TY - GEN
T1 - Supervised detection of infected machines using anti-virus induced labels
AU - Cohen, Tomer
AU - Hendler, Danny
AU - Potashnik, Dennis
N1 - Publisher Copyright:
© Springer International Publishing AG 2017.
PY - 2017/1/1
Y1 - 2017/1/1
N2 - Traditional antivirus software relies on signatures to uniquely identify malicious files. Malware writers, on the other hand, have responded by developing obfuscation techniques with the goal of evading content-based detection. A consequence of this arms race is that numerous new malware instances are generated every day, thus limiting the effectiveness of static detection approaches. For effective and timely malware detection, signature-based mechanisms must be augmented with detection approaches that are harder to evade. We introduce a novel detector that uses the information gathered by IBM’s QRadar SIEM (Security Information and Event Management) system and leverages anti-virus reports for automatically generating a labelled training set for identifying malware. Using this training set, our detector is able to automatically detect complex and dynamic patterns of suspicious machine behavior and issue high-quality security alerts. We believe that our approach can be used for providing a detection scheme that complements signature-based detection and is harder to circumvent.
AB - Traditional antivirus software relies on signatures to uniquely identify malicious files. Malware writers, on the other hand, have responded by developing obfuscation techniques with the goal of evading content-based detection. A consequence of this arms race is that numerous new malware instances are generated every day, thus limiting the effectiveness of static detection approaches. For effective and timely malware detection, signature-based mechanisms must be augmented with detection approaches that are harder to evade. We introduce a novel detector that uses the information gathered by IBM’s QRadar SIEM (Security Information and Event Management) system and leverages anti-virus reports for automatically generating a labelled training set for identifying malware. Using this training set, our detector is able to automatically detect complex and dynamic patterns of suspicious machine behavior and issue high-quality security alerts. We believe that our approach can be used for providing a detection scheme that complements signature-based detection and is harder to circumvent.
UR - http://www.scopus.com/inward/record.url?scp=85021754724&partnerID=8YFLogxK
U2 - 10.1007/978-3-319-60080-2_3
DO - 10.1007/978-3-319-60080-2_3
M3 - Conference contribution
AN - SCOPUS:85021754724
SN - 9783319600796
T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
SP - 34
EP - 49
BT - Cyber Security Cryptography and Machine Learning - 1st International Conference, CSCML 2017, Proceedings
A2 - Dolev, Shlomi
A2 - Lodha, Sachin
PB - Springer Verlag
T2 - 1st International Conference on Cyber Security Cryptography and Machine Learning, CSCML 2017
Y2 - 29 June 2017 through 30 June 2017
ER -