Malvidence - a cognitive malware characterization framework

Date
2018-12-13
Authors
Khan, Muhammad Salman
Abstract
The challenges of cyber security have outpaced the advantages of cyber tools and technologies. In 2018, the World Economic Forum placed cyber security among the top five risks faced by the world. Cyber threats are evolving and can cripple economies and nations. The major tools of cyber threat actors are anonymity, deception and uncertainty. Current state-of-the-art research is also evolving to address these challenges by applying new and proactive threat-hunting approaches instead of reactive cyber defense, which is proving futile. Malware is an indispensable tool of cyber threat actors for accomplishing malicious activities such as exfiltration, espionage and disruption. Using advanced obfuscation and mutation methods, malware adversaries are able to remain ahead of cyber defenders. Most malware detection technologies are based on finding a priori known signatures of malware payloads or known patterns of malware behavior. This dissertation addresses the challenge of hunting unknown, behaviorally mutated malware inside a host computer by proposing a proof-of-concept framework named Malvidence for characterizing malware behavior within a host operating system process tree using cognitive machine intelligence. Using the Malvidence framework, tools and techniques can be derived for a variety of cyber security methods for threat detection. Cognitive computing is a promising domain of machine intelligence which explores and develops new tools to incorporate human cognitive characteristics so that the performance of existing artificial intelligence and machine learning approaches can be improved. Therefore, cognitive complexity-based fractal analysis is demonstrated, and a methodology for extracting inherent but hidden patterns of malware dynamics using a temporal graph theoretical approach is proposed.
Further, a set of graph theoretical features is analyzed and proposed for an effective characterization of malware behavior, which can subsequently be used for malware hunting and detection. In addition, the proposed features are tested for their mathematical validity. Finally, using the proposed cognitive complexity analysis, the characterization performance of an unsupervised clustering algorithm is reported to demonstrate the validity of the Malvidence framework.
Keywords
Fractals, Malware mutation, Anomaly detection, Clustering, Unsupervised machine learning, Malware characterization framework, Endpoint threat detection, EDR, Endpoint detection and response, Microsoft Windows, Process tree, Polymorphism, Metamorphism, Class imbalance, Class inseparability, Variance fractal dimension, Correlation fractal dimension, Information fractal dimension, Spectral fractal dimension, Graph theory, Time graphs, Cognitive machine intelligence, Cognitive computing, Cyber kill chain, Cognitive and concurrent cyber kill chain, Semantic analysis, Features, Attributes, k-means, fBm, Fractional Brownian motion process, Cyber security, Behavioral analytics, Host anomaly detection, Malware data set, Semantics, Cyber threat hunting, Threat model, Feature elicitation, Cyber defense, Cyber event triage, CSOC, Cyber Security Operation Center, Multiscale Analysis, Multifractal, Advanced Persistent Threats, APT, Obfuscation, Cyber deception, Cognitive informatics, Computational intelligence, SIEM, Security information and event management, Penetration testing, Proactive cyber security
Citation
Muhammad Salman Khan, Ken Ferens, & Witold Kinsner, (2015) "A cognitive multifractal approach to characterize complexity of non-stationary and malicious DNS data traffic using adaptive sliding window", in proceedings of the IEEE 14th International Conference on Cognitive Informatics & Cognitive Computing (ICCI*CC15), Beijing, China, 2015. (doi: 10.1109/icci-cc.2015.7259368).
Muhammad Salman Khan, Ken Ferens, & Witold Kinsner, (2015) "A polyscale autonomous sliding window for cognitive machine classification of malicious Internet traffic", in proceedings of the 14th International Conference on Security and Management (SAM'15), WorldComp 2015, Las Vegas, USA, 2015.
Muhammad Salman Khan, Sana Siddiqui, Ken Ferens, & Witold Kinsner, (2016) "Spectral Fractal Dimension Trajectory (SFDT) to measure complexity of malicious attacks", in proceedings of the International Conference on Security and Management (SAM'16), WorldComp 2016, Las Vegas, USA, 2016.
Muhammad Salman Khan, Ken Ferens, & Witold Kinsner, (2015) "Multifractal singularity spectrum for cognitive cyber defence in Internet time series", in International Journal of Software Science and Computational Intelligence (IJSSCI), 2015. (doi: 10.4018/IJSSCI.2015070102).
Muhammad Salman Khan, Sana Siddiqui, Robert D. McLeod, Ken Ferens, & Witold Kinsner, (2016) "Fractal based adaptive boosting algorithm for cognitive detection of computer malware", in proceedings of the 15th IEEE International Conference on Cognitive Informatics and Cognitive Computing (IEEE ICCI*CC 2016), Stanford University, USA, 2016. (doi: 10.1109/ICCI-CC.2016.7862074).
Muhammad Salman Khan, Sana Siddiqui, & Ken Ferens, (2017) "Cognitive modeling of polymorphic malwares using fractal based semantic characterization", in proceedings of the IEEE 2017 International Conference on Technologies for Homeland Security (HST), pp. 1-7, April 2017, Waltham, MA, USA. (doi: 10.1109/THS.2017.7943487).
Sana Siddiqui, Muhammad Salman Khan, Ken Ferens, & Witold Kinsner, (2017) "Fractal based cognitive neural network to detect obfuscated and indistinguishable Internet threats", in proceedings of the 16th IEEE International Conference on Cognitive Informatics and Cognitive Computing (IEEE ICCI*CC 2017), July 2017, University of Oxford, UK.
Sana Siddiqui, Muhammad Salman Khan, & Ken Ferens, (2017) "Cognitive computing and multiscale analysis for cyber security", in Computer and Network Security Essentials, pp. 507-519, Ed. Kevin Daimi, Springer, 2017. (doi: 10.1007/978-3-319-58424-9_29).
Muhammad Salman Khan, Sana Siddiqui, & Ken Ferens, (2017) "A cognitive and concurrent cyber kill chain model", in Computer and Network Security Essentials, pp. 585-602, Ed. Kevin Daimi, Springer, 2017. (doi: 10.1007/978-3-319-58424-9_34).