
    Intelligent Agents for Active Malware Analysis

    The main contribution of this thesis is to give a novel perspective on Active Malware Analysis modeled as a decision-making process between intelligent agents. We propose solutions aimed at extracting the behaviors of malware agents with advanced Artificial Intelligence techniques. In particular, we devise novel action selection strategies for the analyzer agents that allow malware to be analyzed by selecting sequences of triggering actions aimed at maximizing the information acquired. The goal is to create informative models representing the behaviors of the malware agents observed while interacting with them during the analysis process. Such models can then be used to effectively compare a malware against others and to correctly identify the malware famil

    Noisy mean field game model for malware propagation in opportunistic networks

    In this paper we present analytical mean field techniques that can be used to better understand the behavior of malware propagation in large opportunistic networks. We develop a modeling methodology based on stochastic mean field optimal control that is able to capture many aspects of the problem, especially the impact of the control and heterogeneity of the system on the spreading characteristics of malware. The stochastic large process characterizing the evolution of the total number of infected nodes is examined with a noisy mean field limit and compared to a deterministic one. The stochastic nature of the wireless environment makes stochastic approaches more realistic for such types of networks. By introducing control strategies, we show that the fraction of infected nodes can be maintained below some threshold. In contrast to most of the existing results on mean field propagation models, which focus on deterministic equations, we show that the mean field limit is stochastic if the second moment of the number of object transitions per time slot is unbounded with the size of the system. This allows us to compare one path of the fraction of infected nodes with the stochastic trajectory of its mean field limit. In order to take into account the heterogeneity of opportunistic networks, the analysis is extended to multiple types of nodes. Our numerical results show that the heterogeneity can help to stabilize the system. We verify the results through simulation, showing how to obtain useful approximations in the case of very large systems.

    Bayesian Active Malware Analysis

    We propose a novel technique for Active Malware Analysis (AMA) formalized as a Bayesian game between an analyzer agent and a malware agent, focusing on the decision-making strategy for the analyzer. In our model, the analyzer performs an action on the system to trigger the malware into showing a malicious behavior, i.e., by activating its payload. The formalization is built upon the link between malware families and the notion of types in Bayesian games. A key point is the design of the utility function, which reflects the amount of uncertainty on the type of the adversary after the execution of an analyzer action. This allows us to devise an algorithm to play the game with the aim of minimizing the entropy of the analyzer's belief at every stage of the game in a myopic fashion. Empirical evaluation indicates that our approach results in a significant improvement both in terms of learning speed and classification score when compared to other state-of-the-art AMA techniques.