ABSTRACT
Behavior-based analysis of emerging malware families involves finding suspicious patterns in large collections of execution traces. This activity cannot be automated for previously unknown malware families, so malware analysts would benefit greatly from integrating visual analytics methods into their process. However, existing approaches are limited to fairly static representations of data, and there is no systematic characterization and abstraction of this problem domain. Therefore, we performed a systematic literature study and conducted a focus group as well as semi-structured interviews with 10 malware analysts to elicit a problem abstraction along the lines of data, users, and tasks. The requirements emerging from this work can serve as a basis for future design proposals for visual analytics-supported malware pattern analysis.
Index Terms
- Problem characterization and abstraction for visual analytics in behavior-based malware pattern analysis