VAMO: towards a fully automated malware clustering validity analysis

R. Perdisci, U. ManChon
DOI: 10.1145/2420950.2420999 (https://doi.org/10.1145/2420950.2420999)
Published: 2012-12-03
Venue: Asia-Pacific Computer Systems Architecture Conference
Citations: 65

Abstract

Malware clustering is commonly applied by malware analysts to cope with the ever-growing number of distinct malware variants collected every day from the Internet. While malware clustering systems can be useful for a variety of applications, assessing the quality of their results is intrinsically hard. In fact, clustering can be viewed as an unsupervised learning process over a dataset for which the complete ground truth is usually not available. Previous studies propose to evaluate malware clustering results by leveraging the labels assigned to the malware samples by multiple anti-virus scanners (AVs). However, the methods proposed thus far require a (semi-)manual adjustment and mapping between labels generated by different AVs, and are limited to selecting a reference subset of samples for which an agreement regarding their labels can be reached across a majority of AVs. This approach may bias the reference set towards "easy to cluster" malware samples, thus potentially resulting in an overoptimistic estimate of the accuracy of the malware clustering results.

In this paper we propose VAMO, a system that provides a fully automated quantitative analysis of the validity of malware clustering results. Unlike previous work, VAMO does not seek a majority voting-based consensus across different AV labels, and does not discard the malware samples for which such a consensus cannot be reached. Rather, VAMO explicitly deals with the inconsistencies typical of multiple AV labels to build a more representative reference set than majority voting-based approaches produce. Furthermore, VAMO avoids the need for the (semi-)manual mapping between AV labels from different scanners that was required in previous work. Through an extensive evaluation in a controlled setting and a real-world application, we show that VAMO outperforms majority voting-based approaches, and provides a better way for malware analysts to automatically assess the quality of their malware clustering results.