Saved in:
Bibliographic details
Main authors: Bae, Chanwoo, Tao, Guanhong, Zhang, Zhuo, Zhang, Xiangyu
Format: Preprint
Published: 2024
Subjects:
Online access: https://arxiv.org/abs/2404.10944
Abstract: Cyber attacks cause over $1 trillion in losses every year. An important task for cyber security analysts is attack forensics, which entails understanding malware behaviors and attack origins. However, existing automated or manual malware analysis can only disclose a subset of behaviors due to inherent difficulties (e.g., malware cloaking and obfuscation). As such, analysts often resort to text search techniques to identify existing malware reports based on the symptoms they observe, exploiting the fact that malware samples share a lot of similarity, especially those from the same origin. In this paper, we propose a novel malware behavior search technique that is based on graph isomorphism at the attention layers of Transformer models. We also compose a large dataset collected from various agencies to facilitate such research. Our technique outperforms state-of-the-art methods, such as those based on sentence embeddings and keywords, by 6-14%. In the case study of 10 real-world malware samples, our technique can correctly attribute 8 of them to their ground-truth origins, while using Google only works for 3 cases.
Title: Threat Behavior Textual Search by Attention Graph Isomorphism
Topic: Information Retrieval