Clustering analysis of malware behavior using Self Organizing Map

Radu-Stefan Pirscoveanu, Matija Stevanovic, Jens Myrup Pedersen

Research output: Contribution to book/anthology/report/conference proceeding, Article in proceeding, Research, peer-review

6 Citations (Scopus)

Abstract

At present, malware behavioral classification is performed by means of Anti-Virus (AV) generated labels. This paper investigates the inconsistencies of that practice by evaluating the differences between the labels assigned by current vendors. We rely on the Self Organizing Map, an unsupervised machine learning algorithm, to generate clusters that capture similarities in malware behavior. A data set of approximately 270,000 samples was used to generate behavioral profiles of malicious types, and the outcome of the proposed clustering approach was compared with the labels collected from 57 Antivirus vendors through VirusTotal. Upon evaluating the results, the paper concludes on the shortcomings of relying on AV vendors for labeling malware samples. To address the problem, a cluster-based classification is proposed, which should provide more accurate results based on the clusters created by competitive and cooperative algorithms such as the Self Organizing Map, which better describe the behavioral profile of malware.
Original language: English
Title of host publication: 2016 International Conference On Cyber Situational Awareness, Data Analytics And Assessment (CyberSA)
Number of pages: 6
Publisher: IEEE
Publication date: Jul 2016
ISBN (Electronic): 978-1-5090-0703-5
DOIs: 10.1109/CyberSA.2016.7503289
Publication status: Published - Jul 2016
Event: International Conference On Cyber Situational Awareness, Data Analytics And Assessment (CyberSA), 2016 - Stratton Suite Holiday Inn London Mayfair, 3 Berkeley Street, London, United Kingdom
Duration: 13 Jun 2016 to 14 Jun 2016
Event web address: http://www.c-mric.com/csa2016

Conference

Conference: International Conference On Cyber Situational Awareness, Data Analytics And Assessment (CyberSA), 2016
Location: Stratton Suite Holiday Inn London Mayfair, 3 Berkeley Street
Country: United Kingdom
City: London
Period: 13/06/2016 to 14/06/2016
Internet address: http://www.c-mric.com/csa2016
Series: International Conference on Cyber Situational Awareness, Data Analytics and Assessment Proceedings (CyberSA)


Keywords

  • Anti-Virus labels
  • Behavioral Clustering
  • Dynamic Analysis
  • Malware
  • Self Organizing Map

Cite this

Pirscoveanu, R-S., Stevanovic, M., & Pedersen, J. M. (2016). Clustering analysis of malware behavior using Self Organizing Map. In 2016 International Conference On Cyber Situational Awareness, Data Analytics And Assessment (CyberSA) IEEE. International Conference on Cyber Situational Awareness, Data Analytics and Assessment Proceedings. (cyberSA) https://doi.org/10.1109/CyberSA.2016.7503289