Visible to the public TrustSign: Trusted Malware Signature Generation in Private Clouds Using Deep Feature Transfer Learning

TitleTrustSign: Trusted Malware Signature Generation in Private Clouds Using Deep Feature Transfer Learning
Publication TypeConference Paper
Year of Publication2019
AuthorsNahmias, Daniel, Cohen, Aviad, Nissim, Nir, Elovici, Yuval
Conference Name2019 International Joint Conference on Neural Networks (IJCNN)
Date PublishedJuly 2019
ISBN Number978-1-7281-1985-4
KeywordsAutomatic Signature Generation, cloud computing, cloud virtualization technology, convolutional neural networks, cryptography, cryptojacking, cryptojacking attacks, deep feature transfer learning, Deep Learning, digital signatures, distribution time, dynamic analysis, fileless malware, high-level deep features, Human Behavior, human factors, ImageNet dataset, in-browser cryptojacking attacks, inspection procedure, invasive software, Malware, Metrics, neural nets, private clouds, program diagnostics, pubcrawl, ransomware samples, resilience, Resiliency, static analysis, supervised classifiers, transfer learning, Trusted Computing, trusted malware signature generation method, TrustSign signature generation process, unsupervised classifier, unsupervised learning, VGG-19 neural network model, virtualisation, volatile memory

This paper presents TrustSign, a novel, trusted automatic malware signature generation method based on high-level deep features transferred from a VGG-19 neural network model pre-trained on the ImageNet dataset. While traditional automatic malware signature generation techniques rely on static or dynamic analysis of the malware's executable, our method overcomes the limitations associated with these techniques by producing signatures based on the presence of the malicious process in the volatile memory. Signatures generated using TrustSign well represent the real malware behavior during runtime. By leveraging the cloud's virtualization technology, TrustSign analyzes the malicious process in a trusted manner, since the malware is unaware and cannot interfere with the inspection procedure. Additionally, by removing the dependency on the malware's executable, our method is capable of signing fileless malware. Thus, we focus our research on in-browser cryptojacking attacks, which current antivirus solutions have difficulty to detect. However, TrustSign is not limited to cryptojacking attacks, as our evaluation included various ransomware samples. TrustSign's signature generation process does not require feature engineering or any additional model training, and it is done in a completely unsupervised manner, obviating the need for a human expert. Therefore, our method has the advantage of dramatically reducing signature generation and distribution time. The results of our experimental evaluation demonstrate TrustSign's ability to generate signatures invariant to the process state over time. By using the signatures generated by TrustSign as input for various supervised classifiers, we achieved 99.5% classification accuracy.

Citation Keynahmias_trustsign_2019