Abstract

Malware classification and family identification are not new
problems. However, the rapid evolution of the malware attack/defense
ecosystem has enabled much more fruitful research. In this talk, our
contributions to the domain will be summarized by presenting two
systems that we at Verisign have named Chatter and AVMeter.

Chatter is a system for representing and leveraging the sequence of
events in a malware execution. Whereas calculating and exposing
low-level feature values might have ill scalability or gamesmanship
effects, Chatter tersely and efficiently captures execution
patterns. By creating an alphabet/language to represent runtime
behavior, techniques from n-gram processing are used to train a binary
classifier that is capable of distinguishing different malware samples
with high accuracy.

AVMeter is a system for evaluating the performance of antivirus scans
and labels. Researchers rely heavily on these outputs in establishing
ground-truth for their methods and companies use them to guide
mitigation and disinfection efforts. However, there is a lack of
research that validates the performance of these antivirus
vendors. Utilizing malware samples that have been manually labeled by
expert analysts, we reveal dramatic errors in the correctness,
coverage, and consistency of current antivirus offerings. We invite
the community to challenge assumptions about relying on AV scans and
labels as a ground truth for malware analysis and classification.

Speaker's Bio

Aziz Mohaisen is a research scientist at VeriSign Labs. His research
interests are broadly focused on the security, privacy, measurement,
and analysis of complex and emerging network systems. His recent work
has emphasized data-driven security and its applications in malware
analysis, network routing, information sharing, and Internet-scale
reputation. He obtained his Ph.D. in computer science from the
University of Minnesota in 2012 where he wrote his dissertation on
trustworthy social computing systems.