TY - JOUR
T1 - Malware modeling and experimentation through parameterized behavior
AU - Celik, Z. Berkay
AU - McDaniel, Patrick
AU - Bowen, Thomas
N1 - Funding Information:
The authors declared the following potential conflicts of interest with respect to the research, authorship, and/or publication of this article: Research was sponsored by the Army Research Laboratory and was accomplished under Cooperative Agreement Number W911NF-13-2-0045 (ARL Cyber Security CRA). The views and conclusions contained in this document are those of the authors and should not be interpreted as representing the official policies, either expressed or implied, of the Army Research Laboratory or the U.S. Government. The U.S. Government is authorized to reproduce and distribute reprints for Government purposes notwithstanding any copyright notation here on.
Publisher Copyright:
© 2017, © The Author(s) 2017.
PY - 2018/1/1
Y1 - 2018/1/1
N2 - Experimentation is critical to understanding malware operation and to evaluating potential defenses. However, constructing the controlled environments needed for this experimentation is both time-consuming and error-prone. In this study, we highlight several common mistakes made by researchers and conclude that existing evaluations of malware detection techniques often lack both flexibility and transparency. For instance, we show that small variations in a malware’s behavioral parameters can have a significant impact on evaluation results. These variations, if unexplored, may lead to overly optimistic conclusions and to detection systems that are ineffective in practice. To overcome these issues, we propose a framework to model malware behavior and guide systematic parameter selection. We evaluate our framework using a synthetic botnet executed within the CyberVAN testbed. Our study is intended to foster critical evaluation of proposed detection techniques and to stymie unintentionally erroneous experimentation.
AB - Experimentation is critical to understanding malware operation and to evaluating potential defenses. However, constructing the controlled environments needed for this experimentation is both time-consuming and error-prone. In this study, we highlight several common mistakes made by researchers and conclude that existing evaluations of malware detection techniques often lack both flexibility and transparency. For instance, we show that small variations in a malware’s behavioral parameters can have a significant impact on evaluation results. These variations, if unexplored, may lead to overly optimistic conclusions and to detection systems that are ineffective in practice. To overcome these issues, we propose a framework to model malware behavior and guide systematic parameter selection. We evaluate our framework using a synthetic botnet executed within the CyberVAN testbed. Our study is intended to foster critical evaluation of proposed detection techniques and to stymie unintentionally erroneous experimentation.
UR - http://www.scopus.com/inward/record.url?scp=85040037039&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85040037039&partnerID=8YFLogxK
U2 - 10.1177/1548512917721755
DO - 10.1177/1548512917721755
M3 - Article
AN - SCOPUS:85040037039
SN - 1548-5129
VL - 15
SP - 31
EP - 48
JO - Journal of Defense Modeling and Simulation
JF - Journal of Defense Modeling and Simulation
IS - 1
ER -