SRI Logo
About Us|R and D Divisions|Careers|Newsroom|Contact Us|SRI Home
     
  SRI Logo

Malware Characterization through Alert Pattern Discovery
 by Dr. Steven Cheung & Alfonso Valdes.

From Proceedings of the 2nd USENIX Workshop on Large-scale Exploits and Emergent Threats.
Boston, MA,
April 2009.


Abstract
We present a novel alert correlation approach based on the factor analysis statistical technique for malware characterization. Our approach involves mechanically computing a set of abstract quantities, called factors, for expressing the intrusion detection system (IDS) alerts pertaining to malware instances. These factors correspond to patterns of alerts, and can be used to succinctly characterize malware. Unlike most existing alert correlation approaches for multistep attacks, our approach does not require predefined attack models for characterizing complex multistep attacks, and discovers potentially unknown relationships among alert types. Moreover, it requires relatively little alert information. As such, this approach is suitable for analysis pertaining to large-scale, privacy-preserving alert repositories. Initial experimental results indicate that our approach is useful in facilitating automated IDS alert pattern discovery, and in characterizing malware that manifests as multiple attack steps. Also, it may be used in identifying redundant signatures, enabling IDS performance tuning. Specifically, we examined the Snort rule identifiers (SIDs) of the alerts generated by the BotHunter tool, developed in the Cyber-Threat Analytics project, considering which SIDs co-occur pertaining to the same identified bot instance. Our exploratory analysis indicates that IDS alerts corresponding to bots can be expressed in terms of a small number of factors. Also, some bot families have distinguishing factor patterns.
BibTEX Entry
@InProceedings{Cheung:2009:LEET,
    author = "Steven Cheung and Alfonso Valdes",
    title = "Malware Characterization through Alert Pattern Discovery",
    booktitle = "Proceedings of the 2nd USENIX Workshop on Large-scale Exploits and Emergent Threats",
    year = 2009,
    month = apr,
    address = "Boston, MA",
    url = "http://www.usenix.org/events/leet09/tech/"
}

Available at USENIX's LEET Webpage.

 













 

About Us  |  R&D Divisions  |  Careers  |  Newsroom  |  Contact Us
© 2017 SRI International 333 Ravenswood Avenue, Menlo Park, CA 94025-3493
SRI International is an independent, nonprofit corporation. Privacy policy