
Latest publications: 2014 Second Workshop on Anti-malware Testing Research (WATeR)

Building a machine learning classifier for malware detection
Pub Date : 2014-10-01 DOI: 10.1109/WATER.2014.7015757
Zane Markel, Michael Bilzor
Current signature-based antivirus software is ineffective against many modern malicious software threats. Machine learning methods can be used to create more effective antimalware software, capable of detecting even zero-day attacks. Some studies have investigated the plausibility of applying machine learning to malware detection, primarily using features from n-grams of an executable file's byte code. We propose an approach that primarily learns from metadata, mostly contained in the headers of executable files, specifically the Windows Portable Executable 32-bit (PE32) file format. Our experiments indicate that executable file metadata is highly discriminative between malware and benign software. We also employ various machine learning methods, finding that Decision Tree classifiers outperform Logistic Regression and Naive Bayes in this setting. We analyze various features of the PE32 header and identify those most suitable for machine learning classifiers. Finally, we evaluate changes in classifier performance when the malware prevalence (fraction of malware versus benign software) is varied.
Citations: 52
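The abstract above proposes learning from PE32 header metadata rather than from byte n-grams. The following Python is an added example, not the paper's code: it parses the DOS header, COFF file header, PE32 optional header and section table of an executable and returns a feature dictionary of the kind a classifier could consume. The choice of fields and the derived features (entry point inside an executable section, writable-and-executable sections, ASLR/NX opt-in flags, overlay bytes past the last section, non-standard section names) is my own selection and is not claimed to be the paper's feature set. The sample image built by `build_sample_pe32()` is constructed by hand and is not a real binary; the parser rejects truncated input and PE32+ (0x20B) images, whose optional header has a different layout.

```python
"""Header-metadata feature extraction for a PE32 malware classifier.

Added example, not the paper's code. The selected fields are my own choice
from the COFF header, optional header and section table; the sample image
below is hand-constructed and is not a real executable.
"""
import struct
from typing import Any, Dict

DOS_SIGNATURE = b"MZ"
NT_SIGNATURE = b"PE\0\0"
PE32_MAGIC = 0x10B             # PE32 only; PE32+ (0x20B) lays the optional header out differently
COFF_FMT = "<HHIIIHH"          # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
                               # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
OPT_FMT = "<HBB9I6HI3I2H4I2I"  # the 96 bytes of standard PE32 optional-header fields
SECTION_FMT = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER, 40 bytes
SCN_MEM_EXECUTE = 0x20000000
SCN_MEM_WRITE = 0x80000000
DLL_DYNAMIC_BASE = 0x0040      # ASLR opt-in
DLL_NX_COMPAT = 0x0100         # DEP opt-in
STANDARD_SECTIONS = {".text", ".data", ".rdata", ".bss", ".idata", ".edata", ".rsrc", ".reloc", ".tls"}


def _unpack(fmt: str, data: bytes, offset: int) -> tuple:
    """unpack_from with a bounds check, so truncated input fails with a clear error."""
    if offset < 0 or offset + struct.calcsize(fmt) > len(data):
        raise ValueError(f"truncated header at offset {offset:#x}")
    return struct.unpack_from(fmt, data, offset)


def extract_pe32_features(data: bytes) -> Dict[str, Any]:
    """Parse the PE32 headers and return header-derived features for a classifier."""
    if data[:2] != DOS_SIGNATURE:
        raise ValueError("missing MZ signature")
    (e_lfanew,) = _unpack("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != NT_SIGNATURE:
        raise ValueError("missing PE signature")
    coff_off = e_lfanew + 4
    machine, n_sections, timestamp, _, _, opt_size, characteristics = _unpack(COFF_FMT, data, coff_off)
    opt_off = coff_off + struct.calcsize(COFF_FMT)
    opt = _unpack(OPT_FMT, data, opt_off)
    if opt[0] != PE32_MAGIC:
        raise ValueError(f"not a PE32 optional header (magic {opt[0]:#x})")
    entry_point, image_base = opt[6], opt[9]
    size_of_image, size_of_headers, checksum, subsystem, dll_chars = opt[19:24]
    n_rva_sizes = opt[29]

    # Section table follows the optional header; use SizeOfOptionalHeader, not a constant.
    sections = []
    for i in range(n_sections):
        name, vsize, vaddr, raw_size, raw_ptr, _, _, _, _, flags = _unpack(
            SECTION_FMT, data, opt_off + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0").decode("latin-1"), vsize, vaddr, raw_size, raw_ptr, flags))

    # Flags of the section containing the entry point, or None if it points outside every section.
    ep_flags = next((f for _, vs, va, rs, _, f in sections if va <= entry_point < va + max(vs, rs)), None)
    raw_end = max((rp + rs for _, _, _, rs, rp, _ in sections), default=size_of_headers)
    return {
        "machine": machine,
        "number_of_sections": n_sections,
        "timestamp": timestamp,
        "characteristics": characteristics,
        "entry_point": entry_point,
        "image_base": image_base,
        "size_of_image": size_of_image,
        "size_of_headers": size_of_headers,
        "checksum": checksum,
        "subsystem": subsystem,
        "dll_characteristics": dll_chars,
        "number_of_rva_and_sizes": n_rva_sizes,
        "has_aslr": bool(dll_chars & DLL_DYNAMIC_BASE),
        "has_nx": bool(dll_chars & DLL_NX_COMPAT),
        "entry_point_in_section": ep_flags is not None,
        "entry_point_in_executable_section": ep_flags is not None and bool(ep_flags & SCN_MEM_EXECUTE),
        "wx_sections": sum(1 for s in sections if s[5] & SCN_MEM_EXECUTE and s[5] & SCN_MEM_WRITE),
        "nonstandard_section_names": sum(1 for s in sections if s[0] not in STANDARD_SECTIONS),
        "overlay_bytes": max(0, len(data) - raw_end),  # bytes appended past the last section
    }


def build_sample_pe32() -> bytes:
    """Constructed minimal PE32 image (i386, GUI subsystem, .text and .data); not a real binary."""
    dos = bytearray(0x40)
    dos[:2] = DOS_SIGNATURE
    struct.pack_into("<I", dos, 0x3C, 0x40)                    # e_lfanew: PE header follows DOS header
    coff = struct.pack(COFF_FMT, 0x014C, 2, 0x54000000, 0, 0, 224, 0x0102)  # EXECUTABLE_IMAGE | 32BIT
    opt = struct.pack(OPT_FMT, PE32_MAGIC, 9, 0,
                      0x400, 0x200, 0, 0x1000, 0x1000, 0x2000, 0x400000, 0x1000, 0x200,
                      5, 1, 0, 0, 5, 1,
                      0, 0x3000, 0x400, 0,
                      2, DLL_DYNAMIC_BASE | DLL_NX_COMPAT,
                      0x100000, 0x1000, 0x100000, 0x1000,
                      0, 16) + bytes(128)                      # 16 empty data directories
    text = struct.pack(SECTION_FMT, b".text", 0x3A0, 0x1000, 0x400, 0x400, 0, 0, 0, 0, 0x60000020)
    rdata = struct.pack(SECTION_FMT, b".data", 0x100, 0x2000, 0x200, 0x800, 0, 0, 0, 0, 0xC0000040)
    headers = bytes(dos) + NT_SIGNATURE + coff + opt + text + rdata
    headers += bytes(0x400 - len(headers))                     # pad to SizeOfHeaders
    return headers + b"\x90" * 0x400 + bytes(0x200)            # raw .text, then raw .data
```

Run `extract_pe32_features(build_sample_pe32())` to see the feature dictionary for the constructed image; feed the same function real samples to build a training matrix. Features that depend on the section table (entry point outside any executable section, writable-and-executable sections, overlay bytes) are the kind of cheap structural signals packers and droppers tend to disturb, which is why header metadata can separate classes without looking at code bytes at all.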
The malware author testing challenge
Pub Date : 2014-10-01 DOI: 10.1109/WATER.2014.7015755
Tarun Moni, Sameer Salahudeen, Anil Somayaji
Attackers regularly evaluate anti-malware software to see whether or not their malware will be detected. This attacker-driven anti-malware testing is something defenders would ideally want to limit. Given that anti-malware products must be widely distributed to be commercially viable, it is not feasible to prevent attackers from running them. Here we examine whether it may be possible to instead limit the effectiveness of attacker tests. Specifically, we present a game-theoretic model of anti-malware testing where detection timeliness and coverage are parameters that can be adjusted by anti-malware providers. The less coverage and the slower the response, the harder it is for attackers to determine whether their malware will be detected, and the less protection the software provides to hosts running the anti-malware software. While our results are preliminary, they suggest that it is clearly non-optimal for anti-malware vendors to simply maximize coverage and detection time. As we explain, this result has significant implications for product design and (non-malicious) anti-malware testing methodologies.
Citations: 0
Performance testing framework: Evaluating the impact on the system speed
Pub Date : 2014-10-01 DOI: 10.1109/WATER.2014.7015753
Paul Bot, Cristina Vatamanu, Dragos Gavrilut, Razvan Benchea
The world we live in now is defined by the word “speed”, and any device, technology, or system that doesn't keep up is rejected or replaced immediately. Because of this, one of the biggest concerns today is “optimization”. Its purpose is to reduce the impact on the user's device. The Anti-Virus industry is also confronted with this challenge. Although the first concern is to keep the user safe by providing flawless protection, it is crucial to reduce the impact on the user's system, so that he does not disable or uninstall the AV solution and remain unprotected. The increased number of malware types/families, as well as their complexity, has generated the need for complicated detection methods, which means constant evaluation is needed. For these reasons, our antimalware laboratory has developed a generic framework for measuring the impact that AV solutions have on the system they are installed on. This system was designed to be easily configurable and fast, managing the large number of changes that occur every day, so that every update released to users can be tested. This framework is also used to test and develop new technologies that improve the performance of our AV product.
Citations: 0
A significant improvement for anti-malware tests
Pub Date : 2014-10-01 DOI: 10.1109/WATER.2014.7015754
R. Ford, M. Carvalho
Despite ongoing improvements in the quality of antimalware tests, the way in which test results are handled often shows a low level of sophistication. In this paper, we introduce the simple concept of confidence intervals and statistical significance to these tests, and show that many of the “best practice” approaches common in other fields are lacking in the security-software testing industry. Further, we argue that the lack of these techniques harms the industry as a whole, and provide a road map for broader adoption of well-known statistical techniques for estimating the confidence interval on measurements.
Citations: 2
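The abstract above argues that anti-malware test results should carry confidence intervals and be compared with significance tests. The following Python is an added example, not the paper's code: it computes a Wilson score interval for a measured detection rate, a pooled two-proportion z-test for the difference between two products tested on the same sample set, and the sample size needed for a given margin at an expected detection rate. The product names and detection counts in `CONSTRUCTED_RESULTS` are constructed for illustration and are not results from any real test.

```python
"""Confidence intervals and significance tests for anti-malware detection rates.

Added example, not the paper's code: Wilson score intervals for a measured
detection rate, a pooled two-proportion z-test for the difference between two
products, and the sample size a test needs for a given margin. The results
below are constructed, not taken from any real test.
"""
import math
from typing import Dict, Tuple

Z_95 = 1.959964  # two-sided 95% normal quantile

# Constructed results: (samples detected, samples tested) per product, same sample set.
CONSTRUCTED_RESULTS: Dict[str, Tuple[int, int]] = {
    "Product A": (196, 200),
    "Product B": (192, 200),
    "Product C": (180, 200),
}


def wilson_interval(detected: int, total: int, z: float = Z_95) -> Tuple[float, float]:
    """Wilson score interval for a binomial proportion. Unlike the naive
    p +/- z*sqrt(p(1-p)/n), it stays inside [0, 1] and is usable when p is near 0 or 1,
    which is exactly where detection rates sit."""
    if total <= 0 or not 0 <= detected <= total:
        raise ValueError("need 0 <= detected <= total and total > 0")
    p = detected / total
    z2 = z * z
    denom = 1 + z2 / total
    centre = (p + z2 / (2 * total)) / denom
    half = z * math.sqrt(p * (1 - p) / total + z2 / (4 * total * total)) / denom
    return max(0.0, centre - half), min(1.0, centre + half)


def two_proportion_test(d1: int, n1: int, d2: int, n2: int) -> Tuple[float, float]:
    """Pooled two-proportion z-test. Returns (z statistic, two-sided p-value)."""
    p1, p2 = d1 / n1, d2 / n2
    pooled = (d1 + d2) / (n1 + n2)
    se = math.sqrt(pooled * (1 - pooled) * (1 / n1 + 1 / n2))
    if se == 0.0:  # both products detected everything (or nothing): no evidence of a difference
        return 0.0, 1.0
    z = (p1 - p2) / se
    p_value = math.erfc(abs(z) / math.sqrt(2))  # two-sided tail of the standard normal
    return z, p_value


def samples_for_margin(expected_rate: float, margin: float, z: float = Z_95) -> int:
    """Samples needed for the interval half-width to be at most `margin` at the expected rate."""
    if not 0 < expected_rate < 1 or margin <= 0:
        raise ValueError("rate must be in (0, 1) and margin positive")
    return math.ceil(z * z * expected_rate * (1 - expected_rate) / (margin * margin))


def compare(results: Dict[str, Tuple[int, int]], a: str, b: str, alpha: float = 0.05) -> Dict[str, object]:
    """Both products' rates with intervals, plus whether their difference is significant at alpha."""
    (da, na), (db, nb) = results[a], results[b]
    z, p_value = two_proportion_test(da, na, db, nb)
    return {
        a: (da / na, wilson_interval(da, na)),
        b: (db / nb, wilson_interval(db, nb)),
        "z": z,
        "p_value": p_value,
        "significant": p_value < alpha,
    }


if __name__ == "__main__":
    for name, (d, n) in CONSTRUCTED_RESULTS.items():
        lo, hi = wilson_interval(d, n)
        print(f"{name}: {d}/{n} = {d / n:.1%}  95% CI [{lo:.1%}, {hi:.1%}]")
    for other in ("Product B", "Product C"):
        r = compare(CONSTRUCTED_RESULTS, "Product A", other)
        print(f"A vs {other}: z={r['z']:.2f} p={r['p_value']:.4f} significant={r['significant']}")
    print("samples for +/-1 point at 95% detection:", samples_for_margin(0.95, 0.01))
```

With the constructed numbers, a 98.0% versus 96.0% result on 200 samples is not a significant difference at the 5% level (the two 95% intervals overlap substantially), while 98.0% versus 90.0% is. `samples_for_margin(0.95, 0.01)` shows why: resolving a one-point difference around a 95% detection rate needs on the order of 1,800 samples, far more than many published tests use. That is the practical content of the abstract's argument: a league table of detection percentages without intervals ranks noise.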
Breach detection system testing methodology
Pub Date : 2014-10-01 DOI: 10.1109/WATER.2014.7015756
Z. Balázs, Sveta Miladinov, Chris Pickard
Traditional antivirus systems, firewalls, intrusion detection or prevention systems, mail and web proxies have been bypassed by determined attackers for a long time. In order to fight these new threats, vendors started to develop new systems, called breach detection systems. Because the end goal of these systems is detection, they can be considered next-generation intrusion detection systems. In order to measure the effectiveness of these breach detection systems, we propose a new type of test methodology. Our approach is based on the premise that advanced attackers who can bypass the existing layers of security have the time, skill and resources to create unknown malware with advanced bypass capabilities. We will evaluate a hybrid approach, where the IP / domain of the attacker's C&C server is simulated in one case and real in another. Our approach uses only RAT (Remote Admin Tool / Remote Access Trojan) functionality, using both in-the-wild and custom-developed RATs.
Citations: 2