Problem characterization and abstraction for visual analytics in behavior-based malware pattern analysis

Behavior-based analysis of emerging malware families involves finding suspicious patterns in large collections of execution traces. This activity cannot be automated for previously unknown malware families, so malware analysts would benefit greatly from integrating visual analytics methods into their process. However, existing approaches are limited to fairly static representations of the data, and there is no systematic characterization and abstraction of this problem domain. We therefore performed a systematic literature study and conducted a focus group as well as semi-structured interviews with 10 malware analysts to elicit a problem abstraction along the dimensions of data, users, and tasks. The requirements emerging from this work can serve as a basis for future design proposals for visual analytics-supported malware pattern analysis.