Abstract

We are living in a digital world where information flows in the form of bits. The world is witnessing a rapid transformation in ease of living through smart devices ranging from Internet of Things (IoT) devices and personal computers to advanced supercomputers that solve complex problems in domains such as medicine, transportation, banking and day-to-day living. Protecting digital assets is therefore an important aspect of the modern world, which is susceptible to highly advanced cyber attacks with a wide range of ramifications, including financial loss, intellectual property loss and privacy violations. Modern cyber adversaries are evolving new tactics, techniques and procedures (TTPs) for long-term strategic information gathering by neutralizing the victim's security defenses at the perimeter and system level. The sophistication and complexity of Advanced Persistent Threats (APTs) necessitate a new range of security solutions built on unconventional defense technologies. APT payloads are equipped with highly evasive manoeuvres to bypass modern security solutions that rely on signature- and rule-based methodologies. In these scenarios, malware behavioral analysis assists in detecting APT payloads. However, it generates a huge volume of behavioral logs that require review by domain experts to decide the nature of a sample, which is time consuming, resource intensive and poorly scalable. An automated process is needed that mimics human intelligence by analyzing the internal dependencies among behavioral patterns to solve the classification problem. We therefore propose an unconventional Bayesian Belief Network-based approach to the APT malware detection problem, extracting unique features from the static, dynamic and event analysis of malware samples.
The proposed Threat Detection Bayesian Belief Network Model (TDBBNM) combines three Bayesian models, the Static Analysis Bayesian Belief Network (SABBN), the Dynamic Analysis Bayesian Belief Network (DABBN) and the Event Analysis Bayesian Belief Network (EABBN), for better accuracy and fewer false positives in malware detection. The system is evaluated on 10,413 samples (4733 APT payloads + 5680 benign) by extracting unique features and constructing the BBN models using expert knowledge and empirical observations for the conditional dependencies and probabilities. The proposed system exhibited 92.62% accuracy with a 0.0538% false-positive rate in detecting APT malware, which is suitable for APT detection, a domain where reliable detection mechanisms are limited. Our approach is unique in nature and the first of its kind to introduce BBNs to APT detection. BBNs are very good at mimicking human reasoning with respect to the analysis of internally dependent patterns, which is a very important aspect of malware detection. We therefore expect the BBN approach to open up a new direction in solving complex problems in the cyber security domain.
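As an added illustration, not code from the paper: a small binary Bayesian belief network in the shape the abstract describes, one root node for the APT verdict and one indicator per analysis stage (static, dynamic, event), with assumed conditional probability tables and exact inference by enumeration. The only value taken from the abstract is the prior (4733 APT of 10,413 samples); the CPTs, the `SAMPLES` set and the function names are constructed for the example, and `evaluate` applies a decision threshold and reports accuracy and false-positive rate, the two metrics the abstract quotes.

```python
from itertools import product

# Constructed, hypothetical network (assumed CPTs, not the paper's): root node
# "apt" and one indicator per analysis stage, each conditioned only on "apt".
# Each table entry is P(node=True | parents); prior = 4733 APT of 10,413 samples.
NETWORK = {
    "apt":     ((),       {(): 4733 / 10413}),
    "static":  (("apt",), {(True,): 0.80, (False,): 0.10}),
    "dynamic": (("apt",), {(True,): 0.85, (False,): 0.05}),
    "event":   (("apt",), {(True,): 0.70, (False,): 0.15}),
}

def joint(assignment):
    """Product of CPT entries for one full assignment of every node."""
    p = 1.0
    for node, (parents, cpt) in NETWORK.items():
        p_true = cpt[tuple(assignment[q] for q in parents)]
        p *= p_true if assignment[node] else 1.0 - p_true
    return p

def posterior(evidence):
    """P(apt=True | evidence) by exact enumeration over unobserved nodes."""
    hidden = [n for n in NETWORK if n != "apt" and n not in evidence]
    total = {True: 0.0, False: 0.0}
    for apt in (True, False):
        for values in product((True, False), repeat=len(hidden)):
            full = dict(evidence, apt=apt, **dict(zip(hidden, values)))
            total[apt] += joint(full)
    return total[True] / (total[True] + total[False])

def evaluate(labelled, threshold=0.5):
    """Accuracy and false-positive rate when the posterior is thresholded;
    FPR counts benign samples flagged as APT over all benign samples."""
    correct = fp = benign = 0
    for evidence, is_apt in labelled:
        flagged = posterior(evidence) >= threshold
        correct += flagged == is_apt
        benign += not is_apt
        fp += flagged and not is_apt
    return correct / len(labelled), (fp / benign if benign else 0.0)

# Constructed mini test set: the three stage verdicts plus the true label.
SAMPLES = [
    ({"static": True, "dynamic": True, "event": True}, True),
    ({"static": True, "dynamic": False, "event": True}, True),
    ({"static": False, "dynamic": True, "event": False}, True),
    ({"static": False, "dynamic": False, "event": False}, False),
    ({"static": True, "dynamic": False, "event": False}, False),
    ({"static": False, "dynamic": False, "event": True}, False),
]
```

Lowering the threshold from 0.5 to 0.25 flags one benign sample in `SAMPLES`, which is the accuracy-versus-false-positive trade-off the abstract's two metrics describe.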
