You Are What You Do: Hunting Stealthy Malware via Data Provenance Analysis

Qi Wang, Wajih Ul Hassan, Ding Li, Kangkook Jee, Xiao Yu, Kexuan Zou, Junghwan Rhee, Zhengzhang Chen, Wei Cheng, Carl A. Gunter, Haifeng Chen

Research output: Chapter in Book/Report/Conference proceedingConference contribution

Abstract

To subvert recent advances in perimeter and host security, the attacker community has developed and employed various attack vectors to make a malware much stealthier than before to penetrate the target system and prolong its presence. Such advanced malware or “stealthy malware” makes use of various techniques to impersonate or abuse benign applications and legitimate system tools to minimize its footprints in the target system. It is thus difficult for traditional detection tools, such as malware scanners, to detect it, as the malware normally does not expose its malicious payload in a file and hides its malicious behaviors among the benign behaviors of the processes. In this paper, we present PROVDETECTOR, a provenance-based approach for detecting stealthy malware. Our insight behind the PROVDETECTOR approach is that although a stealthy malware attempts to blend into benign processes, its malicious behaviors inevitably interact with the underlying operating system (OS), which will be exposed to and captured by provenance monitoring. Based on this intuition, PROVDETECTOR first employs a novel selection algorithm to identify possibly malicious parts in the OS-level provenance data of a process. It then applies a neural embedding and machine learning pipeline to automatically detect any behavior that deviates significantly from normal behaviors. We evaluate our approach on a large provenance dataset from an enterprise network and demonstrate that it achieves very high detection performance of stealthy malware (an average F1 score of 0.974). Further, we conduct thorough interpretability studies to understand the internals of the learned machine learning models.

Original languageEnglish (US)
Title of host publication27th Annual Network and Distributed System Security Symposium, NDSS 2020
PublisherThe Internet Society
ISBN (Electronic)1891562614, 9781891562617
DOIs
StatePublished - 2020
Event27th Annual Network and Distributed System Security Symposium, NDSS 2020 - San Diego, United States
Duration: Feb 23 2020Feb 26 2020

Publication series

Name27th Annual Network and Distributed System Security Symposium, NDSS 2020

Conference

Conference27th Annual Network and Distributed System Security Symposium, NDSS 2020
Country/TerritoryUnited States
CitySan Diego
Period2/23/202/26/20

ASJC Scopus subject areas

  • Computer Networks and Communications
  • Control and Systems Engineering
  • Safety, Risk, Reliability and Quality

Fingerprint

Dive into the research topics of 'You Are What You Do: Hunting Stealthy Malware via Data Provenance Analysis'. Together they form a unique fingerprint.

Cite this