To TTP or not to TTP?: Exploiting TTPs to Improve ML-based Malware Detection
| Published in | 2023 IEEE International Conference on Cyber Security and Resilience (CSR), pp. 8-15 |
|---|---|
| Main Authors | Sharma, Yashovardhan; Giunchiglia, Eleonora; Birnbach, Simon; Martinovic, Ivan |
| Format | Conference Proceeding |
| Language | English |
| Published | IEEE, 31.07.2023 |
| Subjects | Data models; Intrusion detection; Machine learning; Malware; Measurement; MITRE ATT&CK; Networks; Task analysis; Telecommunication traffic; Training |
| Online Access | https://ieeexplore.ieee.org/document/10225000 |
| DOI | 10.1109/CSR57506.2023.10225000 |
| Field | Value |
|---|---|
| Abstract | In the last decade, machine learning (ML) methods have increasingly been applied to the task of malware detection. While these approaches have surely demonstrated their effectiveness, they still present limitations, some of which are a consequence of their purely data-driven nature. In this paper, we show how the MITRE ATT&CK framework of tactics, techniques, and procedures (TTPs) can be exploited to overcome such limitations and improve their ability to detect malware on networks. We conduct an extensive experimental analysis, testing 7 ML models on 5 large datasets comprising over 37 million flows. Our results clearly demonstrate that adding TTP-based features for training the models robustly improves their performance. Our models outperform the standard ones 922 times out of a total of 952, (i.e., 96.8% of the time), with the biggest improvements (up to 84.9% in terms of FPR) being observed in situations designed to be challenging for ML models. |
| Author | Martinovic, Ivan; Sharma, Yashovardhan; Birnbach, Simon; Giunchiglia, Eleonora |
| Author details | 1. Yashovardhan Sharma, University of Oxford, Department of Computer Science (yashovardhan.sharma@cs.ox.ac.uk); 2. Eleonora Giunchiglia, Institute of Logic and Computation, TU Wien (eleonora.giunchiglia@tuwien.ac.at); 3. Simon Birnbach, University of Oxford, Department of Computer Science (simon.birnbach@cs.ox.ac.uk); 4. Ivan Martinovic, University of Oxford, Department of Computer Science (ivan.martinovic@cs.ox.ac.uk) |
| ContentType | Conference Proceeding |
| DOI | 10.1109/CSR57506.2023.10225000 |
| EISBN | 9798350311709 |
| EndPage | 15 |
| ExternalDocumentID | 10225000 |
| Genre | orig-research |
| IsPeerReviewed | false |
| IsScholarly | false |
| Language | English |
| PageCount | 8 |
| PublicationCentury | 2000 |
| PublicationDate | 2023-July-31 |
| PublicationDateYYYYMMDD | 2023-07-31 |
| PublicationDecade | 2020 |
| PublicationTitle | 2023 IEEE International Conference on Cyber Security and Resilience (CSR) |
| PublicationTitleAbbrev | CSR |
| PublicationYear | 2023 |
| Publisher | IEEE |
| StartPage | 8 |
| SubjectTerms | Data models; Intrusion detection; Machine learning; Malware; Measurement; MITRE ATT&CK; Networks; Task analysis; Telecommunication traffic; Training |
| Title | To TTP or not to TTP?: Exploiting TTPs to Improve ML-based Malware Detection |
| URI | https://ieeexplore.ieee.org/document/10225000 |