Open Access. Powered by Scholars. Published by Universities.®
Physical Sciences and Mathematics Commons™
Open Access. Powered by Scholars. Published by Universities.®
Articles 1 - 2 of 2
Full-Text Articles in Physical Sciences and Mathematics
Chatter: Classifying Malware Families Using System Event Ordering, Aziz Mohaisen, Andrew G. West, Allison Mankin, Omar Alrawi
Chatter: Classifying Malware Families Using System Event Ordering, Aziz Mohaisen, Andrew G. West, Allison Mankin, Omar Alrawi
Andrew G. West
Using runtime execution artifacts to identify malware and its associated "family" is an established technique in the security domain. Many papers in the literature rely on explicit features derived from network, file system, or registry interaction. While effective, use of these fine-granularity data points makes these techniques computationally expensive. Moreover, the signatures and heuristics this analysis produces are often circumvented by subsequent malware authors.
To this end we propose CHATTER, a system that is concerned only with the order in which high-level system events take place. Individual events are mapped onto an alphabet and execution traces are captured via terse …
Metadata-Driven Threat Classification Of Network Endpoints Appearing In Malware, Andrew G. West, Aziz Mohaisen
Metadata-Driven Threat Classification Of Network Endpoints Appearing In Malware, Andrew G. West, Aziz Mohaisen
Andrew G. West
Networked machines serving as binary distribution points, C&C channels, or drop sites are a ubiquitous aspect of malware infrastructure. By sandboxing malcode one can extract the network endpoints (i.e., domains and URL paths) contacted during execution. Some endpoints are benign, e.g., connectivity tests. Exclusively malicious destinations, however, can serve as signatures enabling network alarms. Often these behavioral distinctions are drawn by expert analysts, resulting in considerable cost and labeling latency.
Leveraging 28,000 expert-labeled endpoints derived from ~100k malware binaries this paper characterizes those domains/URLs towards prioritizing manual efforts and automatic signature generation. Our analysis focuses on endpoints' static metadata properties …