Malware triage for early identification of Advanced Persistent Threat activities / Laurenza, Giuseppe; Lazzeretti, Riccardo; Mazzotti, Luca. - In: DIGITAL THREATS. - ISSN 2692-1626. - 1:3(2020). [10.1145/3386581]
Malware triage for early identification of Advanced Persistent Threat activities
Giuseppe Laurenza; Riccardo Lazzeretti
2020
Abstract
In the last decade, a new class of cyber-threats known as “Advanced Persistent Threats” (APTs) has emerged; the term refers to various organizations performing dangerous and effective attacks against financial and political entities, critical infrastructures, and so on. To identify APT-related malware early, a semi-automatic approach to malware sample analysis is needed. Recently, a malware triage step for a semi-automatic malware analysis architecture has been introduced. Its duty is to identify incoming APT samples early, among all the malware delivered each day in cyberspace, and to immediately dispatch them to deeper analysis. In that paper, the authors built the knowledge base on known APTs from publicly available reports. For efficiency, they rely on static malware features, which can be extracted with negligible delay, and use machine learning techniques for the identification. Unfortunately, the proposed solution has the disadvantage of a long training time and must be completely retrained each time new APT samples, or even a new APT class, are discovered. In this paper, we move from multi-class classification to a group of one-class classifiers, which significantly decreases runtime and allows higher modularity while still guaranteeing precision and accuracy over 90%.

File | Type | License | Size | Format
---|---|---|---|---
Laurenza_postprint_Malware_2020.pdf (open access; note: https://dl.acm.org/doi/pdf/10.1145/3386581) | Post-print document (version after peer review, accepted for publication) | All rights reserved | 577.02 kB | Adobe PDF
Laurenza_Malware_2020.pdf (open access) | Publisher's version (published with the publisher's layout) | All rights reserved | 229.42 kB | Adobe PDF
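The abstract's central design choice is replacing one multi-class model with a group of independent one-class classifiers, one per known APT group, so that a new group (or new samples for an existing one) only requires fitting one model rather than retraining everything. The following is an added toy illustration of that architecture, not code from the paper or its authors: each one-class model is a simple standardised-distance detector fitted on constructed feature vectors (the feature names, the training values, the 1.5 threshold margin and the group names APT-A/B/C are all assumptions made for the example), and the ensemble reports which groups, if any, accept an incoming sample.

```python
"""Toy ensemble of one-class classifiers for APT triage (added example, not the paper's code)."""
import math
from dataclasses import dataclass
from typing import Dict, List, Sequence, Tuple

Vector = Sequence[float]

# Constructed training data (not from the paper): each row is a hypothetical static
# feature vector (imported-API count, PE section count, entropy x100, file size in KB)
# for samples attributed to one APT group.
TRAINING: Dict[str, List[Tuple[float, ...]]] = {
    "APT-A": [(120, 5, 620, 310), (115, 5, 640, 300), (130, 6, 610, 320), (118, 5, 630, 305)],
    "APT-B": [(40, 8, 780, 90), (42, 8, 790, 95), (38, 9, 770, 88), (45, 8, 785, 92)],
}


@dataclass(frozen=True)
class OneClassModel:
    """Accepts a sample when its standardised Euclidean distance from the class
    centroid is within a threshold learned from that class's own samples only."""
    mean: Tuple[float, ...]
    std: Tuple[float, ...]
    threshold: float

    @staticmethod
    def _distance(mean: Tuple[float, ...], std: Tuple[float, ...], x: Vector) -> float:
        return math.sqrt(sum(((xi - mi) / si) ** 2 for xi, mi, si in zip(x, mean, std)))

    @classmethod
    def fit(cls, samples: Sequence[Vector], margin: float = 1.5) -> "OneClassModel":
        n, d = len(samples), len(samples[0])
        mean = tuple(sum(s[i] for s in samples) / n for i in range(d))
        # A feature that is constant in training has std 0; fall back to 1.0 so the
        # division stays defined (any deviation then counts at full weight).
        std = tuple(
            math.sqrt(sum((s[i] - mean[i]) ** 2 for s in samples) / n) or 1.0 for i in range(d)
        )
        # Acceptance radius: largest training distance, widened by an assumed margin.
        radius = max(cls._distance(mean, std, s) for s in samples)
        return cls(mean, std, radius * margin)

    def distance(self, x: Vector) -> float:
        return self._distance(self.mean, self.std, x)

    def accepts(self, x: Vector) -> bool:
        return self.distance(x) <= self.threshold


class Ensemble:
    """One independent one-class model per APT group; adding a group never touches the others."""

    def __init__(self) -> None:
        self.models: Dict[str, OneClassModel] = {}

    def add_class(self, name: str, samples: Sequence[Vector]) -> None:
        self.models[name] = OneClassModel.fit(samples)  # fits only this group's model

    def triage(self, x: Vector) -> List[str]:
        """Groups whose model accepts the sample, closest first; empty list = not a known APT."""
        hits = sorted((m.distance(x), name) for name, m in self.models.items() if m.accepts(x))
        return [name for _, name in hits]


def build_ensemble() -> Ensemble:
    ens = Ensemble()
    for name, samples in TRAINING.items():
        ens.add_class(name, samples)
    return ens


def demo() -> dict:
    ens = build_ensemble()
    model_a_before = ens.models["APT-A"]
    results = {
        "apt_a_like": ens.triage((122, 5, 625, 312)),       # constructed: close to APT-A
        "unrelated": ens.triage((300, 12, 400, 2000)),      # constructed: far from every group
    }
    # A newly discovered group is added by fitting one more model; APT-A and APT-B are untouched.
    ens.add_class("APT-C", [(200, 4, 500, 1500), (205, 4, 510, 1490), (198, 4, 495, 1510), (202, 4, 505, 1505)])
    results["apt_c_like"] = ens.triage((201, 4, 502, 1498))  # constructed: close to APT-C
    results["apt_a_untouched"] = ens.models["APT-A"] is model_a_before
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The detector itself is deliberately simple; the point is the structure: each model is fitted from its own group's samples only, so the cost of absorbing a new APT class is one `fit` call, and a sample rejected by every model falls through to the "not a known APT" outcome instead of being forced into the nearest class as a multi-class classifier would do.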
Documents in IRIS are protected by copyright and all rights are reserved, unless otherwise indicated.