be completely retrained each time new APT samples, or even a new APT class, are discovered. In this paper, we move from multi-class classification to a group of one-class classifiers, which significantly decreases runtime and allows higher modularity, while still guaranteeing precision and accuracy over 90%.

Keywords: Malware Analysis; Advanced Persistent Threats; Isolation Forest
Type: 01 Journal publication::01a Journal article
Malware triage for early identification of Advanced Persistent Threat activities / Laurenza, Giuseppe; Lazzeretti, Riccardo; Mazzotti, Luca. - In: DIGITAL THREATS. - ISSN 2692-1626. - 1:3(2020). [10.1145/3386581]
Files attached to this product

Laurenza_postprint_Malware_2020.pdf
Access: open access
Note: https://dl.acm.org/doi/pdf/10.1145/3386581
Type: Post-print document (version after peer review, accepted for publication)
License: All rights reserved
Size: 577.02 kB
Format: Adobe PDF

Laurenza_Malware_2020.pdf
Access: open access
Type: Publisher's version (published version with the publisher's layout)
License: All rights reserved
Size: 229.42 kB
Format: Adobe PDF

Documents in IRIS are protected by copyright and all rights are reserved, unless otherwise indicated.

Use this identifier to cite or link to this document: https://hdl.handle.net/11573/1415263
Citations
  • Scopus 9