Capturing Malware Behaviour with Ontology-based Knowledge Graphs

Abstract

Exponential rise of Internet increases the risk of cyber attack related incidents which are generally caused by wide spread frequency of new malware generation. Different types of malware families have complex, dynamic behaviours and characteristics which can cause a novel and targeted attack in a cyber-system. Existence of large volume of malware types with frequent new additions hinders cyber resilience effort. To address the gap, we propose a new ontology driven framework that captures recent malware behaviours. According to code structure malware can be divided into three categories: basic, polymorphic and metamorphic. Packing or code obfuscation is also a technique adopted by the malware developers to make the code unreadable and avoid detection. Given that ontology techniques are useful to express the domain knowledge meaningfully, this paper aims to develop an ontology for dynamic analysis of malware behaviour and to capture metamorphic and polymorphic malware behaviour. This will be helpful to understand malicious behaviour exhibited by new generation malware samples and changes in their code structure. The proposed framework includes 14 malware families with their sub-families and 3 types of malware code-structure with their individuals. With a focus on malware behaviour the proposed ontology depicts the relations among malware families and malware code-structures with their respective behaviour.