ABSTRACT
Modern cyber attacks are often conducted by distributing digital documents that contain malware. The approach detailed herein, which consists of a classifier that uses features derived from dynamic analysis of a document viewer as it renders the document in question, is capable of classifying the disposition of digital documents with greater than 98% accuracy even when its model is trained on just small amounts of data. To keep the classification model itself small and thereby provide scalability, we employ an entity resolution strategy that merges syntactically disparate features that are thought to be semantically equivalent but vary only due to programmatic randomness. Entity resolution enables construction of a comprehensive model of benign functionality using relatively few training documents, and the model does not improve significantly with additional training data.
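The abstract's key mechanism is entity resolution: collapsing dynamic-analysis features that differ only by run-to-run randomness (per-user paths, temporary file names, allocation addresses) so that a benign model built from a few traces stops growing as more traces are added. The Python below is an added illustration, not the paper's code or dataset: the trace strings are constructed, the resolution rules are assumptions about what "programmatic randomness" looks like in viewer traces, and the novelty-fraction classifier is a stand-in for whatever classifier the paper actually uses. It compares model growth with and without resolution and then scores a constructed benign and a constructed suspicious trace against the resolved benign model.

```python
"""Entity resolution over dynamic-analysis features (added example).

All traces below are constructed for illustration. The resolution rules and
the novelty-fraction classifier are assumptions for this example, not the
paper's method.
"""
import re
from typing import Iterable, List, Set

# Each rule maps a syntactically random component to a canonical placeholder so
# that two runs of the same benign behaviour yield the same feature string.
RESOLUTION_RULES = [
    # GUIDs such as {3F2504E0-4F89-11D3-9A0C-0305E82C3301}
    (re.compile(r"\{?[0-9A-Fa-f]{8}-(?:[0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}\}?"), "<GUID>"),
    # per-user profile directories: C:\Users\alice -> C:\Users\<USER>
    (re.compile(r"(?i)(C:\\Users\\)[^\\]+"), r"\1<USER>"),
    # randomly named temp files such as acr8F3A.tmp -> <TMPFILE>
    (re.compile(r"(?i)\\[A-Za-z]{0,3}[0-9A-Fa-f]{3,8}\.tmp\b"), r"\\<TMPFILE>"),
    # hex addresses / pointers such as 0x00A40000 -> <ADDR>
    (re.compile(r"0x[0-9A-Fa-f]{4,16}"), "<ADDR>"),
]


def resolve_entity(feature: str) -> str:
    """Canonicalise one feature string by applying every resolution rule."""
    for pattern, replacement in RESOLUTION_RULES:
        feature = pattern.sub(replacement, feature)
    return feature


# Constructed benign traces: same viewer behaviour, different random values.
BENIGN_TRACES: List[List[str]] = [
    ["LoadLibrary C:\\Windows\\System32\\msvcrt.dll",
     "RegOpenKey HKCU\\Software\\Adobe\\Acrobat Reader\\11.0\\AVGeneral",
     "CreateFile C:\\Users\\alice\\AppData\\Local\\Temp\\acr8F3A.tmp",
     "VirtualAlloc base=0x00A40000 size=65536"],
    ["LoadLibrary C:\\Windows\\System32\\msvcrt.dll",
     "RegOpenKey HKCU\\Software\\Adobe\\Acrobat Reader\\11.0\\AVGeneral",
     "CreateFile C:\\Users\\bob\\AppData\\Local\\Temp\\acr1C02.tmp",
     "VirtualAlloc base=0x01B20000 size=65536",
     "CreateFile C:\\Windows\\Fonts\\arial.ttf"],
    ["LoadLibrary C:\\Windows\\System32\\msvcrt.dll",
     "RegOpenKey HKCU\\Software\\Adobe\\Acrobat Reader\\11.0\\AVGeneral",
     "CreateFile C:\\Users\\carol\\AppData\\Local\\Temp\\acr77E1.tmp",
     "VirtualAlloc base=0x00A40000 size=65536",
     "CreateFile C:\\Windows\\Fonts\\arial.ttf"],
    ["LoadLibrary C:\\Windows\\System32\\msvcrt.dll",
     "RegOpenKey HKCU\\Software\\Adobe\\Acrobat Reader\\11.0\\AVGeneral",
     "CreateFile C:\\Users\\dave\\AppData\\Local\\Temp\\acr9B10.tmp",
     "VirtualAlloc base=0x02C00000 size=65536"],
]

# Constructed test traces: one benign-looking with a new user, one where the
# viewer drops and launches an executable and opens a network connection.
UNSEEN_BENIGN_TRACE = [
    "LoadLibrary C:\\Windows\\System32\\msvcrt.dll",
    "CreateFile C:\\Users\\frank\\AppData\\Local\\Temp\\acrA0B1.tmp",
    "VirtualAlloc base=0x03D00000 size=65536",
]
MALICIOUS_TRACE = [
    "LoadLibrary C:\\Windows\\System32\\msvcrt.dll",
    "RegOpenKey HKCU\\Software\\Adobe\\Acrobat Reader\\11.0\\AVGeneral",
    "CreateFile C:\\Users\\eve\\AppData\\Local\\Temp\\acr4D4D.tmp",
    "CreateFile C:\\Users\\eve\\AppData\\Local\\Temp\\update.exe",
    "CreateProcess C:\\Users\\eve\\AppData\\Local\\Temp\\update.exe",
    "Connect 203.0.113.7:443",
]


def build_model(traces: Iterable[List[str]], resolve: bool = True) -> Set[str]:
    """Benign model = set of (optionally resolved) features seen in training."""
    model: Set[str] = set()
    for trace in traces:
        model.update(resolve_entity(f) if resolve else f for f in trace)
    return model


def model_growth(traces: List[List[str]], resolve: bool = True) -> List[int]:
    """Model size after each training trace; with resolution it saturates."""
    sizes: List[int] = []
    model: Set[str] = set()
    for trace in traces:
        model.update(resolve_entity(f) if resolve else f for f in trace)
        sizes.append(len(model))
    return sizes


def novelty(trace: List[str], model: Set[str]) -> float:
    """Fraction of a trace's resolved features absent from the benign model."""
    resolved = {resolve_entity(f) for f in trace}
    unseen = [f for f in resolved if f not in model]
    return len(unseen) / len(resolved) if resolved else 0.0


def classify(trace: List[str], model: Set[str], threshold: float = 0.25) -> str:
    """Assumed classifier: flag a trace whose novelty exceeds the threshold."""
    return "malicious" if novelty(trace, model) > threshold else "benign"


if __name__ == "__main__":
    print("growth without resolution:", model_growth(BENIGN_TRACES, resolve=False))
    print("growth with resolution:   ", model_growth(BENIGN_TRACES))
    benign_model = build_model(BENIGN_TRACES)
    for name, trace in (("unseen benign", UNSEEN_BENIGN_TRACE), ("suspicious", MALICIOUS_TRACE)):
        print(f"{name}: novelty={novelty(trace, benign_model):.2f} -> {classify(trace, benign_model)}")
```

Without resolution every new training document adds its own temp-file name, user path and allocation address, so the model keeps growing; with resolution the fourth trace adds nothing, which is the saturation effect the abstract describes. The novelty threshold is an assumed knob; in practice it would be chosen on held-out benign documents so that ordinary viewer variation stays below it.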
Index Terms
- Fast Model Learning for the Detection of Malicious Digital Documents