Security and Privacy in Communication Networks. 17th EAI International Conference, SecureComm 2021, Virtual Event, September 6–9, 2021, Proceedings, Part II

Research Article

JABBICLookups: A Backend Telemetry-Based System for Malware Triage

@INPROCEEDINGS{10.1007/978-3-030-90022-9_9,
  author={Octavian Ciprian Bordeanu and Gianluca Stringhini and Yun Shen and Toby Davies},
  title={JABBICLookups: A Backend Telemetry-Based System for Malware Triage},
  proceedings={Security and Privacy in Communication Networks. 17th EAI International Conference, SecureComm 2021, Virtual Event, September 6--9, 2021, Proceedings, Part II},
  proceedings_a={SECURECOMM PART 2},
  year={2021},
  month={11},
  keywords={Malware triage, Word embeddings},
  doi={10.1007/978-3-030-90022-9_9}
}
Octavian Ciprian Bordeanu1,*, Gianluca Stringhini2, Yun Shen, Toby Davies1
  • 1: University College London
  • 2: Boston University, Boston
*Contact email: octavian.bordeanu.16@ucl.ac.uk

Abstract

In this paper, we propose JABBIC lookups, a telemetry-based system for malware triage at the interface between proprietary reputation score systems and malware analysts. JABBIC uses file download telemetry collected from client protection solutions installed on end-hosts to determine the threat level of an unknown file based on the telemetry data associated with files already known to be malign. We apply word embeddings, together with semantic and relational similarity measures, to triage potentially malign files, following the intuition that, while single elements in a malware download might change over time, their context, defined as the semantic and relational properties between the different elements in a malware delivery system (e.g., servers, autonomous systems, files), does not change as fast. We show that JABBIC can leverage file download telemetry to let security vendors manage the collection and analysis of unknown files from remote end-hosts for timely processing by more sophisticated malware analysis systems. We test and evaluate JABBIC lookups with 33M download events collected during October 2015. We show that 85.83% of the files triaged with JABBIC lookups belong to the same malware family as their past counterpart files. We also show that, if used with proprietary reputation score systems, JABBIC can triage as malicious 55.1% of files before they are detected by VirusTotal, preceding this detection by over 20 days.
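The intuition in the abstract, that an unknown file inherits the reputation of the delivery context (servers, autonomous systems) it shares with already-labelled files, can be sketched in a few dozen lines. The following is an added illustration written for this page, not the authors' JABBIC code and far simpler than the system evaluated in the paper: where JABBIC trains word embeddings over real telemetry, this toy gives every token (file hash, server, AS) a sparse co-occurrence vector, then performs a semantic lookup (nearest labelled file by cosine similarity) and a relational lookup (nearest labelled file-to-server edge by the word-embedding analogy trick, file vector minus server vector). The telemetry, all identifiers, and the 0.8 similarity threshold are constructed for the example.

```python
"""Toy context-based malware triage in the spirit of JABBIC lookups.

Constructed example, not the authors' implementation: token embeddings are
raw co-occurrence vectors rather than trained word embeddings, which is
enough to show why files sharing delivery infrastructure end up close together.
"""
import math
from collections import defaultdict

# Constructed telemetry: (file hash, download server, origin AS, analyst label).
# A label of None marks a file for which the backend has no verdict yet.
EVENTS = [
    ("f_mal1", "srv-a", "AS100", "malicious"),
    ("f_mal1", "srv-b", "AS200", "malicious"),
    ("f_mal2", "srv-b", "AS200", "malicious"),
    ("f_ben1", "srv-c", "AS300", "benign"),
    ("f_ben1", "srv-d", "AS300", "benign"),
    ("f_ben2", "srv-d", "AS300", "benign"),
    ("f_unk1", "srv-a", "AS100", None),   # same infrastructure as f_mal1
    ("f_unk1", "srv-b", "AS200", None),
    ("f_unk2", "srv-d", "AS300", None),   # same infrastructure as the benign files
]
LABELS = {f: lab for f, _, _, lab in EVENTS if lab is not None}


def build_embeddings(events):
    """Treat each download event as a 'sentence' (file, server, AS) and give every
    token a sparse vector counting how often it co-occurs with every other token."""
    vecs = defaultdict(lambda: defaultdict(int))
    for f, srv, asn, _ in events:
        sentence = (f, srv, asn)
        for tok in sentence:
            for ctx in sentence:
                if ctx != tok:
                    vecs[tok][ctx] += 1
    return vecs


def cosine(u, v):
    """Cosine similarity of two sparse vectors (dict token -> weight)."""
    dot = sum(u[k] * v.get(k, 0) for k in u)
    nu = math.sqrt(sum(x * x for x in u.values()))
    nv = math.sqrt(sum(x * x for x in v.values()))
    return dot / (nu * nv) if nu and nv else 0.0


def relation(vecs, file, server):
    """Relational vector for one delivery edge: file minus the server it came from."""
    r = defaultdict(int, vecs[file])
    for k, x in vecs[server].items():
        r[k] -= x
    return r


def semantic_lookup(vecs, unknown):
    """Nearest labelled file by cosine similarity of context vectors."""
    best = max(sorted(LABELS), key=lambda f: cosine(vecs[unknown], vecs[f]))
    return best, cosine(vecs[unknown], vecs[best])


def relational_lookup(vecs, events, unknown, server):
    """Nearest labelled (file, server) edge whose file->server relation matches
    the relation between the unknown file and the server it was fetched from."""
    target = relation(vecs, unknown, server)
    candidates = sorted({(f, s) for f, s, _, lab in events if lab is not None})
    best = max(candidates, key=lambda e: cosine(target, relation(vecs, *e)))
    return best, cosine(target, relation(vecs, *best))


def triage(unknown, vecs=None, threshold=0.8):
    """Give the unknown file the verdict of its closest known counterpart, provided
    the context similarity clears the (assumed) threshold; else leave it undetermined."""
    vecs = vecs or build_embeddings(EVENTS)
    nearest, sim = semantic_lookup(vecs, unknown)
    verdict = LABELS[nearest] if sim >= threshold else "undetermined"
    return {"file": unknown, "nearest": nearest,
            "similarity": round(sim, 3), "verdict": verdict}


if __name__ == "__main__":
    V = build_embeddings(EVENTS)
    for f in ("f_unk1", "f_unk2"):
        print(triage(f, V))
    print(relational_lookup(V, EVENTS, "f_unk1", "srv-a"))
```

On this input `f_unk1` lands on `f_mal1` (both were served from `srv-a` in AS100 and `srv-b` in AS200) and is triaged as malicious without any static analysis of the file itself, while `f_unk2` lands on `f_ben2`. The relational lookup reaches the same counterpart through the `f_unk1 -> srv-a` edge. The caveat a practitioner should keep in mind is that both lookups are only as good as the labels already in the backend: a malicious file delivered through infrastructure the backend has never seen labelled scores near zero against everything and must fall through to the heavier analysis pipeline the abstract refers to.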

Keywords
Malware triage, Word embeddings
Published
2021-11-04
Appears in
SpringerLink
http://dx.doi.org/10.1007/978-3-030-90022-9_9