Up-High to Down-Low: Applying Machine Learning to an Exploit Database
Today machine learning is primarily applied to low-level features such as machine code and measurable behaviors. A great asset for exploit type classification, however, is the public exploit database. Unfortunately, these databases contain only meta-data (high-level or abstract data) about the exploits. Because classification usually depends on raw measurements taken in the field, these databases have been overlooked. In this study, we offer two usages for these high-level datasets and evaluate their performance. The first usage is classification that uses the meta-data as a bridge (supervised); the second is the study of the relations between exploits using clustering and Self Organizing Maps (unsupervised). Both offer insights into exploit detection and can be used as a means to better define exploit classes.
Keywords: Exploit database, Machine learning, Supervised, Unsupervised, Pattern abstraction, Data mining
This research was supported by the Ministry of Science and Technology, Israel.
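The abstract describes meta-data from an exploit database serving as a "bridge" between an exploit record and its class, and a separate unsupervised view of the relations between exploits. The following added example, which is not the paper's code and uses only constructed records, shows the supervised side as a multinomial naive Bayes classifier over the meta-data fields an exploit database typically exports (platform, exploit type, title), plus a Jaccard nearest-neighbour lookup over the same tokens as a minimal stand-in for the relation analysis. The field names, the records and the class labels (memory_corruption, injection, xss) are all assumptions made for illustration.

```python
"""Constructed example: exploit-database meta-data as features for a
supervised exploit-class classifier (naive Bayes) and for a simple
similarity lookup between exploits. Not the paper's code; every record
below is constructed, not taken from any real database."""
from collections import Counter, defaultdict
import math

# Constructed records in the shape an exploit database exports:
# (platform, type, title, class label we want to predict).
RECORDS = [
    ("windows", "remote", "buffer overflow in smtp server banner parsing", "memory_corruption"),
    ("linux", "local", "stack overflow in setuid binary argument handling", "memory_corruption"),
    ("linux", "remote", "heap overflow in image library decoder", "memory_corruption"),
    ("windows", "local", "use after free in kernel driver ioctl", "memory_corruption"),
    ("php", "webapps", "sql injection in login form parameter", "injection"),
    ("php", "webapps", "blind sql injection in search parameter", "injection"),
    ("asp", "webapps", "command injection in file upload handler", "injection"),
    ("php", "webapps", "remote code execution via command injection in admin panel", "injection"),
    ("multiple", "webapps", "stored cross site scripting in comment field", "xss"),
    ("php", "webapps", "reflected cross site scripting in search page", "xss"),
    ("java", "webapps", "cross site scripting in error page output", "xss"),
]


def featurize(platform, kind, title):
    """Turn one meta-data record into tokens. Structured fields are prefixed
    so that the type 'remote' stays distinct from the word 'remote' in a title."""
    tokens = [f"platform={platform.lower()}", f"type={kind.lower()}"]
    tokens.extend(title.lower().split())
    return tokens


def train(records):
    """Count class and per-class token frequencies (multinomial naive Bayes)."""
    class_counts = Counter()
    token_counts = defaultdict(Counter)
    vocab = set()
    for platform, kind, title, label in records:
        class_counts[label] += 1
        for tok in featurize(platform, kind, title):
            token_counts[label][tok] += 1
            vocab.add(tok)
    return {"classes": class_counts, "tokens": token_counts,
            "vocab": vocab, "n": len(records)}


def predict(model, platform, kind, title):
    """Return the most probable class label, using Laplace (add-one) smoothing
    so that tokens never seen in training do not zero out a class."""
    vocab_size = len(model["vocab"])
    tokens = featurize(platform, kind, title)
    best_label, best_score = None, -math.inf
    for label, count in model["classes"].items():
        score = math.log(count / model["n"])  # log prior
        total = sum(model["tokens"][label].values())
        for tok in tokens:
            score += math.log((model["tokens"][label][tok] + 1) / (total + vocab_size))
        if score > best_score:
            best_label, best_score = label, score
    return best_label


def nearest(records, platform, kind, title):
    """Title of the most similar other record by Jaccard similarity of tokens;
    a crude stand-in for the relation analysis the abstract mentions."""
    query = set(featurize(platform, kind, title))
    best_title, best_sim = None, -1.0
    for rec in records:
        if rec[:3] == (platform, kind, title):
            continue  # skip the record itself
        other = set(featurize(*rec[:3]))
        sim = len(query & other) / len(query | other)
        if sim > best_sim:
            best_title, best_sim = rec[2], sim
    return best_title


MODEL = train(RECORDS)

if __name__ == "__main__":
    for q in [("linux", "remote", "integer overflow in network daemon request parser"),
              ("php", "webapps", "sql injection in order id parameter"),
              ("asp", "webapps", "cross site scripting in profile page")]:
        print(q[2], "->", predict(MODEL, *q))
    print("nearest:", nearest(RECORDS, "php", "webapps", "blind sql injection in search parameter"))
```

The prefixed structured fields matter more than they look: on real exploit-database exports the platform and type columns are far more consistent than free-text titles, so they carry much of the class signal that the abstract calls the bridge, while the title tokens separate classes that share a platform and type.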