http://dx.doi.org/10.7472/jksii.2019.20.2.9

Automatic Malware Detection Rule Generation and Verification System  

Kim, Sungho (Security Technology Research Division, National Security Research Institute)
Lee, Suchul (Dept. of Computer Science and Information Engineering, Korea National University of Transportation)
Publication Information
Journal of Internet Computing and Services, v.20, no.2, 2019, pp. 9-19
Abstract
Services and users on the Internet are increasing rapidly, and cyber attacks are increasing with them, resulting in information leakage and financial damage. Governments, public agencies, and companies respond to known malicious code with security systems that use signature-based detection rules. However, generating and validating signature-based detection rules takes a long time. In this paper, we propose and develop a signature-based detection rule generation and verification system that uses a signature extraction scheme based on the LDA (latent Dirichlet allocation) algorithm together with a traffic analysis technique. Experimental results show that detection rules are generated and verified much more quickly than before.
Keywords
Malware; Detection rule; Snort; LDA; Network threat