Malware clustering by execution behavior using fuzzy logic

  • Lindeberg Leite (UnB)
  • Daniel G. Silva (UnB)
  • André Grégio (UFPR)

Abstract


The threat of malware variants continuously increases. Several approaches have been applied to malware clustering for a better understanding of how to characterize families. Among them, behavioral analysis is one that can use supervised or unsupervised learning methods. This type of analysis is mainly based on conventional (crisp) logic, in which a particular sample must belong to exactly one malware family. In this work, we propose a behavioral clustering approach using fuzzy logic, which assigns a relevance degree to each sample and consequently enables it to be part of more than one family. This approach makes it possible to check behaviors of the samples that are not visible under conventional logic. We compare the chosen fuzzy logic algorithm, Fuzzy C-Means (FCM), with K-Means so as to analyze their similarities and show the advantages of FCM for malware behavioral analysis.
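The contrast the abstract draws between crisp and fuzzy assignment is easiest to see on a small behavioral feature set. The following is an added example, not code from the paper or its authors: a pure-Python Fuzzy C-Means beside a plain K-Means, run on constructed two-feature behavior profiles (file writes and network connections per execution, invented for this illustration). Eight samples fall cleanly into a file-dropping group and a network-centric group; a ninth does both. K-Means must put the ninth sample into one family; FCM reports its membership in each, which is the extra information the paper argues for. The deterministic seeding and the 0.7 ambiguity threshold are assumptions made here for reproducibility, not parameters from the paper.

```python
"""Fuzzy C-Means (FCM) versus K-Means on constructed malware behavior vectors.

Added example for the clustering idea in the abstract. Each sample is a
(file writes, network connections) pair counted over one execution; the
values are constructed, not taken from any dataset.
"""
import math
from typing import List, Sequence, Tuple

Vector = Sequence[float]

# Constructed profiles: indices 0-3 resemble a file-dropping family,
# 4-7 a network-centric family, and index 8 shows both behaviors.
SAMPLES: List[Vector] = [
    (10.0, 1.0), (9.0, 2.0), (11.0, 1.0), (10.0, 0.0),
    (1.0, 10.0), (2.0, 9.0), (1.0, 11.0), (0.0, 10.0),
    (5.5, 5.5),
]


def euclid(a: Vector, b: Vector) -> float:
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def initial_centers(data: Sequence[Vector], k: int) -> List[List[float]]:
    """Deterministic seeding (an assumption here): k samples spread evenly
    through the list, so both algorithms start from the same centers."""
    step = max(1, len(data) // k)
    return [list(data[i * step]) for i in range(k)]


def fuzzy_c_means(data: Sequence[Vector], k: int, m: float = 2.0,
                  tol: float = 1e-6, max_iter: int = 200
                  ) -> Tuple[List[List[float]], List[List[float]]]:
    """Bezdek-style FCM. Returns (centers, memberships) where
    memberships[i][j] is the degree to which sample i belongs to cluster j;
    every row sums to 1, so one sample can weigh on several families."""
    centers = initial_centers(data, k)
    exponent = 2.0 / (m - 1.0)
    n_feat = len(data[0])
    memberships = [[0.0] * k for _ in data]
    for _ in range(max_iter):
        # Membership update: u_ij = 1 / sum_l (d_ij / d_il)^(2/(m-1)).
        for i, x in enumerate(data):
            dists = [euclid(x, c) for c in centers]
            on_center = [j for j, d in enumerate(dists) if d == 0.0]
            if on_center:
                # Sample coincides with a center: the ratio is undefined,
                # so give full membership to that center instead.
                memberships[i] = [1.0 / len(on_center) if j in on_center else 0.0
                                  for j in range(k)]
                continue
            for j in range(k):
                memberships[i][j] = 1.0 / sum((dists[j] / d) ** exponent for d in dists)
        # Center update: weighted mean with weights u_ij^m.
        new_centers = []
        for j in range(k):
            weights = [memberships[i][j] ** m for i in range(len(data))]
            total = sum(weights)
            new_centers.append([sum(w * x[f] for w, x in zip(weights, data)) / total
                                for f in range(n_feat)])
        shift = max(euclid(a, b) for a, b in zip(centers, new_centers))
        centers = new_centers
        if shift < tol:
            break
    return centers, memberships


def k_means(data: Sequence[Vector], k: int, max_iter: int = 200
            ) -> Tuple[List[List[float]], List[int]]:
    """Crisp baseline: each sample gets exactly one label."""
    centers = initial_centers(data, k)
    n_feat = len(data[0])
    labels = [0] * len(data)
    for _ in range(max_iter):
        new_labels = [min(range(k), key=lambda j: euclid(x, centers[j])) for x in data]
        for j in range(k):
            members = [x for x, lab in zip(data, new_labels) if lab == j]
            if members:
                centers[j] = [sum(x[f] for x in members) / len(members) for f in range(n_feat)]
        if new_labels == labels:
            break
        labels = new_labels
    return centers, labels


def compare(data: Sequence[Vector] = SAMPLES, k: int = 2,
            ambiguity_threshold: float = 0.7) -> List[dict]:
    """Per-sample report: the crisp K-Means label, the FCM membership row,
    and whether FCM considers the sample ambiguous (no dominant family).
    The 0.7 threshold is an assumption of this example."""
    _, memberships = fuzzy_c_means(data, k)
    _, labels = k_means(data, k)
    return [
        {"sample": tuple(x), "kmeans": lab,
         "fcm": [round(u, 3) for u in row],
         "ambiguous": max(row) < ambiguity_threshold}
        for x, lab, row in zip(data, labels, memberships)
    ]


if __name__ == "__main__":
    for row in compare():
        print(row)
```

On this input K-Means assigns the mixed sample to whichever family is marginally closer after seeding, while FCM gives it roughly 0.5 membership in each cluster and the eight pure samples above 0.99 in their own family. For triage, the `ambiguous` flag is the kind of signal a crisp clustering hides: a sample whose behavior straddles two families deserves a second look rather than a confident family label.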

Published: 2016-11-07

LEITE, Lindeberg; SILVA, Daniel G.; GRÉGIO, André. Agrupamento de malware por comportamento de execução usando lógica fuzzy. In: BRAZILIAN SYMPOSIUM ON CYBERSECURITY (SBSEG), 16., 2016, Niterói. Anais [...]. Porto Alegre: Sociedade Brasileira de Computação, 2016. p. 408-421. DOI: https://doi.org/10.5753/sbseg.2016.19323.
