
tLab: A System Enabling Malware Clustering Based on Suspicious Activity Trees

  • Conference paper
Computer Network Security (MMM-ACNS 2017)

Abstract

We present a new approach to malware clustering in the behavioral domain. To this end, we use a system called tLab, which analyzes and detects modern complex malware, including user-oriented and targeted attacks. Owing to the technologies it employs, tLab identifies and describes malware behavior at several levels of semantics, which makes it well suited to cluster analysis.

Technically, the system employs secure containers that provide a user-dependent execution environment for malicious-activity analysis. For effective malware detection, tLab uses a technology for deep dynamic inspection of system-wide behavior, which enables structural analysis and the construction of so-called activity trees defined in the domain of system functionalities. Modified Hierarchical Colored Petri Nets are used for run-time recognition of system functionalities, including obfuscated and distributed ones.

In this paper, we perform cluster analysis at the level of activity trees, which provide a highly semantic representation of malicious behavior. Our clustering approach is evaluated on a corpus of real malware families. The results demonstrate that the activity tree domain enables excellent behavioral clustering and yields better and more consistent results than those of antivirus vendors.

Acknowledgment

The tLab system was fully funded and developed by T&T Security LLP. The malware behavioral clustering research effort is funded by T&T Security LLP and is partially supported by scientific projects of L.N. Gumilyov Eurasian National University, Kazakhstan, managed by the authors of this paper.

Author information

Corresponding author: Arnur Tokhtabayev.

Copyright information

© 2017 Springer International Publishing AG

About this paper

Cite this paper

Kopeikin, A., Tokhtabayev, A., Tashatov, N., Satybaldina, D. (2017). tLab: A System Enabling Malware Clustering Based on Suspicious Activity Trees. In: Rak, J., Bay, J., Kotenko, I., Popyack, L., Skormin, V., Szczypiorski, K. (eds) Computer Network Security. MMM-ACNS 2017. Lecture Notes in Computer Science, vol. 10446. Springer, Cham. https://doi.org/10.1007/978-3-319-65127-9_16

  • DOI: https://doi.org/10.1007/978-3-319-65127-9_16

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-65126-2

  • Online ISBN: 978-3-319-65127-9
