ABSTRACT
In recent years, network security has become one of the main factors constraining the development of the Internet. Among network security threats, the advanced persistent threat (APT) is one of the most representative forms of attack and has brought unprecedented security challenges. APT attacks rely mainly on malicious code. At present, homology analysis of APT malicious code (determining whether samples share a common origin) mostly converts the code into a grayscale image or into semantic fragments and then classifies it with a pre-trained model such as a neural network. The effectiveness of such pre-training-based methods depends heavily on the training process and on the form of the data set, which can cause the malicious code observed in a live APT attack to be attributed to the wrong group. In this paper, we propose a homology analysis method for APT-group malicious code based on Asm2Vec. The malicious code is disassembled, unimportant functions are removed, and the remaining basic function blocks are represented with the Asm2Vec semantic representation model, which is then used to identify the APT group most likely to be behind a given piece of malware. Experimental results show a classification accuracy of 91.30% and an F1-score of 95.46% for the Energetic Bear group.
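As an added illustration (not code from the paper, whose Asm2Vec model and data set are not reproduced here), the following Python script walks the pipeline the abstract describes on constructed input: parse an IDA-style disassembly listing into functions, drop the functions assumed to be unimportant (import thunks, jump stubs, functions below a minimum instruction count), turn each remaining function into a vector, and attribute an unknown sample by letting each of its functions vote for the APT group of the most similar labelled function. A bag of normalized instructions (unigrams plus adjacent bigrams, with registers, immediates and addresses collapsed to operand classes) stands in for the learned Asm2Vec function embedding and is coarser than it; the filter rule, the similarity threshold, the x86 register and immediate patterns, the group names and the three listings are all assumptions made for this example.

```python
import math
import re
from collections import Counter

# Constructed IDA-style listings (hypothetical, not real samples): two labelled groups and one unknown.
GROUP_A = """sub_401000:
    push ebp
    call sub_401100
    retn
sub_401100:
    mov ecx, [ebp+8]
loc_401103:
    xor byte ptr [ecx], 5Ah
    inc ecx
    jnz short loc_401103
    retn"""
GROUP_B = """sub_10001000:
    push offset aHttp
    push dword ptr [ebp+8]
    call ds:InternetOpenUrlA
    retn"""
UNKNOWN = """sub_402000:
    push ebp
    call sub_402100
    retn
sub_402100:
    mov esi, [ebp+8]
loc_402103:
    xor byte ptr [esi], 0A7h
    inc esi
    jnz short loc_402103
    retn
j_ExitProcess:
    jmp ds:ExitProcess"""

# Assumed "unimportant function" rule: thunks, jump stubs and tiny functions carry no group-specific semantics.
SKIP_PREFIXES, MIN_INSNS = ("__imp_", "j_", "nullsub_"), 3
PREFIXES = {"rep", "repe", "repne", "lock"}
IMM_RE = re.compile(r"^(0x[0-9a-f]+|[0-9][0-9a-f]*h|\d+)$")
REG_RE = re.compile(r"^(e?[abcd]x|e?[sd]i|e?[sb]p|[abcd][lh]|r[abcd]x|r[sd]i|r[sb]p|r(8|9|1[0-5])[dwb]?|xmm\d+)$")


def parse_functions(listing: str) -> dict[str, list[str]]:
    """{function_name: [instruction, ...]}; 'loc_' labels are local jump targets, not new functions."""
    funcs, cur = {}, None
    for line in (raw.split(";")[0].strip() for raw in listing.splitlines()):
        m = re.match(r"^(\S+):$", line)
        if m and not m.group(1).startswith("loc_"):
            cur = m.group(1)
            funcs[cur] = []
        elif not m and line and cur is not None:
            funcs[cur].append(line)
    return funcs


def is_unimportant(name: str, insns: list[str]) -> bool:
    return name.startswith(SKIP_PREFIXES) or len(insns) < MIN_INSNS


def classify_operand(op: str) -> str:
    op = re.sub(r"\b(byte|word|dword|qword|ptr|short|offset|near)\b", "", op).strip()
    if "[" in op:
        return "mem"
    return "imm" if IMM_RE.match(op) else "reg" if REG_RE.match(op) else "sym"  # sym: targets, imports, data


def normalize(insn: str) -> str:
    """'xor byte ptr [esi], 0A7h' -> 'xor_mem_imm': register names, constants and addresses abstracted."""
    parts = insn.lower().split(None, 1)
    mnemonic, rest = parts[0], (parts[1] if len(parts) > 1 else "")
    if mnemonic in PREFIXES and rest:  # 'rep movsd' -> mnemonic 'rep_movsd'
        second, *more = rest.split(None, 1)
        mnemonic, rest = f"{mnemonic}_{second}", (more[0] if more else "")
    return "_".join([mnemonic, *(classify_operand(o) for o in rest.split(",") if o.strip())])


def vectorize(insns: list[str]) -> Counter:
    toks = [normalize(i) for i in insns]  # unigrams + adjacent bigrams stand in for an Asm2Vec embedding
    return Counter(toks) + Counter(f"{a}>{b}" for a, b in zip(toks, toks[1:]))


def cosine(a: Counter, b: Counter) -> float:
    dot = sum(v * b.get(k, 0) for k, v in a.items())
    na, nb = math.sqrt(sum(v * v for v in a.values())), math.sqrt(sum(v * v for v in b.values()))
    return dot / (na * nb) if na and nb else 0.0


def build_corpus(labelled: dict[str, str]) -> list[tuple[str, str, Counter]]:
    """(group, function_name, vector) for every important function of every labelled sample."""
    return [(g, n, vectorize(ins)) for g, text in labelled.items()
            for n, ins in parse_functions(text).items() if not is_unimportant(n, ins)]


def attribute(unknown: str, corpus: list[tuple[str, str, Counter]], min_sim: float = 0.6) -> dict:
    """Each important function votes for the group of its nearest corpus function (if sim >= min_sim)."""
    votes, matches = Counter(), []
    for name, insns in parse_functions(unknown).items():
        if is_unimportant(name, insns):
            continue
        vec = vectorize(insns)
        group, ref, sim = max(((g, n, cosine(vec, cv)) for g, n, cv in corpus), key=lambda t: t[2])
        if sim >= min_sim:
            votes[group] += 1
            matches.append((name, ref, group, round(sim, 3)))
    best = votes.most_common(1)[0][0] if votes else None  # None: no function clone found at all
    return {"group": best, "votes": dict(votes), "matches": matches}
```

Calling `attribute(UNKNOWN, build_corpus({"GroupA": GROUP_A, "GroupB": GROUP_B}))` returns the winning group together with the vote tally and the per-function matches, so an analyst can see which clones drove the verdict rather than trusting a bare label. The threshold matters: a generic three-instruction wrapper still scores moderately against an unrelated group's function because prologue and epilogue tokens are shared, which is why removing unimportant functions before matching, and reporting the matches, is worth the extra step.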
Index Terms
- Malicious Code Classification Method of Advanced Persistent Threat Based on Asm2Vec