Abstract

Advanced Persistent Threats (APTs) have become a major concern for IT security professionals around the world. These attacks are characterized by the use of highly sophisticated, evasive and cautious human and technical resources. It is very common to observe the combined use of different malware families in long APT campaigns, which makes the malware used in APT campaigns worth investigating. Different approaches have been proposed to find discriminatory features for detecting APT malware. Features from static, dynamic and network-related analyses have each been proposed separately for that aim. The new approach considered in this study aims to identify the most discriminatory features for distinguishing malware belonging to APT campaigns from non-APT malware executables. This approach proposes identifying the discriminatory features not from one but from all three groups of analyses, using domain knowledge and with interpretability as a goal. As a result, a set of the most discriminatory features of each type is provided. To obtain this set, well-known machine learning techniques have been used. One of the most important limitations in the use of these learning techniques is the availability of a sufficient amount of data. In this paper, a large dataset of 19,457 malware samples is publicly provided, including both malware known to be related to APTs and generic non-APT malware samples. In order to analyze the discrimination ability of the features, the proposed approach follows several steps. First, an exploratory analysis is conducted to obtain knowledge about the data structure. Then, feature selection is performed using different discriminatory techniques. The resulting selection of features is assessed by means of four well-known binary classification techniques. The high accuracy of the results shows that the proposed features are discriminative enough for the stated purpose. Finally, these results are interpreted and the findings are discussed from the perspective of prior knowledge and assumptions about APT-related malware.
