RADAR: A TTP-based Extensible, Explainable, and Effective System for Network Traffic Analysis and Malware Detection

Yashovardhan Sharma, S. Birnbach, I. Martinovic
Published in: Proceedings of the 2023 European Interdisciplinary Cybersecurity Conference
Publication date: 2022-12-07
DOI: 10.1145/3590777.3590804 (https://doi.org/10.1145/3590777.3590804)
Citations: 1

Abstract

Network analysis and machine learning techniques have been widely applied for building malware detection systems. Though these systems attain impressive results, they often are (i) not extensible, being monolithic, well tuned for the specific task they have been designed for but very difficult to adapt and/or extend to other settings, and (ii) not interpretable, being black boxes whose inner complexity makes it impossible to link the result of detection with its root cause, making further analysis of threats a challenge. In this paper we present RADAR, an extensible and explainable system that exploits the popular TTP (Tactics, Techniques, and Procedures) ontology of adversary behaviour described in the industry-standard MITRE ATT&CK framework in order to unequivocally identify and classify malicious behaviour using network traffic. We evaluate RADAR on a very large dataset comprising of 2,286,907 malicious and benign samples, representing a total of 84,792,452 network flows. The experimental analysis confirms that the proposed methodology can be effectively exploited: RADAR’s ability to detect malware is comparable to other state-of-the-art non-interpretable systems’ capabilities. To the best of our knowledge, RADAR is the first TTP-based system for malware detection that uses machine learning while being extensible and explainable.