TrustSign: Trusted Malware Signature Generation in Private Clouds Using Deep Feature Transfer Learning

This paper presents TrustSign, a novel, trusted automatic malware signature generation method based on high-level deep features transferred from a VGG-19 neural network model pre-trained on the ImageNet dataset. While traditional automatic malware signature generation techniques rely on static or dynamic analysis of the malware's executable, our method overcomes the limitations associated with these techniques by producing signatures based on the presence of the malicious process in volatile memory. Signatures generated using TrustSign closely represent the real malware behavior during runtime. By leveraging the cloud's virtualization technology, TrustSign analyzes the malicious process in a trusted manner, since the malware is unaware of, and cannot interfere with, the inspection procedure. Additionally, by removing the dependency on the malware's executable, our method is capable of signing fileless malware. Thus, we focus our research on in-browser cryptojacking attacks, which current antivirus solutions have difficulty detecting. However, TrustSign is not limited to cryptojacking attacks, as our evaluation also included various ransomware samples. TrustSign's signature generation process does not require feature engineering or any additional model training, and it is performed in a completely unsupervised manner, obviating the need for a human expert. Therefore, our method has the advantage of dramatically reducing signature generation and distribution time. The results of our experimental evaluation demonstrate TrustSign's ability to generate signatures that are invariant to the process state over time. By using the signatures generated by TrustSign as input for various supervised classifiers, we achieved 99.5% classification accuracy.