Towards Malware Author Attribution

走向恶意软件作者归属

• 批准号: RGPIN-2015-04102
• 负责人: Stakhanova, Natalia
• 金额: $ 1.31万
• 依托单位: University of Saskatchewan
• 依托单位国家: 加拿大
• 项目类别: Discovery Grants Program - Individual
• 财政年份: 2019
• 资助国家: 加拿大
• 起止时间: 2019-01-01 至 2020-12-31
• 项目状态: 已结题
• 来源: https://www.nserc-crsng.gc.ca/ase-oro/Details-Detailles_eng.asp?id=676965
• 关键词: Towards; Malware; Author; Attribution

In 2008 Symantec added 1.6 million new malware signatures to its malware database. This number increased to 2.9 million in 2009. In 2010, the new addition to the database constituted 4.4 million new signatures. This trend continued, and in 2011 an increase in malware has reached 41%. Traditional approaches predominantly based on recognizing well-documented threats (signatures) are struggling to cope with this rate of growth in malware numbers each year. Consequently, the majority of malware strains (many of which are short lived, i.e., less than 24 hours) go undetected. This inadequacy of traditional approaches exposes a dire need for alternative defences. We propose to turn our attention to malware source, i.e, malware authors. The benefit of such a strategy is clear: instead of detecting every malware strain, we could effectively characterize all malware variants generated by its author. We propose to study the theory and practice behind malware author attribution. Although authorship attribution, a technique aiming to determine an author of a document given some textual characteristics of the author's writing style extracted from his previous works, is well established in social science, it raises many research questions in malware detection domain. For example, how can we define an author (e.g., malware generation engine, a malware campaign, an individual) so that it can be leveraged for automatic and accurate detection, and to what extend source and binary code embed distinct features traceable to its author.**

2008年，赛门铁克在其恶意软件数据库中增加了160万个新的恶意软件签名。这一数字在2009年增加到290万。2010年，该数据库新增了440万个新签名。这一趋势还在继续，2011年恶意软件的增长达到了41%。传统的方法主要基于识别有案可查的威胁（签名），正努力应对每年恶意软件数量的增长速度。因此，大多数恶意软件（其中许多是短命的，即不到24小时）都没有被发现。传统方法的不足暴露了对替代防御的迫切需要。我们建议将注意力转向恶意软件的来源，即恶意软件的作者。这种策略的好处是显而易见的：我们可以有效地描述由其作者生成的所有恶意软件变体，而不是检测每个恶意软件菌株。我们建议研究恶意软件作者归属背后的理论和实践。作者归属是一种从作者以前的作品中提取作者写作风格的文本特征来确定文档作者的技术，虽然在社会科学中已经很成熟，但它在恶意软件检测领域提出了许多研究问题。例如，我们如何定义作者（例如，恶意软件生成引擎，恶意软件活动，个人），以便可以利用它进行自动和准确的检测，以及扩展源代码和二进制代码嵌入可追溯到其作者的独特特征