Origin Information Assisted Hybrid Analysis to Detect APT Malware

  • Conference paper
Information Systems Security (ICISS 2021)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 13146)

Abstract

The sophistication and variety of advanced persistent threat (APT) attacks have risen sharply on a global scale. Detecting APT malware reliably remains an open challenge because these campaigns exploit target assets through zero-day attacks: signatures for zero-day malware are largely non-existent, so APT samples pass undetected through standard signature-based scanning. A set of features that distinguishes APT malware is therefore needed, since traditional hybrid analysis techniques may not identify zero-day exploitation. In this paper, we prepare a novel feature set for malware that combines traditional “static” and “dynamic” features with an additional, novel feature: “origin information”. We argue that knowing where an executable running on the target system came from provides important information about the malware's activity in the initial penetration phase. In extensive experiments, we evaluated the proposed approach with Support Vector Machine (SVM), Random Forest (RF), K-nearest Neighbours (KNN), Decision Tree (DT), and Gradient Boosting (GB) classifiers and achieved up to 92.31% prediction accuracy.
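As an added illustration of the kind of hybrid feature vector the abstract describes (example code written for this page, not the authors' implementation; the paper's own feature definitions are not reproduced here), the block below assembles static, dynamic and origin features for one executable. It assumes, as stand-ins the paper does not specify, that origin information is read from the Windows Zone.Identifier mark-of-the-web stream, that static features are byte entropy plus an import watch-list count, and that dynamic features are counts taken from a sandbox behaviour summary; the sample image, import list, behaviour report and Zone.Identifier stream are all constructed.

```python
"""Hybrid (static + dynamic + origin) feature vector for one executable sample.

Added illustration, not the paper's code. Assumptions made here:
  * "origin information" is approximated by the Windows Mark-of-the-Web
    Zone.Identifier alternate data stream (ZoneId, ReferrerUrl, HostUrl);
  * "static" features are byte entropy and an import watch-list hit count;
  * "dynamic" features are counts from a sandbox behaviour summary, here a
    constructed dict rather than a real Cuckoo report.
"""
import math
from collections import Counter
from typing import Dict, List, Optional
from urllib.parse import urlparse

# URLZONE values recorded in Zone.Identifier (Windows URL security zones).
ZONE_LOCAL, ZONE_INTRANET, ZONE_TRUSTED, ZONE_INTERNET, ZONE_RESTRICTED = range(5)

# Assumed watch-list of imports associated with injection, persistence, download.
SUSPICIOUS_IMPORTS = {
    "VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread",
    "SetWindowsHookExA", "RegSetValueExA", "URLDownloadToFileA",
}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the image; packed or encrypted payloads approach 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_zone_identifier(stream: Optional[str]) -> Dict[str, Optional[str]]:
    """Parse the INI-style Zone.Identifier stream; a missing stream yields no origin data."""
    fields: Dict[str, Optional[str]] = {"ZoneId": None, "ReferrerUrl": None, "HostUrl": None}
    if not stream:
        return fields
    in_section = False
    for raw in stream.splitlines():
        line = raw.strip()
        if line.startswith("["):                      # section header
            in_section = line.lower() == "[zonetransfer]"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            if key.strip() in fields:
                fields[key.strip()] = value.strip()
    return fields


def _is_bare_ipv4(host: Optional[str]) -> bool:
    parts = host.split(".") if host else []
    return len(parts) == 4 and all(p.isdigit() and int(p) < 256 for p in parts)


def origin_features(stream: Optional[str]) -> List[float]:
    """[has_motw, zone_id (-1 if absent/invalid), from_untrusted_zone, host_is_bare_ip]"""
    zi = parse_zone_identifier(stream)
    has_motw = zi["ZoneId"] is not None
    zone = int(zi["ZoneId"]) if has_motw and zi["ZoneId"].isdigit() else -1
    host = urlparse(zi["HostUrl"]).hostname if zi["HostUrl"] else None
    return [
        float(has_motw),
        float(zone),
        float(zone in (ZONE_INTERNET, ZONE_RESTRICTED)),
        float(_is_bare_ipv4(host)),   # assumed heuristic: downloads from a raw IP
    ]


def static_features(image: bytes, imports: List[str]) -> List[float]:
    """[entropy, watch-list hits, total imports]"""
    return [shannon_entropy(image), float(len(set(imports) & SUSPICIOUS_IMPORTS)), float(len(imports))]


def dynamic_features(report: Dict[str, List[str]]) -> List[float]:
    """[registry API calls, network API calls, dropped files, DNS queries]"""
    calls = report.get("api_calls", [])
    net_apis = {"InternetOpenA", "HttpSendRequestA", "connect", "send"}
    return [
        float(sum(c.startswith("Reg") for c in calls)),
        float(sum(c in net_apis for c in calls)),
        float(len(report.get("dropped_files", []))),
        float(len(report.get("dns_queries", []))),
    ]


def hybrid_vector(image, imports, report, zone_stream) -> List[float]:
    """Concatenate the three groups; this is the row a classifier would consume."""
    return static_features(image, imports) + dynamic_features(report) + origin_features(zone_stream)


# Constructed sample (not real malware): a maximum-entropy blob, a few imports,
# a toy behaviour summary, and a Zone.Identifier stream whose host is a bare IP
# in the RFC 5737 documentation range.
SAMPLE_IMAGE = bytes(range(256)) * 4
SAMPLE_IMPORTS = ["LoadLibraryA", "VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread"]
SAMPLE_REPORT = {
    "api_calls": ["RegOpenKeyExA", "RegSetValueExA", "InternetOpenA", "HttpSendRequestA"],
    "dropped_files": ["C:\\Users\\Public\\svchost.exe"],
    "dns_queries": [],
}
SAMPLE_ZONE = ("[ZoneTransfer]\r\nZoneId=3\r\n"
               "ReferrerUrl=http://198.51.100.7/docs/\r\n"
               "HostUrl=http://198.51.100.7/update.exe\r\n")

if __name__ == "__main__":
    print(hybrid_vector(SAMPLE_IMAGE, SAMPLE_IMPORTS, SAMPLE_REPORT, SAMPLE_ZONE))
```

The returned row is the shape of input the SVM, RF, KNN, DT and GB classifiers named in the abstract would consume. One caveat worth keeping in any origin feature: a missing Zone.Identifier stream is encoded explicitly (zone id -1, no mark) rather than treated as locally trusted, because several delivery paths (archive extraction by some tools, removable media, lateral copies over SMB) do not propagate the mark.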


References

  1. Any.run sandbox: Interactive malware hunting service. https://any.run/. Accessed 12 Apr 2021

  2. APT1 - Mandiant report. https://www.fireeye.com/blog/threat-research/2013/02/mandiant-exposes-apt1-chinas-cyber-espionage-units.html. Accessed 08 May 2021

  3. APT28. https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf. Accessed 11 Feb 2021

  4. APT29. https://attack.mitre.org/groups/G0016/. Accessed 11 Feb 2021

  5. APT34. FireEye. Advanced persistent threats/apt-groups.html. Accessed 11 Feb 2021

  6. Chronicle: YARA signature: the pattern matching swiss knife for malware researchers. https://virustotal.github.io/yara/. Accessed 22 June 2021

  7. Contagio APT malware. http://contagiodump.blogspot.com/. Accessed 11 Dec 2020

  8. Cuckoo sandbox. https://cuckoo.cert.ee/. Accessed 12 Apr 2021

  9. FireEye. https://www.fireeye.com/. Accessed 18 May 2021

  10. Kaspersky Lab: Targeted cyberattacks logbook. https://apt.securelist.com/. Accessed 03 May 2021

  11. MITRE ATT&CK groups. https://attack.mitre.org/groups/. Accessed 19 May 2021

  12. VirusTotal. https://www.virustotal.com/gui/. Accessed 12 Apr 2021

  13. VMware server. https://my.vmware.com/web/vmware/details/wkst_800_win/dCVkYnQqdGhiZEBAdA==. Accessed 30 Mar 2021

  14. Alshamrani, A., Myneni, S., Chowdhary, A., Huang, D.: A survey on advanced persistent threats: techniques, solutions, challenges, and research opportunities. IEEE Commun. Surv. Tutor. 21(2), 1851–1877 (2019)

  15. Azaria, A., Richardson, A., Kraus, S., Subrahmanian, V.: Behavioral analysis of insider threat: a survey and bootstrapped prediction in imbalanced data. IEEE Trans. Comput. Soc. Syst. 1(2), 135–155 (2014)

  16. Bai, J., Wang, J., Zou, G.: A malware detection scheme based on mining format information. Sci. World J. 2014, 1–11 (2014)

  17. Bat-Erdene, M., Park, H., Li, H., Lee, H., Choi, M.-S.: Entropy analysis to classify unknown packing algorithms for malware detection. Int. J. Inf. Secur. 16(3), 227–248 (2017). https://doi.org/10.1007/s10207-016-0330-4

  18. Bhatt, P., Yano, E.T., Gustavsson, P.: Towards a framework to detect multi-stage advanced persistent threats attacks. In: 2014 IEEE 8th International Symposium on Service Oriented System Engineering, pp. 390–395. IEEE (2014)

  19. Bowen, B.M., Hershkop, S., Keromytis, A.D., Stolfo, S.J.: Baiting inside attackers using decoy documents. In: Chen, Y., Dimitriou, T.D., Zhou, J. (eds.) SecureComm 2009. LNICST, vol. 19, pp. 51–70. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-05284-2_4

  20. Caglayan, A., Toothaker, M., Drapeau, D., Burke, D., Eaton, G.: Behavioral analysis of botnets for threat intelligence. IseB 10(4), 491–519 (2012). https://doi.org/10.1007/s10257-011-0171-7

  21. Dhanabal, L., Shantharajah, S.: A study on NSL-KDD dataset for intrusion detection system based on classification algorithms. Int. J. Adv. Res. Comput. Commun. Eng. 4(6), 446–452 (2015)

  22. Friedberg, I., Skopik, F., Settanni, G., Fiedler, R.: Combating advanced persistent threats: from network event correlation to incident detection. Comput. Secur. 48, 35–57 (2015)

  23. Garcia, F.C.C., Muga II, F.P.: Random forest for malware classification. arXiv preprint arXiv:1609.07770 (2016)

  24. Ghafir, I., et al.: Detection of advanced persistent threat using machine-learning correlation analysis. Future Gener. Comput. Syst. 89, 349–359 (2018)

  25. Greitzer, F.L., Frincke, D.A.: Combining traditional cyber security audit data with psychosocial data: towards predictive modeling for insider threat mitigation. In: Probst, C., Hunker, J., Gollmann, D., Bishop, M. (eds.) Insider Threats in Cyber Security. ADIS, vol. 49, pp. 85–113. Springer, Boston (2010). https://doi.org/10.1007/978-1-4419-7133-3_5

  26. Han, W., Xue, J., Wang, Y., Zhang, F., Gao, X.: APTMalInsight: identify and cognize APT malware based on system call information and ontology knowledge framework. Inf. Sci. 546, 633–664 (2021)

  27. Han, W., Xue, J., Wang, Y., Zhu, S., Kong, Z.: Build a roadmap for stepping into the field of anti-malware research smoothly. IEEE Access 7, 143573–143596 (2019)

  28. Hsu, C.-H., Huang, C.-Y., Chen, K.-T.: Fast-flux bot detection in real time. In: Jha, S., Sommer, R., Kreibich, C. (eds.) RAID 2010. LNCS, vol. 6307, pp. 464–483. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-15512-3_24

  29. Khouzani, M., Sarkar, S., Altman, E.: A dynamic game solution to malware attack. In: 2011 Proceedings of the IEEE INFOCOM, pp. 2138–2146. IEEE (2011)

  30. Li, F., Lai, A., Ddl, D.: Evidence of advanced persistent threat: a case study of malware for political espionage. In: 2011 6th International Conference on Malicious and Unwanted Software, pp. 102–109. IEEE (2011)

  31. Lin, J.-C., Chen, J.-M., Chen, C.-C., Chien, Y.-S.: A game theoretic approach to decision and analysis in strategies of attack and defense. In: 2009 Third IEEE International Conference on Secure Software Integration and Reliability Improvement, pp. 75–81. IEEE (2009)

  32. Marchetti, M., Pierazzi, F., Colajanni, M., Guido, A.: Analysis of high volumes of network traffic for advanced persistent threat detection. Comput. Netw. 109, 127–141 (2016)

  33. Milajerdi, S.M., Gjomemo, R., Eshete, B., Sekar, R., Venkatakrishnan, V.: HOLMES: real-time APT detection through correlation of suspicious information flows. In: 2019 IEEE Symposium on Security and Privacy (SP), pp. 1137–1152. IEEE (2019)

  34. Mohaisen, A., Alrawi, O., Mohaisen, M.: AMAL: high-fidelity, behavior-based automated malware analysis and classification. Comput. Secur. 52, 251–266 (2015)

  35. Myneni, S., et al.: DAPT 2020 - constructing a benchmark dataset for advanced persistent threats. In: Wang, G., Ciptadi, A., Ahmadzadeh, A. (eds.) MLHat 2020. CCIS, vol. 1271, pp. 138–163. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-59621-7_8

  36. Osborne, M.J., et al.: An Introduction to Game Theory, vol. 3. Oxford University Press, New York (2004)

  37. Qamar, S., Anwar, Z., Rahman, M.A., Al-Shaer, E., Chu, B.-T.: Data-driven analytics for cyber-threat intelligence and information sharing. Comput. Secur. 67, 35–58 (2017)

  38. Radkani, E., Hashemi, S., Keshavarz-Haddad, A., Haeri, M.A.: An entropy-based distance measure for analyzing and detecting metamorphic malware. Appl. Intell. 48(6), 1536–1546 (2018). https://doi.org/10.1007/s10489-017-1045-6

  39. Roundy, K.A., Miller, B.P.: Hybrid analysis and control of malware. In: Jha, S., Sommer, R., Kreibich, C. (eds.) RAID 2010. LNCS, vol. 6307, pp. 317–338. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-15512-3_17

  40. Sabir, B., Ullah, F., Babar, M.A., Gaire, R.: Machine learning for detecting data exfiltration: a review. ACM Comput. Surv. (CSUR) 54(3), 1–47 (2021)

  41. Shang, L., Guo, D., Ji, Y., Li, Q.: Discovering unknown advanced persistent threat using shared features mined by neural networks. Comput. Netw. 189, 107937 (2021)

  42. Sharafaldin, I., Habibi Lashkari, A., Ghorbani, A.A.: A detailed analysis of the CICIDS2017 data set. In: Mori, P., Furnell, S., Camp, O. (eds.) ICISSP 2018. CCIS, vol. 977, pp. 172–188. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-25109-3_9

  43. Shiravi, A., Shiravi, H., Tavallaee, M., Ghorbani, A.A.: Toward developing a systematic approach to generate benchmark datasets for intrusion detection. Comput. Secur. 31(3), 357–374 (2012)

  44. Stiborek, J., Pevný, T., Rehák, M.: Multiple instance learning for malware classification. Expert Syst. Appl. 93, 346–357 (2018)

  45. Tajoddin, A., Jalili, S.: HM3alD: polymorphic malware detection using program behavior-aware hidden Markov model. Appl. Sci. 8(7), 1044 (2018)

  46. Yang, L.-X., Li, P., Yang, X., Tang, Y.Y.: A risk management approach to defending against the advanced persistent threat. IEEE Trans. Dependable Secure Comput. 17(6), 1163–1172 (2018)

  47. Yang, L.-X., Li, P., Zhang, Y., Yang, X., Xiang, Y., Zhou, W.: Effective repair strategy against advanced persistent threat: a differential game approach. IEEE Trans. Inf. Forensics Secur. 14(7), 1713–1728 (2018)

  48. Zhao, G., Xu, K., Xu, L., Wu, B.: Detecting APT malware infections based on malicious DNS and traffic analysis. IEEE Access 3, 1132–1142 (2015)

Author information

Corresponding author: Gaurav Somani.

A Appendix

A.1 List of Sources: Benign Executable Samples

See Tables 8 and 9.

Table 8. List of various sources used for collection of benign executable samples

A.2 List of Sources: APT Malware Executable Samples

Table 9. APT malware executable samples from [7]

Copyright information

© 2021 Springer Nature Switzerland AG

About this paper

Cite this paper

Kumar, T., Somani, G. (2021). Origin Information Assisted Hybrid Analysis to Detect APT Malware. In: Tripathy, S., Shyamasundar, R.K., Ranjan, R. (eds) Information Systems Security. ICISS 2021. Lecture Notes in Computer Science, vol 13146. Springer, Cham. https://doi.org/10.1007/978-3-030-92571-0_5

  • DOI: https://doi.org/10.1007/978-3-030-92571-0_5

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-92570-3

  • Online ISBN: 978-3-030-92571-0

  • eBook Packages: Computer Science (R0)
