Bilkent University
Department of Computer Engineering


Automated Detection and Classification of Malware Used in Targeted Attacks via Machine Learning


Yakup Korkmaz
MSc Student
(Supervisor: Assoc. Prof. Dr. İbrahim Körpeoğlu)
Computer Engineering Department
Bilkent University

Targeted attacks pose a great threat to governments and commercial entities. An increasing number of targeted attacks, especially Advanced Persistent Threats, are discovered and exposed each year by various cyber security organizations. Key characteristics of these attacks are well-funded and skilled actors persistently targeting specific entities, sophisticated tools and tactics, a long presence in breached environments before detection, and stealthy operation. Malware plays a crucial role in a targeted attack for tasks such as compromising systems, maintaining presence, communicating with the operators and carrying out commands. Because of its stealthy nature, malware used in targeted attacks is expected to behave differently from traditional malware when it is dynamically analyzed in a sandbox environment. In this thesis we focus on the malware used in targeted attacks and present a method to automatically detect and classify targeted malware through machine learning using behavioral and memory features. It is worth noting that this is the first work in the literature that classifies targeted malware and incorporates memory features into the dynamic features. The method comprises the steps of running both traditional and targeted malware in a dynamic analysis system along with a memory analysis tool, extracting features from the behavioral and memory artifacts found in the analysis results, and employing machine learning on the extracted features. New behavioral and memory features were defined in order to classify targeted malware more effectively. The method is then evaluated over a dataset comprised of targeted and traditional malware with different supervised learning algorithms. The results show that machine learning can be employed successfully to automatically detect and classify targeted malware from dynamic analysis results using behavioral and memory features.


DATE: 10 September, 2015, Wednesday @ 08:30