Chatter

Classifying malware families using system event ordering

Aziz Mohaisen, Andrew G. West, Allison Mankin, Omar Alrawi

    Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

    12 Citations (Scopus)

    Abstract

    Using runtime execution artifacts to identify malware and its associated 'family' is an established technique in the security domain. Many papers in the literature rely on explicit features derived from network, file system, or registry interaction. While effective, use of these fine-granularity data points makes these techniques computationally expensive. Moreover, the signatures and heuristics this analysis produces are often circumvented by subsequent malware authors. To this end we propose CHATTER, a system that is concerned only with the order in which high-level system events take place. Individual events are mapped onto an alphabet and execution traces are captured via terse concatenations of those letters. Then, leveraging an analyst-labeled corpus of malware, n-gram document classification techniques are applied to produce a classifier predicting malware family. This paper describes that technique and its proof-of-concept evaluation. In its prototype form only network events are considered and three malware families are highlighted. We show the technique achieves roughly 80% accuracy in isolation and makes non-trivial performance improvements when integrated with a baseline classifier of non-ordered features (with an accuracy of roughly 95%).
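    The pipeline the abstract describes (high-level event to letter, trace to short string, character n-grams, family classifier) as an added worked example. This is illustrative code written for this page, not the authors' CHATTER implementation: the event alphabet, the three family labels and the sandbox traces are constructed, and a multinomial naive Bayes classifier with Laplace smoothing stands in for whatever n-gram document classifier the paper evaluated.

```python
"""Added example (not the paper's code): event-order n-gram classifier.

Each high-level network event is mapped to one letter, a sandbox trace
becomes a short string, and character n-grams of that string are the
features fed to a multinomial naive Bayes classifier.  The alphabet,
family labels and traces below are constructed for illustration.
"""
import math
from collections import Counter, defaultdict

# Hypothetical alphabet: one letter per high-level network event type.
EVENT_ALPHABET = {
    "dns_query": "D",
    "tcp_connect": "C",
    "http_get": "G",
    "http_post": "P",
    "tls_handshake": "T",
    "irc_join": "I",
    "smtp_send": "S",
}


def encode_trace(events):
    """Map an ordered list of event names onto the alphabet; unknown events become '?'."""
    return "".join(EVENT_ALPHABET.get(e, "?") for e in events)


def ngrams(trace, n_values=(1, 2, 3)):
    """Character n-gram counts of an encoded trace.

    n_values=(1,) gives an order-blind bag of events; adding 2 and 3
    captures which events follow which, the signal the paper relies on.
    """
    feats = Counter()
    for n in n_values:
        for i in range(len(trace) - n + 1):
            feats[trace[i:i + n]] += 1
    return feats


class NGramNaiveBayes:
    """Multinomial naive Bayes over n-gram counts with Laplace smoothing."""

    def __init__(self, alpha=1.0):
        self.alpha = alpha
        self.class_counts = Counter()            # traces seen per family
        self.feat_counts = defaultdict(Counter)  # per-family n-gram counts
        self.vocab = set()                       # every n-gram seen in training

    def fit(self, traces, labels):
        for trace, label in zip(traces, labels):
            feats = ngrams(trace)
            self.class_counts[label] += 1
            self.feat_counts[label].update(feats)
            self.vocab.update(feats)
        return self

    def log_prob(self, trace, label):
        """log P(label) + sum over n-grams of count * log P(gram | label)."""
        n_docs = sum(self.class_counts.values())
        lp = math.log(self.class_counts[label] / n_docs)
        denom = sum(self.feat_counts[label].values()) + self.alpha * len(self.vocab)
        for gram, count in ngrams(trace).items():
            lp += count * math.log((self.feat_counts[label][gram] + self.alpha) / denom)
        return lp

    def predict(self, trace):
        return max(self.class_counts, key=lambda label: self.log_prob(trace, label))


# Constructed training corpus: three hypothetical families with distinct orderings.
TRAINING = [
    (["dns_query", "tcp_connect", "irc_join", "irc_join"], "botA"),
    (["dns_query", "tcp_connect", "irc_join", "tcp_connect", "irc_join"], "botA"),
    (["dns_query", "tcp_connect", "tls_handshake", "http_post", "http_post"], "stealerB"),
    (["dns_query", "tcp_connect", "tls_handshake", "http_post"], "stealerB"),
    (["dns_query", "smtp_send", "smtp_send", "dns_query", "smtp_send"], "spamC"),
    (["tcp_connect", "smtp_send", "dns_query", "smtp_send"], "spamC"),
]


def train_demo():
    """Fit the classifier on the constructed corpus above."""
    traces = [encode_trace(events) for events, _ in TRAINING]
    labels = [label for _, label in TRAINING]
    return NGramNaiveBayes().fit(traces, labels)


def classify(model, events):
    """Predict the family of a fresh (ordered) event list."""
    return model.predict(encode_trace(events))


if __name__ == "__main__":
    model = train_demo()
    print(classify(model, ["dns_query", "tcp_connect", "irc_join"]))
```

    The n-gram extractor is parameterised so the contrast with a non-ordered baseline is visible directly: with unigrams only, two traces containing the same events in a different order yield identical features, while bigrams and trigrams tell them apart. Unknown event types are kept as a placeholder letter rather than dropped, so a trace with novel behaviour still keeps its length and ordering.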

    Original language: English
    Title of host publication: 2014 IEEE Conference on Communications and Network Security, CNS 2014
    Publisher: Institute of Electrical and Electronics Engineers Inc.
    Pages: 283-291
    Number of pages: 9
    ISBN (Print): 9781479958900
    DOIs: 10.1109/CNS.2014.6997496
    Publication status: Published - 23 Dec 2014
    Event: 2014 IEEE Conference on Communications and Network Security, CNS 2014 - San Francisco
    Duration: 29 Oct 2014 - 31 Oct 2014

    Other

    Other: 2014 IEEE Conference on Communications and Network Security, CNS 2014
    City: San Francisco
    Period: 29/10/14 - 31/10/14

    Fingerprint

    Classifiers
    Malware

    ASJC Scopus subject areas

    • Computer Networks and Communications

    Cite this

    Mohaisen, A., West, A. G., Mankin, A., & Alrawi, O. (2014). Chatter: Classifying malware families using system event ordering. In 2014 IEEE Conference on Communications and Network Security, CNS 2014 (pp. 283-291). [6997496] Institute of Electrical and Electronics Engineers Inc.. https://doi.org/10.1109/CNS.2014.6997496

    Chatter : Classifying malware families using system event ordering. / Mohaisen, Aziz; West, Andrew G.; Mankin, Allison; Alrawi, Omar.

    2014 IEEE Conference on Communications and Network Security, CNS 2014. Institute of Electrical and Electronics Engineers Inc., 2014. p. 283-291 6997496.

    Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

    Mohaisen, A, West, AG, Mankin, A & Alrawi, O 2014, Chatter: Classifying malware families using system event ordering. in 2014 IEEE Conference on Communications and Network Security, CNS 2014., 6997496, Institute of Electrical and Electronics Engineers Inc., pp. 283-291, 2014 IEEE Conference on Communications and Network Security, CNS 2014, San Francisco, 29/10/14. https://doi.org/10.1109/CNS.2014.6997496
    Mohaisen A, West AG, Mankin A, Alrawi O. Chatter: Classifying malware families using system event ordering. In 2014 IEEE Conference on Communications and Network Security, CNS 2014. Institute of Electrical and Electronics Engineers Inc. 2014. p. 283-291. 6997496 https://doi.org/10.1109/CNS.2014.6997496
    Mohaisen, Aziz ; West, Andrew G. ; Mankin, Allison ; Alrawi, Omar. / Chatter : Classifying malware families using system event ordering. 2014 IEEE Conference on Communications and Network Security, CNS 2014. Institute of Electrical and Electronics Engineers Inc., 2014. pp. 283-291
    @inproceedings{53e6d5321e044c8e8bc360ff9b52fcbf,
    title = "Chatter: Classifying malware families using system event ordering",
    abstract = "Using runtime execution artifacts to identify malware and its associated 'family' is an established technique in the security domain. Many papers in the literature rely on explicit features derived from network, file system, or registry interaction. While effective, use of these fine-granularity data points makes these techniques computationally expensive. Moreover, the signatures and heuristics this analysis produces are often circumvented by subsequent malware authors. To this end we propose CHATTER, a system that is concerned only with the order in which high-level system events take place. Individual events are mapped onto an alphabet and execution traces are captured via terse concatenations of those letters. Then, leveraging an analyst-labeled corpus of malware, n-gram document classification techniques are applied to produce a classifier predicting malware family. This paper describes that technique and its proof-of-concept evaluation. In its prototype form only network events are considered and three malware families are highlighted. We show the technique achieves roughly 80{\%} accuracy in isolation and makes non-trivial performance improvements when integrated with a baseline classifier of non-ordered features (with an accuracy of roughly 95{\%}).",
    author = "Aziz Mohaisen and West, {Andrew G.} and Allison Mankin and Omar Alrawi",
    year = "2014",
    month = "12",
    day = "23",
    doi = "10.1109/CNS.2014.6997496",
    language = "English",
    isbn = "9781479958900",
    pages = "283--291",
    booktitle = "2014 IEEE Conference on Communications and Network Security, CNS 2014",
    publisher = "Institute of Electrical and Electronics Engineers Inc.",

    }

    TY - GEN

    T1 - Chatter

    T2 - Classifying malware families using system event ordering

    AU - Mohaisen, Aziz

    AU - West, Andrew G.

    AU - Mankin, Allison

    AU - Alrawi, Omar

    PY - 2014/12/23

    Y1 - 2014/12/23

    N2 - Using runtime execution artifacts to identify malware and its associated 'family' is an established technique in the security domain. Many papers in the literature rely on explicit features derived from network, file system, or registry interaction. While effective, use of these fine-granularity data points makes these techniques computationally expensive. Moreover, the signatures and heuristics this analysis produces are often circumvented by subsequent malware authors. To this end we propose CHATTER, a system that is concerned only with the order in which high-level system events take place. Individual events are mapped onto an alphabet and execution traces are captured via terse concatenations of those letters. Then, leveraging an analyst-labeled corpus of malware, n-gram document classification techniques are applied to produce a classifier predicting malware family. This paper describes that technique and its proof-of-concept evaluation. In its prototype form only network events are considered and three malware families are highlighted. We show the technique achieves roughly 80% accuracy in isolation and makes non-trivial performance improvements when integrated with a baseline classifier of non-ordered features (with an accuracy of roughly 95%).

    AB - Using runtime execution artifacts to identify malware and its associated 'family' is an established technique in the security domain. Many papers in the literature rely on explicit features derived from network, file system, or registry interaction. While effective, use of these fine-granularity data points makes these techniques computationally expensive. Moreover, the signatures and heuristics this analysis produces are often circumvented by subsequent malware authors. To this end we propose CHATTER, a system that is concerned only with the order in which high-level system events take place. Individual events are mapped onto an alphabet and execution traces are captured via terse concatenations of those letters. Then, leveraging an analyst-labeled corpus of malware, n-gram document classification techniques are applied to produce a classifier predicting malware family. This paper describes that technique and its proof-of-concept evaluation. In its prototype form only network events are considered and three malware families are highlighted. We show the technique achieves roughly 80% accuracy in isolation and makes non-trivial performance improvements when integrated with a baseline classifier of non-ordered features (with an accuracy of roughly 95%).

    UR - http://www.scopus.com/inward/record.url?scp=84921442582&partnerID=8YFLogxK

    UR - http://www.scopus.com/inward/citedby.url?scp=84921442582&partnerID=8YFLogxK

    U2 - 10.1109/CNS.2014.6997496

    DO - 10.1109/CNS.2014.6997496

    M3 - Conference contribution

    SN - 9781479958900

    SP - 283

    EP - 291

    BT - 2014 IEEE Conference on Communications and Network Security, CNS 2014

    PB - Institute of Electrical and Electronics Engineers Inc.

    ER -