
SEEM: a scalable visualization for comparing multiple large sets of attributes for malware analysis

Published: 10 November 2014

Abstract

Recently, the number of observed malware samples has rapidly increased, expanding the workload for malware analysts. Most of these samples are not truly unique, but are related through shared attributes. Identifying these attributes can enable analysts to reuse analysis and reduce their workload. Visualizing malware attributes as sets could enable analysts to better understand the similarities and differences between malware. However, existing set visualizations have difficulty displaying hundreds of sets with thousands of elements, and are not designed to compare different types of elements between sets, such as the imported DLLs and callback domains across malware samples. Such analysis might help analysts, for example, to understand if a group of malware samples are behaviorally different or merely changing where they send data.
To support comparisons between malware samples' attributes we developed the Similarity Evidence Explorer for Malware (SEEM), a scalable visualization tool for simultaneously comparing a large corpus of malware across multiple sets of attributes (such as the sets of printable strings and function calls). SEEM's novel design breaks down malware attributes into sets of meaningful categories to compare across malware samples, and further incorporates set comparison overviews and dynamic filtering to allow SEEM to scale to hundreds of malware samples while still allowing analysts to compare thousands of attributes between samples. We demonstrate how to use SEEM by analyzing a malware sample from the Mandiant APT1 New York Times intrusion dataset. Furthermore, we describe a user study with five cyber security researchers who used SEEM to rapidly and successfully gain insight into malware after only 15 minutes of training.
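The abstract describes the core operation behind SEEM: each sample's attributes are bucketed into categories (imports, strings, callback domains), the resulting sets are compared pairwise per category, and a membership-frequency overview plus filtering keeps the view manageable as the corpus grows. The following is an added illustration of that idea in plain Python; it is not code from the paper or from SEEM, and the three samples, their attribute values and the similarity thresholds are constructed for the example. It also shows how a per-category comparison answers the question the abstract raises, whether two samples differ in behaviour or only in where they send data.

```python
from itertools import combinations
from typing import Dict, List, Set, Tuple

# Constructed corpus (hypothetical samples and attribute values, not taken
# from the paper): attributes are already bucketed into categories.
CORPUS: Dict[str, Dict[str, Set[str]]] = {
    "sample_A": {
        "imports": {"kernel32.dll", "ws2_32.dll", "advapi32.dll"},
        "strings": {"cmd.exe", "/c", "POST", "Mozilla/4.0"},
        "domains": {"update.example-a.test", "cdn.example-a.test"},
    },
    "sample_B": {
        "imports": {"kernel32.dll", "ws2_32.dll", "advapi32.dll"},
        "strings": {"cmd.exe", "/c", "POST", "Mozilla/4.0"},
        "domains": {"mail.example-b.test"},
    },
    "sample_C": {
        "imports": {"kernel32.dll", "user32.dll", "gdi32.dll"},
        "strings": {"GetAsyncKeyState", "keylog.txt"},
        "domains": {"mail.example-b.test"},
    },
}


def jaccard(a: Set[str], b: Set[str]) -> float:
    """Jaccard similarity |a & b| / |a | b|; two empty sets count as identical."""
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


def compare(corpus: Dict[str, Dict[str, Set[str]]], s1: str, s2: str) -> Dict[str, float]:
    """Per-category similarity between two samples (missing category = empty set)."""
    categories = set(corpus[s1]) | set(corpus[s2])
    return {
        cat: jaccard(corpus[s1].get(cat, set()), corpus[s2].get(cat, set()))
        for cat in sorted(categories)
    }


def classify_pair(sims: Dict[str, float],
                  behaviour_cats: Tuple[str, ...] = ("imports", "strings"),
                  infra_cats: Tuple[str, ...] = ("domains",),
                  high: float = 0.8, low: float = 0.2) -> str:
    """Label a pair by contrasting behavioural categories with infrastructure ones.

    The thresholds are illustrative choices, not values from the paper.
    """
    behaviour = min(sims[c] for c in behaviour_cats)   # weakest behavioural match
    infra = max(sims[c] for c in infra_cats)           # strongest infrastructure match
    if behaviour >= high and infra <= low:
        return "same behaviour, new infrastructure"
    if behaviour >= high:
        return "near-duplicate"
    if behaviour <= low and infra >= high:
        return "different behaviour, shared infrastructure"
    return "unrelated"


def triage(corpus: Dict[str, Dict[str, Set[str]]]) -> List[Tuple[str, str, str]]:
    """Classify every pair of samples in the corpus."""
    return [(s1, s2, classify_pair(compare(corpus, s1, s2)))
            for s1, s2 in combinations(corpus, 2)]


def overview(corpus: Dict[str, Dict[str, Set[str]]], category: str,
             min_samples: int = 1) -> Dict[str, int]:
    """Membership frequency of each attribute in one category across the corpus.

    Filtering by min_samples is the scaling trick: attributes seen in only a
    few samples are dropped, so the overview stays readable for large corpora.
    """
    counts: Dict[str, int] = {}
    for attrs in corpus.values():
        for element in attrs.get(category, set()):
            counts[element] = counts.get(element, 0) + 1
    return {e: n for e, n in counts.items() if n >= min_samples}


if __name__ == "__main__":
    for s1, s2, label in triage(CORPUS):
        print(f"{s1} vs {s2}: {label}  {compare(CORPUS, s1, s2)}")
    print("imports shared by >= 2 samples:", overview(CORPUS, "imports", min_samples=2))
```

In the constructed corpus, sample_A and sample_B share every import and string but no domain, so they are flagged as the same behaviour pointed at new infrastructure, while sample_B and sample_C share a callback domain but little else. The `overview` filter is the analogue of the dynamic filtering the abstract mentions: raising `min_samples` shrinks the overview to the attributes common across many samples.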


Published In

cover image ACM Other conferences
VizSec '14: Proceedings of the Eleventh Workshop on Visualization for Cyber Security
November 2014
105 pages
ISBN:9781450328265
DOI:10.1145/2671491
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. computer security
  2. malware
  3. sets
  4. venn diagrams
  5. visualization

Qualifiers

  • Research-article

Conference

VizSec '14
VizSec '14: Visualization for Cyber Security
November 10, 2014
Paris, France

Acceptance Rates

VizSec '14 Paper Acceptance Rate 12 of 43 submissions, 28%;
Overall Acceptance Rate 39 of 111 submissions, 35%
