DeepAI AI Chat
Log In Sign Up

The Shape of Alerts: Detecting Malware Using Distributed Detectors by Robustly Amplifying Transient Correlations

03/01/2018
by   Mikhail Kazdagli, et al.
The University of Texas at Austin
0

We introduce a new malware detector - Shape-GD - that aggregates per-machine detectors into a robust global detector. Shape-GD is based on two insights: 1. Structural: actions such as visiting a website (waterhole attack) by nodes correlate well with malware spread, and create dynamic neighborhoods of nodes that were exposed to the same attack vector. However, neighborhood sizes vary unpredictably and require aggregating an unpredictable number of local detectors' outputs into a global alert. 2. Statistical: feature vectors corresponding to true and false positives of local detectors have markedly different conditional distributions - i.e. their shapes differ. The shape of neighborhoods can identify infected neighborhoods without having to estimate neighborhood sizes - on 5 years of Symantec detectors' logs, Shape-GD reduces false positives from 1M down to 110K and raises alerts 345 days (on average) before commercial anti-virus products; in a waterhole attack simulated using Yahoo web-service logs, Shape-GD detects infected machines when only 100 of 550K are compromised.

READ FULL TEXT

page 1

page 2

page 3

page 4

10/22/2020

Getting Passive Aggressive About False Positives: Patching Deployed Malware Detectors

False positives (FPs) have been an issue of extreme importance for anti-...
06/17/2021

DroidMorph: Are We Ready to Stop the Attack of Android Malware Clones?

The number of Android malware variants (clones) are on the rise and, to ...
12/16/2022

WebAssembly Diversification for Malware Evasion

WebAssembly is a binary format that has become an essential component of...
06/24/2022

XMD: An Expansive Hardware-telemetry based Malware Detector to enhance Endpoint Detection

Hardware-based Malware Detectors (HMDs) have shown promise in detecting ...
11/06/2019

The Naked Sun: Malicious Cooperation Between Benign-Looking Processes

Recent progress in machine learning has generated promising results in b...
12/08/2022

PKDGA: A Partial Knowledge-based Domain Generation Algorithm for Botnets

Domain generation algorithms (DGAs) can be categorized into three types:...
01/18/2016

Pulse processing routines for neutron time-of-flight data

A pulse shape analysis framework is described, which was developed for n...