Title: Improving the Understanding of Malware using Machine Learning

Date: Wednesday, May 10th 2023

Time: 1:00 PM -- 2:30 PM EDT

Location: Coda C1003 Adair

Zoom link: Click here

Committee:

Dr. Wenke Lee (advisor), School of Cybersecurity and Privacy, Georgia Institute of Technology

Dr. Mustaque Ahamad (School of Cybersecurity and Privacy, Georgia Institute of Technology)

Dr. Brendan Saltaformaggio (School of Cybersecurity and Privacy, Georgia Institute of Technology)

Dr. Fabian Monrose (School of Electrical and Computer Engineering, Georgia Institute of Technology)

Abstract:

Malicious software continues to threaten users who rely on computational devices. From destruction to the monetization of their victims' information, malware authors seek to cause harm for their personal gain. Over the past few decades, automated solutions have been developed to catch and prevent malicious code from infecting and spreading throughout cyberspace. These solutions rely on statistical properties (and domain knowledge) of what distinguishes a malicious behavior from a benign behavior. However, these solutions are often blackbox, requiring end users and experts alike to trust their verdicts. This often leads to experts manually crafting their own features and tools that they can more intuitively control and tune over time.

To address these challenges, I propose using humans-in-the-loop, which combines the best of both worlds by allowing expert analysts to both learn new insights from the results of malware detection models and provide feedback to improve the results of those models. This leads to a partnership, rather than a competition between humans and algorithms. To demonstrate the effectiveness of my approach, I first introduce DeepReflect, a system which identifies malicious functionality within malware binaries. DeepReflect increases the AUC value by 6-10% compared to four state-of-the-art approaches on a dataset of 36k unique, unpacked malware binaries. This helps analysts understand what a malware is capable of doing before they execute it. Next, I present BCRAFTY, a system which automatically crafts, abstracts, and combines FP-prone behaviors to improve detecting malware: increasing TPR by almost 10% while keeping the FPR under 0.5% compared to using dynamic features alone from a state-of-the-art AV proprietary sandbox. Using the analysts' feedback, they gain an understanding of novel behaviors the model learns. Finally, I propose Drifter, a system which addresses FPR performance decrease (due to concept drift) by combining existing benign-prone features. Using a taxonomy customized by analysts, they understand what the model learns and how to adjust for novel samples.