Network-based Analysis and Classification of Malware using Behavioral Artifacts Ordering
Using runtime execution artifacts to identify malware and its associated family is an established technique in the security domain. Many papers in the literature rely on explicit features derived from network, file system, or registry interaction. While effective, the use of these fine-granularity data points makes these techniques computationally expensive. Moreover, the signatures and heuristics are often circumvented by subsequent malware authors. In this work, we propose Chatter, a system that is concerned only with the order in which high-level system events take place. Individual events are mapped onto an alphabet and execution traces are captured via terse concatenations of those letters. Then, leveraging an analyst-labeled corpus of malware, n-gram document classification techniques are applied to produce a classifier predicting malware family. This paper describes that technique and its proof-of-concept evaluation. In its prototype form, only network events are considered and eleven malware families are used. We show the technique achieves 83%-94% accuracy in isolation and makes non-trivial performance improvements when integrated with a baseline classifier of combined order features to reach an accuracy of up to 98.8%.

Comment: 14 pages
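The pipeline the abstract describes (events mapped to letters, traces as letter strings, n-gram features fed to a document classifier) as an added illustration; this is not Chatter's code, and the six-letter event alphabet, the tiny labeled corpus and the Naive Bayes classifier are all constructed assumptions standing in for the paper's real alphabet, analyst-labeled traces and classifier.

```python
from collections import Counter
import math

# Constructed alphabet: the abstract says network events are mapped onto
# letters but does not list them, so these six are an assumption.
EVENT_ALPHABET = {"dns_query": "D", "tcp_connect": "C", "http_get": "G",
                  "http_post": "P", "udp_send": "U", "tcp_close": "X"}

def trace_to_string(events):
    """Encode an ordered list of high-level events as a terse letter string."""
    return "".join(EVENT_ALPHABET[e] for e in events)

def ngram_counts(trace, ns=(2, 3)):
    """Count overlapping n-grams: only the ORDER of events is used as a feature,
    not addresses, payloads or any other fine-grained artifact."""
    return Counter(trace[i:i + n] for n in ns for i in range(len(trace) - n + 1))

class NGramNaiveBayes:
    """Multinomial Naive Bayes with Laplace smoothing over n-gram counts
    (a stand-in for the document classifier used in the paper)."""
    def __init__(self, ns=(2, 3)):
        self.ns, self.family_counts, self.vocab = ns, {}, set()

    def fit(self, labeled_traces):
        for trace, family in labeled_traces:
            feats = ngram_counts(trace, self.ns)
            self.family_counts.setdefault(family, Counter()).update(feats)
            self.vocab.update(feats)

    def predict(self, trace):
        feats, best = ngram_counts(trace, self.ns), None
        for family, counts in self.family_counts.items():
            total = sum(counts.values()) + len(self.vocab)  # Laplace denominator
            ll = sum(c * math.log((counts[g] + 1) / total) for g, c in feats.items())
            if best is None or ll > best[0]:
                best = (ll, family)
        return best[1]

# Constructed labeled corpus of already-encoded traces (analyst label second).
CORPUS = [
    ("DCGX" * 3, "downloader"), ("DCGXDCGX", "downloader"),
    ("UUUUUUDUU", "flooder"), ("UUUDU", "flooder"),
    ("DCPX" * 2, "stealer"), ("CPXCPX", "stealer"),
]

def classify(events, corpus=CORPUS):
    """Train on the corpus and predict the family of a new ordered event trace."""
    clf = NGramNaiveBayes()
    clf.fit(corpus)
    return clf.predict(trace_to_string(events))
```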