Proceedings of the 13th ACM Workshop on Artificial Intelligence and Security最新文献_第2页

Automatic Yara Rule Generation Using Biclustering 使用双聚类自动生成雅拉规则

Proceedings of the 13th ACM Workshop on Artificial Intelligence and Security Pub Date : 2020-09-06 DOI: 10.1145/3411508.3421372

Edward Raff, Richard Zak, Gary Lopez Munoz, William Fleming, H. Anderson, Bobby Filar, Charles K. Nicholas, James Holt

{"title":"Automatic Yara Rule Generation Using Biclustering","authors":"Edward Raff, Richard Zak, Gary Lopez Munoz, William Fleming, H. Anderson, Bobby Filar, Charles K. Nicholas, James Holt","doi":"10.1145/3411508.3421372","DOIUrl":"https://doi.org/10.1145/3411508.3421372","url":null,"abstract":"Yara rules are a ubiquitous tool among cybersecurity practitioners and analysts. Developing high-quality Yara rules to detect a malware family of interest can be labor- and time-intensive, even for expert users. Few tools exist and relatively little work has been done on how to automate the generation of Yara rules for specific families. In this paper, we leverage large n-grams (n ≥ 8) combined with a new biclustering algorithm to construct simple Yara rules more effectively than currently available software. Our method, AutoYara, is fast, allowing for deployment on low-resource equipment for teams that deploy to remote networks. Our results demonstrate that AutoYara can help reduce analyst workload by producing rules with useful true-positive rates while maintaining low false-positive rates, sometimes matching or even outperforming human analysts.In addition, real-world testing by malware analysts indicates AutoYara could reduce analyst time spent constructing Yara rules by 44-86%, allowing them to spend their time on the more advanced malware that current tools can't handle. Code will be made available at https://github.com/NeuromorphicComputationResearchProgram.","PeriodicalId":132987,"journal":{"name":"Proceedings of the 13th ACM Workshop on Artificial Intelligence and Security","volume":"23 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2020-09-06","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"129791508","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

引用次数: 13

Flow-based Detection and Proxy-based Evasion of Encrypted Malware C2 Traffic 基于流量检测和代理规避加密恶意软件C2流量

Proceedings of the 13th ACM Workshop on Artificial Intelligence and Security Pub Date : 2020-09-02 DOI: 10.1145/3411508.3421379

Carlos Novo, Ricardo Morla

{"title":"Flow-based Detection and Proxy-based Evasion of Encrypted Malware C2 Traffic","authors":"Carlos Novo, Ricardo Morla","doi":"10.1145/3411508.3421379","DOIUrl":"https://doi.org/10.1145/3411508.3421379","url":null,"abstract":"State of the art deep learning techniques are known to be vulnerable to evasion attacks where an adversarial sample is generated from a malign sample and misclassified as benign. Detection of encrypted malware command and control traffic based on TCP/IP flow features can be framed as a learning task and is thus vulnerable to evasion attacks. However, unlike e.g. in image processing where generated adversarial samples can be directly mapped to images, going from flow features to actual TCP/IP packets requires crafting the sequence of packets, with no established approach for such crafting and a limitation on the set of modifiable features that such crafting allows.In this paper we discuss learning and evasion consequences of the gap between generated and crafted adversarial samples. We exemplify with a deep neural network detector trained on a public C2 traffic dataset, white-box adversarial learning, and a proxy-based approach for crafting longer flows. Our results show 1) the high evasion rate obtained by using generated adversarial samples on the detector can be significantly reduced when using crafted adversarial samples; 2) robustness against adversarial samples by model hardening varies according to the crafting approach and corresponding set of modifiable features that the attack allows for; 3) incrementally training hardened models with adversarial samples can produce a level playing field where no detector is best against all attacks and no attack is best against all detectors, in a given set of attacks and detectors. To the best of our knowledge this is the first time that level playing field feature set- and iteration-hardening are analyzed in encrypted C2 malware traffic detection.","PeriodicalId":132987,"journal":{"name":"Proceedings of the 13th ACM Workshop on Artificial Intelligence and Security","volume":"2 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2020-09-02","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"126192745","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

引用次数: 15

The Robust Malware Detection Challenge and Greedy Random Accelerated Multi-Bit Search 鲁棒恶意软件检测挑战与贪婪随机加速多比特搜索

Proceedings of the 13th ACM Workshop on Artificial Intelligence and Security Pub Date : 2020-08-24 DOI: 10.1145/3411508.3421374

S. Verwer, A. Nadeem, Christian A. Hammerschmidt, Laurens Bliek, Abdullah Al-Dujaili, Una-May O’Reilly

{"title":"The Robust Malware Detection Challenge and Greedy Random Accelerated Multi-Bit Search","authors":"S. Verwer, A. Nadeem, Christian A. Hammerschmidt, Laurens Bliek, Abdullah Al-Dujaili, Una-May O’Reilly","doi":"10.1145/3411508.3421374","DOIUrl":"https://doi.org/10.1145/3411508.3421374","url":null,"abstract":"Training classifiers that are robust against adversarially modified examples is becoming increasingly important in practice. In the field of malware detection, adversaries modify malicious binary files to seem benign while preserving their malicious behavior. We report on the results of a recently held robust malware detection challenge. There were two tracks in which teams could participate: the attack track asked for adversarially modified malware samples and the defend track asked for trained neural network classifiers that are robust to such modifications. The teams were unaware of the attacks/defenses they had to detect/evade. Although only 9 teams participated, this unique setting allowed us to make several interesting observations. We also present the challenge winner: GRAMS, a family of novel techniques to train adversarially robust networks that preserve the intended (malicious) functionality and yield high-quality adversarial samples. These samples are used to iteratively train a robust classifier. We show that our techniques, based on discrete optimization techniques, beat purely gradient-based methods. GRAMS obtained first place in both the attack and defend tracks of the competition.","PeriodicalId":132987,"journal":{"name":"Proceedings of the 13th ACM Workshop on Artificial Intelligence and Security","volume":"247 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2020-08-24","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"115951242","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

引用次数: 6

Towards Certifiable Adversarial Sample Detection 面向可认证的对抗性样本检测

Proceedings of the 13th ACM Workshop on Artificial Intelligence and Security Pub Date : 2020-02-20 DOI: 10.1145/3411508.3421381

Ilia Shumailov, Yiren Zhao, R. Mullins, Ross Anderson

引用次数: 12