Cognitively-Inspired Inference for Malware Task Identification

Date

2020-08-01

Publisher

Springer International Publishing

Abstract

Malware reverse-engineering, and specifically identifying the tasks a given piece of malware was designed to perform (e.g., logging keystrokes, recording video, establishing remote access), is a largely human-driven, difficult, and time-consuming process. In this chapter, we present an automated method to identify malware tasks using two different approaches based on the ACT-R cognitive architecture, a popular implementation of a unified theory of cognition. Using three different malware collections, we explore various evaluations for each of an instance-based and a rule-based model, including cases where the training data differs significantly from the test data, where the malware being evaluated employs packing to thwart analysis, and conditions with sparse training data. We find that our approach based on cognitive inference consistently outperforms the current state-of-the-art software for malware task identification as well as standard machine learning approaches, often achieving an unbiased F1 score of over 0.9.
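To make the instance-based model concrete, the following is an added, self-contained sketch of ACT-R-style instance-based retrieval applied to task labelling. It is not the chapter's code: the feature names, the stored instances and their presentation ages, the ACT-R parameter values, and the 0.5 decision threshold are all constructed here for illustration. Each stored instance (an ACT-R chunk) holds a binary vector of observed behaviours plus the set of tasks the sample was known to perform; a new sample activates every chunk through base-level learning and partial matching, and the chunks' task labels are blended by retrieval probability. The F1 at the end is computed over (sample, task) pairs as a simple scoring of multi-label output and is not the chapter's definition of "unbiased F1".

```python
"""ACT-R-style instance-based retrieval for malware task labelling (illustrative)."""
import math
from typing import Dict, FrozenSet, Iterable, List, Sequence, Tuple

# Hypothetical behavioural indicators used as chunk slots (constructed for the example).
FEATURES: Tuple[str, ...] = (
    "SetWindowsHookEx", "GetAsyncKeyState", "capCreateCaptureWindow",
    "WSASocket", "CreateRemoteThread", "RegSetValueEx",
)

# ACT-R parameters: illustrative values chosen for this example, not the chapter's.
MISMATCH_PENALTY = 1.0  # activation lost per mismatching slot (partial matching)
TEMPERATURE = 0.25      # t in the Boltzmann retrieval equation
DECAY = 0.5             # d in base-level learning
THRESHOLD = 0.5         # blended task score needed to assert a task


def encode(features: Iterable[str]) -> Tuple[int, ...]:
    """Binary slot vector over FEATURES for one sample."""
    present = set(features)
    return tuple(1 if f in present else 0 for f in FEATURES)


class Chunk:
    """One stored instance: observed features, known tasks, and presentation ages."""

    def __init__(self, features: Iterable[str], tasks: Iterable[str], ages: Sequence[float]):
        self.slots = encode(features)
        self.tasks: FrozenSet[str] = frozenset(tasks)
        self.ages = list(ages)  # time since each presentation, arbitrary units

    def base_level(self) -> float:
        # B_i = ln(sum_j t_j^-d): chunks seen more often or more recently are more active.
        return math.log(sum(t ** -DECAY for t in self.ages))

    def mismatch(self, probe: Tuple[int, ...]) -> float:
        # Partial matching: every differing slot costs MISMATCH_PENALTY.
        return MISMATCH_PENALTY * sum(a != b for a, b in zip(self.slots, probe))


# Constructed declarative memory: (features, task labels, presentation ages).
MEMORY: List[Chunk] = [
    Chunk({"SetWindowsHookEx", "GetAsyncKeyState", "RegSetValueEx"}, {"keylogging"}, [1.0, 3.0]),
    Chunk({"capCreateCaptureWindow", "WSASocket"}, {"video_capture", "remote_access"}, [1.0, 2.0]),
    Chunk({"WSASocket", "CreateRemoteThread"}, {"remote_access"}, [1.0]),
    Chunk({"SetWindowsHookEx", "WSASocket"}, {"keylogging", "remote_access"}, [4.0]),
]


def retrieval_probabilities(memory: Sequence[Chunk], probe: Tuple[int, ...]) -> List[float]:
    """Boltzmann retrieval: P_i = exp(A_i / t) / sum_j exp(A_j / t), A_i = B_i - mismatch."""
    activations = [c.base_level() - c.mismatch(probe) for c in memory]
    peak = max(activations)  # subtract the max so exp() cannot under/overflow
    weights = [math.exp((a - peak) / TEMPERATURE) for a in activations]
    total = sum(weights)
    return [w / total for w in weights]


def predict_tasks(memory: Sequence[Chunk], features: Iterable[str]) -> Tuple[FrozenSet[str], Dict[str, float]]:
    """Blend the task labels of all chunks, weighted by retrieval probability."""
    probs = retrieval_probabilities(memory, encode(features))
    scores: Dict[str, float] = {}
    for chunk, p in zip(memory, probs):
        for task in chunk.tasks:
            scores[task] = scores.get(task, 0.0) + p
    return frozenset(t for t, s in scores.items() if s >= THRESHOLD), scores


def f1_over_pairs(truths: Sequence[FrozenSet[str]], preds: Sequence[FrozenSet[str]]) -> float:
    """F1 over (sample, task) pairs: an illustrative multi-label score."""
    tp = sum(len(t & p) for t, p in zip(truths, preds))
    fp = sum(len(p - t) for t, p in zip(truths, preds))
    fn = sum(len(t - p) for t, p in zip(truths, preds))
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0
    return 2 * precision * recall / (precision + recall) if precision + recall else 0.0


# Constructed held-out samples with their known tasks.
TEST_SET = [
    ({"SetWindowsHookEx", "GetAsyncKeyState"}, frozenset({"keylogging"})),
    ({"capCreateCaptureWindow", "WSASocket", "CreateRemoteThread"}, frozenset({"video_capture", "remote_access"})),
    ({"GetAsyncKeyState", "WSASocket"}, frozenset({"keylogging", "remote_access"})),
]


def run_evaluation() -> Tuple[List[FrozenSet[str]], float]:
    preds = [predict_tasks(MEMORY, feats)[0] for feats, _ in TEST_SET]
    return preds, f1_over_pairs([truth for _, truth in TEST_SET], preds)


if __name__ == "__main__":
    predictions, f1 = run_evaluation()
    for (feats, truth), pred in zip(TEST_SET, predictions):
        print(sorted(feats), "truth:", sorted(truth), "predicted:", sorted(pred))
    print("F1 over (sample, task) pairs:", round(f1, 3))
```

The third test sample shows the failure mode a practitioner should expect from partial matching: its two features match several chunks about equally, so the chunk with the highest base-level activation (the one presented most often and most recently) dominates retrieval and its video_capture label is asserted while keylogging is missed. That is why the chapter's evaluation under sparse or mismatched training data matters for this kind of model.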

Keywords

malware identification, instance-based learning, ACT-R, cognitive modeling

Citation

Nunes, E., Buto, C., Shakarian, P., Lebiere, C., Bennati, S., Thomson, R. (2020). Cognitively-Inspired Inference for Malware Task Identification. In: Tayebi, M.A., Glässer, U., Skillicorn, D.B. (eds) Open Source Intelligence and Cyber Crime. Lecture Notes in Social Networks. Springer, Cham. https://doi.org/10.1007/978-3-030-41251-7_7