TagVet: Vetting Malware Tags using Explainable Machine Learning

When managing large malware collections, it is common practice to use short tags for grouping and organizing samples. For example, collected malware is often tagged according to its origin, family, functionality, or clustering. While these simple tags are essential for keeping pace with rapid malware development, they can become disconnected from the actual behavior of the samples and, in the worst case, mislead the analyst. In particular, if tags are assigned automatically, it is often unclear whether they indeed align with the malware functionality. In this paper, we propose a method for vetting tags in malware collections. Our method builds on recent techniques of explainable machine learning, which enable us to automatically link tags to behavioral patterns observed during dynamic analysis. To this end, we train a neural network to classify different tags and trace its decisions back to individual system calls and arguments. We empirically evaluate our method on tags for malware functionality, families, and clusterings. Our results demonstrate the utility of this approach and pinpoint interesting relations between malware tags in practice.
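The vetting loop described in the abstract (learn a classifier from tags, then attribute each decision back to the system calls it rests on) can be illustrated with a small, self-contained example. The code below is an added illustration, not the paper's implementation: a linear softmax classifier over binary system-call presence features stands in for the paper's neural network, and gradient-times-input relevance (which is exact for a linear model) stands in for the explanation method. The sample traces, the API names used as features, and the function names (`TagModel`, `vet`) are constructed for this example. A tag is considered suspect when the classifier's prediction disagrees with the assigned tag, and the per-call relevance scores show an analyst which behavior the tag is actually tied to.

```python
"""Toy tag vetting: softmax classifier over system-call features plus
gradient x input attribution of each prediction to individual calls."""
import math

# Constructed sample traces (assigned tag, set of observed system calls).
# These are hand-made for the example and are not real malware data.
TRACES = [
    ("ransomware", {"NtCreateFile", "RegOpenKey", "NtOpenFile", "NtWriteFile", "CryptEncrypt", "DeleteFile"}),
    ("ransomware", {"NtCreateFile", "RegOpenKey", "NtOpenFile", "NtWriteFile", "CryptEncrypt", "DeleteFile"}),
    ("ransomware", {"NtCreateFile", "RegOpenKey", "NtOpenFile", "NtWriteFile", "CryptEncrypt"}),
    ("downloader", {"NtCreateFile", "RegOpenKey", "NtWriteFile", "InternetOpenUrl", "InternetReadFile", "CreateProcess"}),
    ("downloader", {"NtCreateFile", "RegOpenKey", "NtWriteFile", "InternetOpenUrl", "InternetReadFile", "CreateProcess", "NtOpenFile"}),
    ("downloader", {"NtCreateFile", "RegOpenKey", "NtWriteFile", "InternetOpenUrl", "InternetReadFile", "CreateProcess"}),
    ("keylogger", {"NtCreateFile", "RegOpenKey", "NtWriteFile", "SetWindowsHookEx", "GetAsyncKeyState"}),
    ("keylogger", {"NtCreateFile", "RegOpenKey", "NtWriteFile", "SetWindowsHookEx", "GetAsyncKeyState", "send"}),
    ("keylogger", {"NtCreateFile", "RegOpenKey", "NtWriteFile", "SetWindowsHookEx", "GetAsyncKeyState"}),
]


def softmax(z):
    m = max(z)
    e = [math.exp(v - m) for v in z]
    s = sum(e)
    return [v / s for v in e]


class TagModel:
    """Linear softmax classifier: one weight per (tag, system call)."""

    def __init__(self, traces):
        self.vocab = sorted({c for _, calls in traces for c in calls})
        self.tags = sorted({t for t, _ in traces})
        self.W = {t: [0.0] * len(self.vocab) for t in self.tags}
        self.b = {t: 0.0 for t in self.tags}

    def vectorize(self, calls):
        # Binary presence features, one dimension per known system call.
        return [1.0 if c in calls else 0.0 for c in self.vocab]

    def logits(self, x):
        return [sum(w * xi for w, xi in zip(self.W[t], x)) + self.b[t] for t in self.tags]

    def fit(self, traces, epochs=200, lr=0.5):
        # Full-batch gradient descent on cross-entropy loss.
        data = [(t, self.vectorize(calls)) for t, calls in traces]
        n = len(data)
        for _ in range(epochs):
            gW = {t: [0.0] * len(self.vocab) for t in self.tags}
            gb = {t: 0.0 for t in self.tags}
            for tag, x in data:
                p = softmax(self.logits(x))
                for t, pt in zip(self.tags, p):
                    err = pt - (1.0 if t == tag else 0.0)
                    gb[t] += err
                    for i, xi in enumerate(x):
                        if xi:
                            gW[t][i] += err * xi
            for t in self.tags:
                self.b[t] -= lr * gb[t] / n
                self.W[t] = [w - lr * g / n for w, g in zip(self.W[t], gW[t])]
        return self

    def predict(self, calls):
        p = softmax(self.logits(self.vectorize(calls)))
        return max(zip(self.tags, p), key=lambda tp: tp[1])[0]

    def attribute(self, calls, tag):
        """Gradient x input relevance of each observed call for the logit of `tag`.
        For a linear model the gradient of the logit is the weight vector itself."""
        x = self.vectorize(calls)
        rel = [(c, w * xi) for c, w, xi in zip(self.vocab, self.W[tag], x) if xi]
        return sorted(rel, key=lambda r: -r[1])

    def tag_profile(self, tag, k=3):
        """Global view: the k system calls the model associates most strongly with `tag`."""
        return [c for c, _ in sorted(zip(self.vocab, self.W[tag]), key=lambda cw: -cw[1])[:k]]


def vet(model, tag, calls, k=3):
    """Check one sample's assigned tag against the model and explain the assigned tag."""
    predicted = model.predict(calls)
    return {
        "assigned": tag,
        "predicted": predicted,
        "agrees": predicted == tag,
        "evidence": model.attribute(calls, tag)[:k],
    }


if __name__ == "__main__":
    model = TagModel(TRACES).fit(TRACES)
    for t in model.tags:
        print(t, "<-", model.tag_profile(t))
    # A constructed trace whose behavior looks like a downloader but carries a ransomware tag.
    print(vet(model, "ransomware", {"NtCreateFile", "InternetOpenUrl", "InternetReadFile", "CreateProcess", "NtWriteFile"}))
```

`tag_profile` gives the global explanation (which calls a tag is tied to across the collection), while `vet` gives the per-sample one; a tag whose profile is dominated by calls shared by every sample, or a sample whose assigned tag disagrees with the prediction, is the kind of disconnect the abstract warns about.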
