Detecting malware communities using socio-cultural cognitive mapping
Iain Cruickshank* (1) · Anthony Johnson (2) · Timothy Davison (2) · Matthew Elder (2) · Kathleen M. Carley (1)

© Springer Science+Business Media, LLC, part of Springer Nature 2020

Abstract

We apply a variation of socio-cultural cognitive mapping (SCM) to computer malware features explored previously by Saxe and Berlin, who characterized malware binaries as benign or malicious based on 1024 program features derived from a deep neural network-based detection system. In this work, we model the features as attributes within a latent spatial domain using a weighted consensus graph representation to visualize and analyze the malware binary communities. The data used in our analysis is extracted from a Remote Access Trojan family named Sakula, which first appeared in 2012 and has been used to enable an adversary to run interactive commands and execute remote program functions. Our results show that using SCM we were able to identify distinct malware communities within the malware family, which revealed insights into the overall structure of the various binaries as well as possible temporal relationships between the binaries.

Keywords: Malware analysis · Social network analysis · Cognitive mapping · Graph learning

* Corresponding author: Iain Cruickshank

1 Institute for Software Research, Carnegie Mellon University, Pittsburgh, PA, USA

2 Applied Physics Laboratory, Johns Hopkins University, Laurel, MD, USA
1 Introduction

Cyber-attacks are a critical problem for society, and malware is used by attackers in a large class of cyber-attacks. The volume of malware produced is overwhelming, with hundreds of thousands of new samples discovered every day. The vast majority of malware samples are actually variants of existing malware, produced by transforming or obfuscating an existing sample in such a way that it can evade detection by security products and other defenses. As such, many malware samples could be characterized as belonging to a malware community or family with distinct relations between samples. Categorizing related malware into families and understanding communities of samples within a malware family can aid malware analysts and security operations in prioritizing responses and defenses for new malware samples. While there are a number of existing techniques for analyzing malware (Ye et al. 2017), one approach that has not been explored significantly involves analyzing features from malware samples using social network analysis techniques. Social Network Analysis (SNA) involves structural intuition based on ties linking social actors (McCulloh and Johnson 2013). If we view malware binary samples as individual actors in a network, then we can harness many of the SNA methods to analyze commonalities within the binaries. SNA methods are useful beca