Exploiting Latent Attack Semantics for Intelligent Malware Detection

We introduce a newmalware detector – Shape-GD – that aggregates per-machine detectors into a robust global detector. Shape-GD is based on two insights: 1. Structural: actions such as visiting a website (waterhole attack) or membership in a shared email thread (phishing attack) by nodes correlate well with malware spread, and create dynamic neighborhoods of nodes that were exposed to the same attack vector. However, neighborhoods vary unpredictably and require aggregating an unpredictable number of local detectors’ outputs into a global alert. 2. Statistical: feature vectors corresponding to true and false positives of local detectors have markedly different conditional distributions – i.e. their shapes differ. We show that the shape of neighborhoods can identify infected neighborhoods without having to estimate the number of local detectors in the neighborhood. We evaluate Shape-GD by emulating a large community of Windows systems – using system call traces from a few thousand malware and benign applications – and simulating a waterhole attack through a popular website and a phishing attack in a corporate email network. In both these scenarios, we show that Shape-GD detects malware early (∼100 infected nodes in a ∼100K node system for waterhole and ∼10 of 1000 for phishing) and robust (with ∼100% global true positive and ∼1% global false positive rates). At such early stages of infection, existing algorithms that cluster feature vectors are ineffective (have an AUC metric of close to 0.5), and others that count the fraction of alert-generating local detectors require (the weakly correlated) neighborhoods’ sizes to be estimated to within 1% accuracy.