22,843 research outputs found

    Machine Learning Aided Static Malware Analysis: A Survey and Tutorial

    Malware analysis and detection techniques have been evolving during the last decade as a reflection of the development of different malware techniques to evade network-based and host-based security protections. The fast growth in variety and number of malware species made it very difficult for forensics investigators to provide an on-time response. Therefore, Machine Learning (ML) aided malware analysis became a necessity to automate different aspects of static and dynamic malware investigation. We believe that machine learning aided static analysis can be used as a methodological approach in technical Cyber Threats Intelligence (CTI) rather than resource-consuming dynamic malware analysis that has been thoroughly studied before. In this paper, we address this research gap by conducting an in-depth survey of different machine learning methods for classification of static characteristics of 32-bit malicious Portable Executable (PE32) Windows files and develop a taxonomy for better understanding of these techniques. Afterwards, we offer a tutorial on how different machine learning techniques can be utilized in extraction and analysis of a variety of static characteristics of PE binaries and evaluate accuracy and practical generalization of these techniques. Finally, the results of an experimental study of all the methods using common data are given to demonstrate the accuracy and complexity. This paper may serve as a stepping stone for future researchers in the cross-disciplinary field of machine learning aided malware forensics. Comment: 37 Page

    Annual Report: 2009

    I submit herewith the annual report from the Agricultural and Forestry Experiment Station, School of Natural Resources and Agricultural Sciences, University of Alaska Fairbanks, for the period ending December 31, 2009. This is done in accordance with an act of Congress, approved March 2, 1887, entitled, “An act to establish agricultural experiment stations, in connection with the agricultural college established in the several states under the provisions of an act approved July 2, 1862, and under the acts supplementary thereto,” and also of the act of the Alaska Territorial Legislature, approved March 12, 1935, accepting the provisions of the act of Congress. The research reports are organized according to our strategic plan, which focuses on high-latitude soils, high-latitude agriculture, natural resources use and allocation, ecosystems management, and geographic information. These areas cross department and unit lines, linking them and unifying the research. We have also included in our financial statement information on the special grants we receive. These special grants allow us to provide research and outreach that is targeted toward economic development in Alaska. Research conducted by our graduate and undergraduate students plays an important role in these grants and the impact they make on Alaska. Financial statement -- Grants -- Students -- Research Reports: Partners, Facilities, and Programs; Geography; High-Latitude Agriculture; High-Latitude Soils; Management of Ecosystems; Natural Resources Use and Allocation; Index to Reports -- Publications -- Facult

    Reviewer Integration and Performance Measurement for Malware Detection

    We present and evaluate a large-scale malware detection system integrating machine learning with expert reviewers, treating reviewers as a limited labeling resource. We demonstrate that even in small numbers, reviewers can vastly improve the system's ability to keep pace with evolving threats. We conduct our evaluation on a sample of VirusTotal submissions spanning 2.5 years and containing 1.1 million binaries with 778GB of raw feature data. Without reviewer assistance, we achieve 72% detection at a 0.5% false positive rate, performing comparably to the best vendors on VirusTotal. Given a budget of 80 accurate reviews daily, we improve detection to 89% and are able to detect 42% of malicious binaries undetected upon initial submission to VirusTotal. Additionally, we identify a previously unnoticed temporal inconsistency in the labeling of training datasets. We compare the impact of training labels obtained at the same time training data is first seen with training labels obtained months later. We find that using training labels obtained well after samples appear, and thus unavailable in practice for current training data, inflates measured detection by almost 20 percentage points. We release our cluster-based implementation, as well as a list of all hashes in our evaluation and 3% of our entire dataset. Comment: 20 papers, 11 figures, accepted at the 13th Conference on Detection of Intrusions and Malware & Vulnerability Assessment (DIMVA 2016

    Annual Report: 2008

    I submit herewith the annual report from the Agricultural and Forestry Experiment Station, School of Natural Resources and Agricultural Sciences, University of Alaska Fairbanks, for the period ending December 31, 2008. This is done in accordance with an act of Congress, approved March 2, 1887, entitled, “An act to establish agricultural experiment stations, in connection with the agricultural college established in the several states under the provisions of an act approved July 2, 1862, and under the acts supplementary thereto,” and also of the act of the Alaska Territorial Legislature, approved March 12, 1935, accepting the provisions of the act of Congress. The research reports are organized according to our strategic plan, which focuses on high-latitude soils, high-latitude agriculture, natural resources use and allocation, ecosystems management, and geographic information. These areas cross department and unit lines, linking them and unifying the research. We have also included in our financial statement information on the special grants we receive. These special grants allow us to provide research and outreach that is targeted toward economic development in Alaska. Research conducted by our graduate and undergraduate students plays an important role in these grants and the impact they make on Alaska. Financial statement -- Grants -- Students -- Research reports: Partners, Facilities, and Programs; Geographic Information; High-Latitude Agriculture; High-Latitude Soils, Management of Ecosystems; Natural Resources Use and Allocation; Index to Reports -- Publications -- Facult

    Blocking Zika virus vertical transmission.

    The outbreak of the Zika virus (ZIKV) has been associated with increased incidence of congenital malformations. Although recent efforts have focused on vaccine development, treatments for infected individuals are needed urgently. Sofosbuvir (SOF), an FDA-approved nucleotide analog inhibitor of the Hepatitis C (HCV) RNA-dependent RNA polymerase (RdRp) was recently shown to be protective against ZIKV both in vitro and in vivo. Here, we show that SOF protected human neural progenitor cells (NPC) and 3D neurospheres from ZIKV infection-mediated cell death and importantly restored the antiviral immune response in NPCs. In vivo, SOF treatment post-infection (p.i.) decreased viral burden in an immunodeficient mouse model. Finally, we show for the first time that acute SOF treatment of pregnant dams p.i. was well-tolerated and prevented vertical transmission of the virus to the fetus. Taken together, our data confirmed SOF-mediated sparing of human neural cell types from ZIKV-mediated cell death in vitro and reduced viral burden in vivo in animal models of chronic infection and vertical transmission, strengthening the growing body of evidence for SOF anti-ZIKV activity