Brian E. Ruttenberg
Charles River Laboratories
Publication
Featured research published by Brian E. Ruttenberg.
International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment | 2014
Brian E. Ruttenberg; Craig Miles; Lee Kellogg; Vivek Notani; Michael Howard; Charles LeDoux; Arun Lakhotia; Avi Pfeffer
Recent reports from the anti-malware industry indicate that similarity between malware code resulting from code reuse can aid in developing a profile of the attackers. We describe a method for identifying shared components in a large corpus of malware, where a component is a collection of code, such as a set of procedures, that implement a unit of functionality. We develop a general architecture for identifying shared components in a corpus using a two-stage clustering technique. While our method is parametrized on any features extracted from a binary, our implementation uses features abstracting the semantics of blocks of instructions. Our system has been found to identify shared components with extremely high accuracy in a rigorous, controlled experiment conducted independently by MITLL. Our technique provides an automated method to find functional relationships between malware code that may be used to establish evolutionary relationships and aid in forensics.
International Workshop on Graphical Models for Security | 2017
Brian E. Ruttenberg; Dave Blumstein; Jeff Druce; Michael Howard; Fred Reed; Leslie Wilfong; Crystal Lister; Steve Gaskin; Meaghan Foley; Daniel Scofield
Due to the high consequences of poorly performing automated insider threat detection systems (ITDSs), it is advantageous for Government and commercial organizations to understand the performance and limitations of potential systems before their deployment. We propose to capture the uncertainties and dynamics of organizations deploying ITDSs to create an accurate and effective probabilistic graphical model that forecasts the operational performance of an ITDS throughout its deployment. Ultimately, we believe this modeling methodology will result in the deployment of more effective ITDSs.
International Conference on Big Data | 2014
Lee Kellogg; Brian E. Ruttenberg; Alison O'Connor; Michael Howard; Avi Pfeffer
As the pace of generation of new malware accelerates, clustering and classifying newly discovered malware requires new approaches to data management. We describe our Big Data approach to managing malware to support effective and efficient malware analysis on large and rapidly evolving sets of malware. The key element of our approach is a hierarchical organization of the malware, which organizes malware into families, maintains a rich description of the relationships between malware, and facilitates efficient online analysis of new malware as they are discovered. Using clustering evaluation metrics, we show that our system discovers malware families comparable to those produced by traditional hierarchical clustering algorithms, while scaling much better with the size of the data set. We also show the flexibility of our system as it relates to substituting various data representations, methods of comparing malware binaries, clustering algorithms, and other factors. Our approach will enable malware analysts and investigators to quickly understand and quantify changes in the global malware ecosystem.
AIAA/AAS Astrodynamics Specialist Conference | 2014
Matthew P. Wilkins; Avi Pfeffer; Brian E. Ruttenberg; Paul W. Schumacher; Moriba Jah
In our previous work, we demonstrated that hierarchical (taxonomical) trees can be used to depict hypotheses in a Bayesian object recognition and identification process using Figaro, an open source probabilistic programming language. We assume in this work that we have appropriately defined a satellite taxonomy that allows us to place a given space object (RSO) into a particular class of object without any ambiguity. Such a taxonomy allows one to assess the probability of assignment to a particular class by determining how well the object satisfies the unique criteria of belonging to that class. Furthermore, tree-based taxonomies delineate unique signatures by defining the minimum amount of information required to positively identify an RSO. Because of these properties of taxonomic trees, we can now explore the implications of RSO taxonomic trees for model distance metrics and sensor tasking. In particular, we seek to exploit the fact that taxonomic trees provide a model neighborhood that can be used to initiate a Monte Carlo or Multiple Hypothesis algorithm. We contend this feature of taxonomies will provide a quantifiable metric for model distances and the explicit number of models that should be considered, both of which currently do not exist. Additionally, the discriminating characteristics of taxonomic classes can be used to determine the kind of data and the associated sensor that needs to be tasked to acquire that data. We also discuss the concept of multiple interacting hierarchies that provide deeper insight into how objects interact with one another.
arXiv: Artificial Intelligence | 2018
Michael Harradon; Jeff Druce; Brian E. Ruttenberg
International Conference on Information Fusion | 2015
Brian E. Ruttenberg; Matthew P. Wilkins; Avi Pfeffer
International Conference on Artificial Intelligence and Statistics | 2018
Avi Pfeffer; Brian E. Ruttenberg; William Kretschmer; Alison O'Connor
arXiv: Cryptography and Security | 2017
Avi Pfeffer; Brian E. Ruttenberg; Lee Kellogg; Michael Howard; Catherine Call; Alison O'Connor; Glenn Takata; Scott Reilly; Terry Patten; Jason Taylor; Rob Hall; Arun Lakhotia; Craig Miles; Daniel Scofield; Jared Frank
arXiv: Cryptography and Security | 2016
Brian E. Ruttenberg; Lee Kellogg; Avi Pfeffer
arXiv: Artificial Intelligence | 2016
Avi Pfeffer; Brian E. Ruttenberg; William Kretschmer