Cluster analysis for deobfuscation of malware variants during ransomware attacks

2018 International Conference On Cyber Situational Awareness, Data Analytics And Assessment (Cyber SA) Pub Date : 2018-06-01 DOI:10.1109/CyberSA.2018.8551432

A. Arrott, Arun Lakhotia, F. Leitold, Charles LeDoux

{"title":"Cluster analysis for deobfuscation of malware variants during ransomware attacks","authors":"A. Arrott, Arun Lakhotia, F. Leitold, Charles LeDoux","doi":"10.1109/CyberSA.2018.8551432","DOIUrl":null,"url":null,"abstract":"Risk managers attempting to reduce cyber-security vulnerability in enterprise IT networks rely on the \"malware detection rate\" as a primary measure at each layer of protection (e.g., network firewalls, breach detection systems, secure mail-servers, endpoint security suites). However, to be directly usable in risk assessments, separate malware detection rates are required for different malware categories that are quantitatively related to specific impacts of infection. A three-tier hierarchy of malware classification is formulated to assist cyber-risk decision-making. Malware is first categorized by victim impact (e.g., adware, data exfiltration, ransomware); second by malware technique (e.g., malware families), and third by evasion and obfuscation variants within individual malware families (e.g., polymorphs, metamorphs). The three-tier hierarchy is applied to a specific vertical: ransomware (impact); ransomware family (technique); and malware binary variants within one family, WannaCry (obfuscation and evasion).","PeriodicalId":352813,"journal":{"name":"2018 International Conference On Cyber Situational Awareness, Data Analytics And Assessment (Cyber SA)","volume":"67 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2018-06-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"2","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"2018 International Conference On Cyber Situational Awareness, Data Analytics And Assessment (Cyber SA)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/CyberSA.2018.8551432","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 2

Abstract

Risk managers attempting to reduce cyber-security vulnerability in enterprise IT networks rely on the "malware detection rate" as a primary measure at each layer of protection (e.g., network firewalls, breach detection systems, secure mail-servers, endpoint security suites). However, to be directly usable in risk assessments, separate malware detection rates are required for different malware categories that are quantitatively related to specific impacts of infection. A three-tier hierarchy of malware classification is formulated to assist cyber-risk decision-making. Malware is first categorized by victim impact (e.g., adware, data exfiltration, ransomware); second by malware technique (e.g., malware families), and third by evasion and obfuscation variants within individual malware families (e.g., polymorphs, metamorphs). The three-tier hierarchy is applied to a specific vertical: ransomware (impact); ransomware family (technique); and malware binary variants within one family, WannaCry (obfuscation and evasion).

查看原文本刊更多论文

在勒索软件攻击期间对恶意软件变体进行解混淆的聚类分析

试图减少企业IT网络中的网络安全漏洞的风险管理人员依赖于“恶意软件检测率”作为每一层保护(例如，网络防火墙、漏洞检测系统、安全邮件服务器、端点安全套件)的主要措施。然而，为了直接用于风险评估，需要对不同的恶意软件类别进行单独的恶意软件检测率，这些恶意软件类别与感染的具体影响在数量上相关。恶意软件分类的三层层次结构被制定，以协助网络风险决策。恶意软件首先根据受害者影响进行分类(例如，广告软件，数据泄露，勒索软件);其次是恶意软件技术(例如，恶意软件家族)，第三是单个恶意软件家族中的逃避和混淆变体(例如，多态性，变形)。三层层次结构适用于特定的垂直领域:勒索软件(影响);勒索软件家族(技术);恶意软件的二进制变种属于一个家族，WannaCry(混淆和逃避)。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

2018 International Conference On Cyber Situational Awareness, Data Analytics And Assessment (Cyber SA)

自引率

0.00%

发文量