SKALD: A Scalable Architecture for Feature Extraction, Multi-user Analysis, and Real-Time Information Sharing

  • Conference paper

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 9866)

Abstract

The inability of existing architectures to allow corporations to quickly process information at scale and share knowledge with peers makes it difficult for malware analysis researchers to present a clear picture of criminal activity. Hence, analysis is limited in effectively and accurately identifying the full scale of adversaries’ activities and in developing effective mitigation strategies. In this paper, we present Skald: a novel architecture that guides the creation of analysis systems to support the research of malicious activities plaguing computer systems. Our design provides the scalability, flexibility, and robustness needed to process current and future volumes of data. We show that our prototype is able to process millions of samples in only a few milliseconds per sample with zero critical errors. Additionally, Skald enables the development of new methodologies for information sharing, enabling analysis across collective knowledge. Consequently, defenders can perform accurate investigations and real-time discovery, while reducing mitigation time and infrastructure cost.



Acknowledgments

We would like to thank the Technical University of Munich for providing ample infrastructure to support our prototype development. We would also like to thank the United States Air Force for sponsoring George Webster in his academic pursuit. In addition, we thank the German Federal Ministry of Education and Research for providing funding for hardware under grant 16KIS0328 (IUNO). Lastly, we would like to thank the members of VirusTotal, Yara Exchange, and DARPA for their valuable discussions and support.

Author information

Corresponding author

Correspondence to George D. Webster.


Copyright information

© 2016 Springer International Publishing Switzerland

About this paper

Cite this paper

Webster, G.D., Hanif, Z.D., Ludwig, A.L.P., Lengyel, T.K., Zarras, A., Eckert, C. (2016). SKALD: A Scalable Architecture for Feature Extraction, Multi-user Analysis, and Real-Time Information Sharing. In: Bishop, M., Nascimento, A. (eds) Information Security. ISC 2016. Lecture Notes in Computer Science, vol 9866. Springer, Cham. https://doi.org/10.1007/978-3-319-45871-7_15

  • DOI: https://doi.org/10.1007/978-3-319-45871-7_15

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-45870-0

  • Online ISBN: 978-3-319-45871-7
