DeepAI AI Chat
Log In Sign Up

The Shape of Alerts: Detecting Malware Using Distributed Detectors by Robustly Amplifying Transient Correlations

by   Mikhail Kazdagli, et al.
The University of Texas at Austin

We introduce a new malware detector - Shape-GD - that aggregates per-machine detectors into a robust global detector. Shape-GD is based on two insights: 1. Structural: actions such as visiting a website (waterhole attack) by nodes correlate well with malware spread, and create dynamic neighborhoods of nodes that were exposed to the same attack vector. However, neighborhood sizes vary unpredictably and require aggregating an unpredictable number of local detectors' outputs into a global alert. 2. Statistical: feature vectors corresponding to true and false positives of local detectors have markedly different conditional distributions - i.e. their shapes differ. The shape of neighborhoods can identify infected neighborhoods without having to estimate neighborhood sizes - on 5 years of Symantec detectors' logs, Shape-GD reduces false positives from 1M down to 110K and raises alerts 345 days (on average) before commercial anti-virus products; in a waterhole attack simulated using Yahoo web-service logs, Shape-GD detects infected machines when only 100 of 550K are compromised.


page 1

page 2

page 3

page 4


Getting Passive Aggressive About False Positives: Patching Deployed Malware Detectors

False positives (FPs) have been an issue of extreme importance for anti-...

DroidMorph: Are We Ready to Stop the Attack of Android Malware Clones?

The number of Android malware variants (clones) are on the rise and, to ...

WebAssembly Diversification for Malware Evasion

WebAssembly is a binary format that has become an essential component of...

XMD: An Expansive Hardware-telemetry based Malware Detector to enhance Endpoint Detection

Hardware-based Malware Detectors (HMDs) have shown promise in detecting ...

The Naked Sun: Malicious Cooperation Between Benign-Looking Processes

Recent progress in machine learning has generated promising results in b...

PKDGA: A Partial Knowledge-based Domain Generation Algorithm for Botnets

Domain generation algorithms (DGAs) can be categorized into three types:...

Pulse processing routines for neutron time-of-flight data

A pulse shape analysis framework is described, which was developed for n...