TY - JOUR
T1 - A Multilabel Fuzzy Relevance Clustering System for Malware Attack Attribution in the Edge Layer of Cyber-Physical Networks
AU - Alaeiyan, Mohammadhadi
AU - Dehghantanha, Ali
AU - Dargahi, Tooska
AU - Conti, Mauro
AU - Parsa, Saeed
PY - 2020/5
Y1 - 2020/5
N2 - The rapid increase in the number of malicious programs has made malware forensics a daunting task and put users' systems in danger. Timely identification of malware characteristics, including its origin and the family of the malware sample, would significantly limit the potential damage of malware. This risk is more profound in Cyber-Physical Systems (CPSs), where a malware attack may cause significant physical damage to the infrastructure. Because CPS devices have limited on-device memory and processing power, most efforts to protect CPS networks focus on the edge layer, where the majority of security mechanisms are deployed. Since the majority of advanced and sophisticated malware programs combine features from different families, these malicious programs are not similar enough to any existing malware family and easily evade binary classifier detection. Therefore, in this article, we propose a novel multilabel fuzzy clustering system for malware attack attribution. Our system is deployed on the edge layer to provide insight into the malware threats applicable to the CPS network. We leverage static analysis by using opcode frequencies as the feature space to classify malware families. We observed that a multilabel classifier fails to classify some samples; we named this problem the instance coverage problem. To overcome it, we developed an ensemble-based multilabel fuzzy classification method that suggests the relevance of a malware instance to the affected families. This classifier identified samples of VirusShare, RansomwareTracker, and BIG2015 with an accuracy of 94.66%, 94.26%, and 97.56%, respectively.
KW - CPS
KW - cyber-physical systems
KW - Edge layer
KW - fuzzy classification
KW - instance coverage
KW - Internet of Things
KW - IoT
KW - malware classification
UR - http://www.scopus.com/inward/record.url?scp=85085504201&partnerID=8YFLogxK
U2 - 10.1145/3351881
DO - 10.1145/3351881
M3 - Article
AN - SCOPUS:85085504201
SN - 2378-962X
VL - 4
JO - ACM Transactions on Cyber-Physical Systems
JF - ACM Transactions on Cyber-Physical Systems
IS - 3
M1 - 3351881
ER -