Extraction of statistically significant malware behaviors

Sirinda Palahan; Domagoj Babic; Swarat Chaudhuri; Daniel Kifer

doi:10.1145/2523649.2523659

Extraction of statistically significant malware behaviors

Sirinda Palahan, Domagoj Babic, Swarat Chaudhuri, Daniel Kifer

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

23 Scopus citations

Abstract

Traditionally, analysis of malicious software is only a semi-automated process, often requiring a skilled human analyst. As new malware appears at an increasingly alarming rate - now over 100 thousand new variants each day - there is a need for automated techniques for identifying suspicious behavior in programs. In this paper, we propose a method for extracting statistically significant malicious behaviors from a system call dependency graph (obtained by running a binary executable in a sandbox). Our approach is based on a new method for measuring the statistical significance of subgraphs. Given a training set of graphs from two classes (e.g., goodware and malware system call dependency graphs), our method can assign p-values to subgraphs of new graph instances even if those subgraphs have not appeared before in the training data (thus possibly capturing new behaviors or disguised versions of existing behaviors).

Original language	English (US)
Title of host publication	Proceedings - 29th Annual Computer Security Applications Conference, ACSAC 2013
Pages	69-78
Number of pages	10
DOIs	https://doi.org/10.1145/2523649.2523659
State	Published - 2013
Event	29th Annual Computer Security Applications Conference, ACSAC 2013 - New Orleans, LA, United States Duration: Dec 9 2013 → Dec 13 2013

Publication series

Name	ACM International Conference Proceeding Series

Other

Other	29th Annual Computer Security Applications Conference, ACSAC 2013
Country/Territory	United States
City	New Orleans, LA
Period	12/9/13 → 12/13/13

All Science Journal Classification (ASJC) codes

Software
Human-Computer Interaction
Computer Vision and Pattern Recognition
Computer Networks and Communications

Access to Document

10.1145/2523649.2523659

Cite this

@inproceedings{474206274b314a068bf7f72a0c432a01,

title = "Extraction of statistically significant malware behaviors",

abstract = "Traditionally, analysis of malicious software is only a semi-automated process, often requiring a skilled human analyst. As new malware appears at an increasingly alarming rate - now over 100 thousand new variants each day - there is a need for automated techniques for identifying suspicious behavior in programs. In this paper, we propose a method for extracting statistically significant malicious behaviors from a system call dependency graph (obtained by running a binary executable in a sandbox). Our approach is based on a new method for measuring the statistical significance of subgraphs. Given a training set of graphs from two classes (e.g., goodware and malware system call dependency graphs), our method can assign p-values to subgraphs of new graph instances even if those subgraphs have not appeared before in the training data (thus possibly capturing new behaviors or disguised versions of existing behaviors).",

author = "Sirinda Palahan and Domagoj Babic and Swarat Chaudhuri and Daniel Kifer",

year = "2013",

doi = "10.1145/2523649.2523659",

language = "English (US)",

isbn = "9781450320153",

series = "ACM International Conference Proceeding Series",

pages = "69--78",

booktitle = "Proceedings - 29th Annual Computer Security Applications Conference, ACSAC 2013",

note = "29th Annual Computer Security Applications Conference, ACSAC 2013 ; Conference date: 09-12-2013 Through 13-12-2013",

}

Palahan, S, Babic, D, Chaudhuri, S & Kifer, D 2013, Extraction of statistically significant malware behaviors. in Proceedings - 29th Annual Computer Security Applications Conference, ACSAC 2013. ACM International Conference Proceeding Series, pp. 69-78, 29th Annual Computer Security Applications Conference, ACSAC 2013, New Orleans, LA, United States, 12/9/13. https://doi.org/10.1145/2523649.2523659

TY - GEN

T1 - Extraction of statistically significant malware behaviors

AU - Palahan, Sirinda

AU - Babic, Domagoj

AU - Chaudhuri, Swarat

AU - Kifer, Daniel

PY - 2013

Y1 - 2013

N2 - Traditionally, analysis of malicious software is only a semi-automated process, often requiring a skilled human analyst. As new malware appears at an increasingly alarming rate - now over 100 thousand new variants each day - there is a need for automated techniques for identifying suspicious behavior in programs. In this paper, we propose a method for extracting statistically significant malicious behaviors from a system call dependency graph (obtained by running a binary executable in a sandbox). Our approach is based on a new method for measuring the statistical significance of subgraphs. Given a training set of graphs from two classes (e.g., goodware and malware system call dependency graphs), our method can assign p-values to subgraphs of new graph instances even if those subgraphs have not appeared before in the training data (thus possibly capturing new behaviors or disguised versions of existing behaviors).

AB - Traditionally, analysis of malicious software is only a semi-automated process, often requiring a skilled human analyst. As new malware appears at an increasingly alarming rate - now over 100 thousand new variants each day - there is a need for automated techniques for identifying suspicious behavior in programs. In this paper, we propose a method for extracting statistically significant malicious behaviors from a system call dependency graph (obtained by running a binary executable in a sandbox). Our approach is based on a new method for measuring the statistical significance of subgraphs. Given a training set of graphs from two classes (e.g., goodware and malware system call dependency graphs), our method can assign p-values to subgraphs of new graph instances even if those subgraphs have not appeared before in the training data (thus possibly capturing new behaviors or disguised versions of existing behaviors).

UR - http://www.scopus.com/inward/record.url?scp=84893321191&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=84893321191&partnerID=8YFLogxK

U2 - 10.1145/2523649.2523659

DO - 10.1145/2523649.2523659

M3 - Conference contribution

AN - SCOPUS:84893321191

SN - 9781450320153

T3 - ACM International Conference Proceeding Series

SP - 69

EP - 78

BT - Proceedings - 29th Annual Computer Security Applications Conference, ACSAC 2013

T2 - 29th Annual Computer Security Applications Conference, ACSAC 2013

Y2 - 9 December 2013 through 13 December 2013

ER -

Extraction of statistically significant malware behaviors

Abstract

Publication series

Other

All Science Journal Classification (ASJC) codes

Access to Document

Other files and links

Fingerprint

Cite this