A multilabel fuzzy relevance clustering system for malware attack attribution in the edge layer of cyber-physical networks

Alaeiyan, M, Dehghantanha, A, Dargahi, T ORCID: https://orcid.org/0000-0002-0908-6483, Conti, M and Parsa, S 2020, 'A multilabel fuzzy relevance clustering system for malware attack attribution in the edge layer of cyber-physical networks' , ACM Transactions on Cyber-Physical Systems, 4 (3) , pp. 1-22.

[img]
Preview
PDF - Accepted Version
Download (1MB) | Preview

Abstract

The rapid increase in the number of malicious programs has made malware forensics a daunting task and caused users’ systems to become in danger. Timely identification of malware characteristics including its origin and the malware sample family would significantly limit the potential damage of malware. This is a more profound risk in Cyber-Physical Systems (CPSs), where a malware attack may cause significant physical damage to the infrastructure. Due to limited on-device available memory and processing power in CPS devices, most of the efforts for protecting CPS networks are focused on the edge layer, where the majority of security mechanisms are deployed. Since the majority of advanced and sophisticated malware programs are combining features from different families, these malicious programs are not similar enough to any existing malware family and easily evade binary classifier detection. Therefore, in this article, we propose a novel multilabel fuzzy clustering system for malware attack attribution. Our system is deployed on the edge layer to provide insight into applicable malware threats to the CPS network. We leverage static analysis by utilizing Opcode frequencies as the feature space to classify malware families. We observed that a multilabel classifier does not classify a part of samples. We named this problem the instance coverage problem. To overcome this problem, we developed an ensemble-based multilabel fuzzy classification method to suggest the relevance of a malware instance to the stricken families. This classifier identified samples of VirusShare, RansomwareTracker, and BIG2015 with an accuracy of 94.66%, 94.26%, and 97.56%, respectively.

Item Type: Article
Schools: Schools > School of Computing, Science and Engineering
Journal or Publication Title: ACM Transactions on Cyber-Physical Systems
Publisher: Association for Computing Machinery (ACM)
ISSN: 2378-962X
Related URLs:
Depositing User: T Dargahi
Date Deposited: 07 Apr 2020 08:10
Last Modified: 21 Apr 2020 14:15
URI: http://usir.salford.ac.uk/id/eprint/56720

Actions (login required)

Edit record (repository staff only) Edit record (repository staff only)

Downloads

Downloads per month over past year