Poisoning behavioral malware clustering

Proceedings of the ACM Conference on Computer and Communications Security

Volumn 2014-November, Issue November, 2014, Pages 27-36

  Biggio, Battista ^a   Rieck, Konrad ^b   Ariu, Davide ^a   Wressnegger, Christian ^b   Corona, Igino ^a   Giacinto, Giorgio ^a   Roli, Fabio ^a  

^a UNIVERSITY OF CAGLIARI   (Italy)

^b UNIVERSITY OF GÖTTINGEN   (Germany)

Author keywords

Adversarial machine learning; Clustering; Computer security; Malware detection; Security evaluation; Unsupervised learning

Indexed keywords

ARTIFICIAL INTELLIGENCE; COMPUTER VIRUSES; INPUT OUTPUT PROGRAMS; NETWORK SECURITY; SECURITY OF DATA; SECURITY SYSTEMS; UNSUPERVISED LEARNING;

ANTI-VIRUS SYSTEMS; CLUSTERING; CLUSTERING APPROACH; MALWARE DETECTION; OPEN SOURCE TOOLS; POISONING ATTACKS; POISONING BEHAVIOR; SECURITY EVALUATION;

CLUSTERING ALGORITHMS;

EID: 84937712787     PISSN: 15437221     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1145/2666652.2666666     Document Type: Conference Paper

References (35)

1. M. Bailey, J. Oberheide, J. Andersen, Z. M. Mao, F. Jahanian, and J. Nazario. Automated classiffcation and analysis of internet malware. In Recent Adances in Intrusion Detection (RAID), pages 178{197, 2007.
2. M. Barreno, B. Nelson, R. Sears, A. D. Joseph, and J. D. Tygar. Can machine learning be secure? In ASIACCS '06: Proceedings of the 2006 ACM Symposium on Information, computer and communications security, pages 16{25, New York, NY, USA, 2006. ACM.
3. U. Bayer, P. Comparetti, C. Hlauschek, C. Kruegel, and E. Kirda. Scalable, behavior-based malware clustering. In Proc. of Network and Distributed System Security Symposium (NDSS), 2009.
4. B. Biggio, S. R. Bulò, I. Pillai, M. Mura, E. Z. Mequanint, M. Pelillo, and F. Roli. Poisoning completelinkage hierarchical clustering. In Structural, Syntactic, and Statistical Pattern Recognition, 2014, In press.
5. B. Biggio, I. Corona, D. Maiorca, B. Nelson, N. Šrndić , P. Laskov, G. Giacinto, and F. Roli. Evasion attacks against machine learning at test time. In H. Blockeel, K. Kersting, S. Nijssen, and F. Železný, editors, European Conference on Machine Learning and Principles and Practice of Knowledge Discovery in Databases (ECML PKDD), Part III, volume 8190 of Lecture Notes in Computer Science, pages 387{402. Springer Berlin Heidelberg, 2013.
6. B. Biggio, I. Corona, B. Nelson, B. Rubinstein, D. Maiorca, G. Fumera, G. Giacinto, and F. Roli. Security evaluation of support vector machines in adversarial environments. In Y. Ma and G. Guo, editors, Support Vector Machines Applications, pages 105{153. Springer International Publishing, 2014.
7. B. Biggio, G. Fumera, and F. Roli. Security evaluation of pattern classiffers under attack. IEEE Transactions on Knowledge and Data Engineering, 26(4):984{996, April 2014.
8. B. Biggio, B. Nelson, and P. Laskov. Poisoning attacks against support vector machines. In J. Langford and J. Pineau, editors, 29th Int'l Conf. on Machine Learning. Omnipress, 2012.
9. B. Biggio, I. Pillai, S. R. Buló, D. Ariu, M. Pelillo, and F. Roli. Is data clustering in adversarial settings secure? In Proceedings of the 2013 ACM Workshop on Arti-cial Intelligence and Security, AISec '13, pages 87{98, New York, NY, USA, 2013. ACM.
10. M. Brückner, C. Kanzow, and T. Scheffer. Static prediction games for adversarial learning problems. J. Mach. Learn. Res., 13:2617{2654, 2012.
11. M. Brunner, M. Epah, H. Ho-nger, C. Roblee, P. Schoo, and S. Todt. The fraunhofer aisec malware analysis laboratory. Technical report, Fraunhofer Institute AISEC, 2010.
12. P. Fogla, M. Sharif, R. Perdisci, O. Kolesnikov, and W. Lee. Polymorphic blending attacks. In USENIX-SS'06: Proceedings of the 15th conference on USENIX Security Symposium, Berkeley, CA, USA, 2006. USENIX Association.
13. G. Gu, R. Perdisci, J. Zhang, and W. Lee. BotMiner: Clustering Analysis of Network Traffic for Protocol- And Structure-Independent Botnet Detection. In Proc. of USENIX Security Symposium, 2008.
14. G. Gu, J. Zhang, and W. Lee. Bot Sniffer: Detecting Botnet Command and Control Channels in Network Traffic. In Proc. of Network and Distributed System Security Symposium (NDSS), 2008.
15. F. Guo, P. Ferrie, and T. Chiueh. A study of the packer problem and its solutions. In Recent Advances in Intrusion Detection, 2008.
16. X. Hu and K. G. Shin. DUET: Integration of dynamic and static analyses for malware clustering with cluster ensembles. In Proc. of Annual Computer Security Applications Conference (ACSAC), 2013.
17. L. Huang, A. D. Joseph, B. Nelson, B. Rubinstein, and J. D. Tygar. Adversarial machine learning. In 4th ACM Workshop on Artifficial Intelligence and Security (AISec 2011), pages 43{57, Chicago, IL, USA, October 2011.
18. iSeclab. Anubis. http://anubis.iseclab.org, visited April, 2014.
19. A. K. Jain, M. N. Murty, and P. J. Flynn. Data clustering: A review. ACM Comput. Surv., 31(3):264{323, Sept. 1999.
20. J. Jang, D. Brumley, and S. Venkataraman. Bitshred: feature hashing malware for scalable triage and semantic analysis. In Proc. of ACM Conference on Computer and Communications Security (CCS), pages 309{320, 2011.
21. Kaspersky Lab. KASPERSKY SECURITY BULLETIN 2013. http://media.kaspersky.com/pdf/KSB-2013-EN.pdf, 2014.
22. M. Kloft and P. Laskov. Online anomaly detection under adversarial impact. In Proceedings of the 13th International Conference on Artifficial Intelligence and Statistics (AISTATS), pages 405{412, 2010.
23. A. Kolcz and C. H. Teo. Feature weighting for improved classiffier robustness. In Sixth Conference on Email and Anti-Spam (CEAS), Mountain View, CA, USA, 16/07/2009 2009.
24. R. Perdisci, D. Ariu, and G. Giacinto. Scalable finegrained behavioral clustering of http-based malware. Computer Networks, 57(2):487 { 500, 2013.
25. R. Perdisci, W. Lee, and N. Feamster. Behavioral clustering of HTTP-based malware and signature generation using malicious network traces. In Proc. of USENIX Symposium on Networked Systems Design and Implementation (NSDI), pages 391{404, 2010.
26. R. Perdisci and M. U. VAMO: Towards a fully automated malware clustering validity analysis. In Proc. of Annual Computer Security Applications Conference (ACSAC), 2012.
27. K. Rieck, T. Holz, C. Willems, P. Düssel, and P. Laskov. Learning and classiffication of malware behavior. In Detection of Intrusions and Malware & Vulnerability Assessment (DIMVA), pages 108{125, July 2008.
28. K. Rieck, P. Trinius, C. Willems, and T. Holz. Automatic analysis of malware behavior using machine learning. J. Comput. Secur., 19(4):639{668, 2011.
29. K. Tan, K. Killourhy, and R. Maxion. Undermining an anomaly-based intrusion detection system using common exploits. In Recent Adances in Intrusion Detection (RAID), pages 54{73, 2002.
30. K. Tan and R. Maxion. \Why 6?" Defining the operational limits of stide, an anomaly-based intrusion detector. In Proc. of IEEE Symposium on Security and Privacy, pages 188{201, 2002.
31. P. Trinius, C. Willems, T. Holz, and K. Rieck. A malware instruction set for behavior-based analysis. In Proc. of GI Conference \Sicherheit" (Sicherheit, Schutz und Verlasslichkeit), pages 205{216, Oct. 2010.
32. C. J. van Rijsbergen. Information Retrieval. Butterworth, 1979.
33. VirusTotal. https://www.virustotal.com.
34. D. Wagner and P. Soto. Mimicry attacks on host based intrusion detection systems. In Proc. of ACM Conference on Computer and Communications Security (CCS), pages 255{264, 2002.
35. C. Willems, T. Holz, and F. Freiling. CWSandbox: Towards automated dynamic binary analysis. IEEE Security and Privacy, 5(2):32{39, 2007.