DOI: 10.1145/3658644.3691396

Poster

Poster: PGPNet: Classify APT Malware Using Prediction-Guided Prototype Network

Published: 09 December 2024

Abstract

As the prevalence of Advanced Persistent Threats (APTs) grows, APT malware group classification has attracted more attention recently. However, most previous methods use simple classifiers for group classification, ignoring the bias caused by the sparse number of revealed malware samples and the differences in functionality distribution across most groups. In this paper, we propose a Prediction-Guided Prototype Network (PGPNet) that can quickly adapt to new classification tasks with limited supervised samples, based on a meta-learning architecture. Adding malware functionality classification as an auxiliary task is beneficial for feature learning, and the bias from distribution differences is eliminated by injecting the auxiliary task's predicted results into the group classifier. Experimental results on an APT malware dataset show that PGPNet successfully exploits the contextual information and predictions of the auxiliary task and achieves state-of-the-art performance.
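The abstract describes two mechanisms: a prototype network that classifies a query by its distance to per-group prototypes computed from a handful of support samples, and an auxiliary functionality prediction that is fed into the group classifier. The following is an added illustration, not code from the paper or the PGPNet authors. The learned encoder is replaced by a stand-in that L2-normalises a constructed bag-of-API-calls vector, the auxiliary predictions are constructed probability vectors rather than the output of a trained head, and the "prediction-guided" step is modelled as a hypothetical weighted concatenation of the auxiliary prediction onto the embedding (the page does not specify how PGPNet actually intervenes, so the `aux_weight` knob is an assumption). Group names, API categories and all sample values are invented.

```python
"""Few-shot prototype-network classification of APT malware groups (illustration).

Constructed sample data; the encoder and the auxiliary-prediction injection are
stand-ins, not the PGPNet mechanism described in the paper.
"""
from math import sqrt
from typing import Dict, List, Tuple

Sample = Tuple[List[float], List[float]]  # (feature vector, auxiliary prediction)

# Constructed support set: per hypothetical APT group, two samples. Features are
# counts over 6 invented API-call categories; the auxiliary prediction is an
# invented probability vector over 3 functionality classes (e.g. persistence,
# exfiltration, lateral movement) as a trained auxiliary head might emit.
SUPPORT: Dict[str, List[Sample]] = {
    "group_A": [([5, 1, 0, 2, 0, 1], [0.8, 0.1, 0.1]),
                ([4, 2, 0, 1, 0, 1], [0.7, 0.2, 0.1])],
    "group_B": [([0, 1, 6, 0, 3, 0], [0.1, 0.8, 0.1]),
                ([1, 0, 5, 0, 4, 0], [0.1, 0.7, 0.2])],
    "group_C": [([1, 4, 0, 0, 1, 5], [0.2, 0.1, 0.7]),
                ([0, 5, 1, 0, 0, 4], [0.1, 0.2, 0.7])],
}


def l2_normalize(v: List[float]) -> List[float]:
    """Scale a vector to unit length (zero vectors are returned unchanged)."""
    norm = sqrt(sum(x * x for x in v)) or 1.0
    return [x / norm for x in v]


def embed(features: List[float], aux_pred: List[float], aux_weight: float = 1.0) -> List[float]:
    """Stand-in encoder (assumption): normalised raw features concatenated with
    the auxiliary prediction scaled by aux_weight. aux_weight=0 disables the
    prediction-guided term and leaves a plain prototype network."""
    return l2_normalize(features) + [aux_weight * p for p in aux_pred]


def build_prototypes(support: Dict[str, List[Sample]], aux_weight: float = 1.0) -> Dict[str, List[float]]:
    """Prototype = mean embedding of each group's support samples (Snell et al. style)."""
    protos: Dict[str, List[float]] = {}
    for group, samples in support.items():
        embs = [embed(f, a, aux_weight) for f, a in samples]
        dim = len(embs[0])
        protos[group] = [sum(e[i] for e in embs) / len(embs) for i in range(dim)]
    return protos


def squared_distance(a: List[float], b: List[float]) -> float:
    return sum((x - y) ** 2 for x, y in zip(a, b))


def classify(features: List[float], aux_pred: List[float],
             protos: Dict[str, List[float]], aux_weight: float = 1.0) -> Tuple[str, Dict[str, float]]:
    """Assign the query to the nearest prototype; also return all distances."""
    q = embed(features, aux_pred, aux_weight)
    dists = {g: squared_distance(q, p) for g, p in protos.items()}
    return min(dists, key=dists.get), dists


def guided_vs_unguided(features: List[float], aux_pred: List[float],
                       guided_weight: float = 3.0) -> Tuple[str, str]:
    """Return (unguided label, guided label) for one query, to show how the
    auxiliary prediction can change the group decision."""
    unguided, _ = classify(features, aux_pred, build_prototypes(SUPPORT, 0.0), 0.0)
    guided, _ = classify(features, aux_pred, build_prototypes(SUPPORT, guided_weight), guided_weight)
    return unguided, guided


if __name__ == "__main__":
    # Constructed query whose API profile looks like group_A and whose
    # auxiliary prediction agrees: both variants pick group_A.
    print(guided_vs_unguided([3, 1, 1, 2, 0, 1], [0.75, 0.15, 0.10]))
    # Constructed query copying a group_A sample's features but carrying a
    # functionality prediction typical of group_B: only the guided variant flips.
    print(guided_vs_unguided([4, 2, 0, 1, 0, 1], [0.1, 0.8, 0.1]))
```

The second query is the interesting one for a defender reading this abstract: with `aux_weight=0` the classifier is a plain prototype network and sticks with the group whose raw API profile matches, while a large weight lets the functionality prediction override it. Whether that override is desirable is exactly the distribution-bias question the paper raises, so in practice the weight (or whatever mechanism PGPNet uses, which the page does not detail) would be learned and validated on held-out groups rather than hand-set.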


Published In

CCS '24: Proceedings of the 2024 on ACM SIGSAC Conference on Computer and Communications Security
December 2024
5188 pages
ISBN: 9798400706363
DOI: 10.1145/3658644

Publisher

Association for Computing Machinery, New York, NY, United States

Author Tags

  1. APT malware classification
  2. few-shot learning

Qualifiers

  • Poster

Conference

CCS '24

Acceptance Rates

Overall Acceptance Rate 1,261 of 6,999 submissions, 18%