Malicious programs have been the main actors in complex, sophisticated attacks against nations, governments, diplomatic agencies, private institutions and people. Knowledge about malicious program behavior forms the basis for constructing more secure information systems. In this article, we introduce MBO, a Malicious Behavior Ontology that represents complex behaviors of suspicious executions, and through inference rules calculates their associated threat level for analytical proposals. We evaluate MBO using over two thousand unique known malware and 385 unique known benign software. Results highlight the representativeness of the MBO for expressing typical malicious activities.
Afonso, V.M., Filho, D.S.F., Grégio, A.R.A., de Geus, P.L. & Jino, M. (2012). A hybrid framework to analyze web and OS malware. In Proceedings of the IEEE International Conference of Communications (ICC), Ottawa, Canada (pp. 966–970).
2.
Bailey, M., Oberheide, J., Andersen, J., Mao, Z.M., Jahanian, F. & Nazario, J. (2007). Automated classification and analysis of Internet malware. In Proceedings of the 10th International Symposium on Recent Advances in Intrusion Detection (RAID’07), Gold Coast, Australia (pp. 178–197).
3.
Balzarotti, D., Cova, M., Karlberger, C., Kruegel, C., Kirda, E. & Vigna, G. (2010). Efficient detection of split personalities in malware. In Proceedings of the Network and Distributed System Security Symposium (NDSS), San Diego, CA.
4.
Bayer, U., Milani Comparetti, P., Hlauscheck, C., Kruegel, C. & Kirda, E. (2009). Scalable, behavior-based malware clustering. In 16th Symposium on Network and Distributed System Security (NDSS).
5.
Bellard, F. (2005). QEMU, a fast and portable dynamic translator. In Proceedings of the Annual Conference on USENIX Annual Technical Conference (ATEC’05) (pp. 41–41). Berkeley, CA, USA: USENIX Association.
6.
Branco, R.R., Barbosa, G.N. & Neto, P.D. (2012). Scientific but not academical overview of malware anti-debugging, anti-disassembly and anti-VM technologies. In Black Hat Technical Security Conf., Nevada, Las Vegas.
7.
Chen, X., Andersen, J., Mao, Z.M., Bailey, M. & Nazario, J. (2008). Towards an understanding of anti-virtualization and anti-debugging behavior in modern malware. In IEEE International Conference on Dependable Systems and Networks with FTCS and DCC (DSN 2008) (pp. 177–186). IEEE.
8.
Chiang, H.-S. & Tsaur, W.-J. (2010). Mobile malware behavioral analysis and preventive strategy using ontology. In A.K.Elmagarmid and D.Agrawal (Eds.), SocialCom (pp. 1080–1085). IEEE Computer Society.
9.
Gonzalez, C., Ben-Asher, N., Oltramari, A. & Lebiere, C. (2014). Cognition and technology. In A.Kott, C.Wang and R.F.Erbacher (Eds.), Cyber Defense and Situational Awareness. Advances in Information Security (Vol. 62, pp. 93–117). Springer.
10.
Grégio, A.R.A., Afonso, V.M., Filho, D.S.F., de Geus, d, P.L. & Jino, M. (2015). Toward a taxonomy of malware behaviors. The Computer Journal, 58(10), 2758–2777.
11.
Grégio, A.R.A., Afonso, V.M., Filho, D.S.F., de Geus, P.L., Jino, M. & dos Santos, R.D.C. (2012a). Pinpointing malicious activities through network and system-level malware execution behavior. In 12th International Conference on Computational Science and Its Applications (ICCSA), Salvador, BA, Brazil. Lecture Notes in Computer Science (Vol. 7336, pp. 274–285). Berlin, Heidelberg: Springer.
12.
Grégio, A.R.A., Bonacin, R., Nabuco, O., Monte Afonso, V., De Lício, G.P. & Jino, M. (2014). Ontology for malware behavior: A core model proposal. In 2014 IEEE 23rd International WETICE Conference (WETICE) (pp. 453–458). IEEE.
13.
Grégio, A.R.A., de Geus, P.L., Kruegel, C. & Vigna, G. (2012b). Tracking memory writes for malware classification and code reuse identification. In Proceedings of the 9th International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment (DIMVA’12) (pp. 134–143). Berlin, Heidelberg: Springer.
14.
Huang, H.-D., Chuang, T.-Y., Tsai, Y.-L. & Lee, C.-S. (2010). Ontology-based intelligent system for malware behavioral analysis. In FUZZ–IEEE (pp. 1–6). IEEE.
15.
Huang, H.-D., Lee, C.-S., Hagras, H. & Kao, H.-Y. (2012). Twman+: A type-2 fuzzy ontology model for malware behavior analysis. In 2012 IEEE International Conference on Systems, Man, and Cybernetics (SMC) (pp. 2821–2826).
16.
Jasiul, B., Sliwa, J., Gleba, K. & Szpyrka, M. (2014). Identification of malware activities with rules. In M.Ganzha, L.A.Maciaszek and M.Paprzycki (Eds.), Proceedings of the 2014 Federated Conference on Computer Science and Information Systems, Warsaw, Poland, September 7–10, 2014 (pp. 101–110).
Lehti, R., Virolainen, P., van den Berg, R. & von Haugwitz, H. (2013). Advanced intrusion detection environment. Available at: http://aide.sourceforge.net.
19.
Li, P., Liu, L., Gao, D. & Reiter, M.K. (2010). On challenges in evaluating malware clustering. In Proceedings of the 13th International Conference on Recent Advances in Intrusion Detection (RAID’10) (pp. 238–255). Berlin, Heidelberg: Springer.
20.
Liang, S., Fodor, P., Wan, H. & Kifer, M. (2009). Openrulebench: An analysis of the performance of rule engines. In Proceedings of the 18th International Conference on World Wide Web (WWW’09) (pp. 601–610). New York, NY, USA: ACM.
21.
Martinez, C.A., Echeverri, G.I. & Sanz, A.G.C. (2010). Malware detection based on cloud computing integrating intrusion ontology representation. In 2010 IEEE Latin-American Conference on Communications (LATINCOM) (pp. 1–6).
22.
Mundie, D.A. & Mcintire, D.M. (2013). The mal: A malware analysis lexicon. Avaibale at: http://www.sei.cmu.edu/reports/13tn010.pdf.
23.
Mundie, D.A. & McIntire, D.M. (2013). An ontology for malware analysis. In 2013 International Conference on Availability, Reliability and Security (ARES 2013), Regensburg, Germany, September 2–6, 2013 (pp. 556–558). IEEE Computer Society.
24.
Noor, M. & Abbas, H. (2013). Anticipating dormant functionality in malware: A semantics based approach. In 2013 International Symposium on Biometrics and Security Technologies (ISBAST) (pp. 20–23).
25.
Obrst, L., Chase, P. & Markeloff, R. (2012). Developing an ontology of the cyber security domain. In P.C.G.da Costa and K.B.Laskey (Eds.), Proceedings of the Seventh International Conference on Semantic Technologies for Intelligence, Defense, and Security (STIDS 2012). CEUR Workshop Proceedings (Vol. 966, pp. 49–56). Available at: CEUR-WS.org.
26.
Park, Y., Reeves, D., Mulukutla, V. & Sundaravel, B. (2010). Fast malware classification by automated behavioral graph matching. In Proceedings of the Sixth Annual Workshop on Cyber Security and Information Intelligence Research (CSIIRW’10) (pp. 45:1–45:4). New York, NY, USA: ACM.
27.
Rieck, K., Holz, T., Willems, C., Düssel, P. & Laskov, P. (2008). Learning and classification of malware behavior. In Proceedings of the 5th International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment (DIMVA’08) (pp. 108–125). Berlin, Heidelberg: Springer.
28.
Rossow, C., Dietrich, C.J., Kreibich, C., Grier, C., Paxson, V., Pohlmann, N., Bos, H. & van Steen, M. (2012). Prudent practices for designing malware experiments: Status quo and outlook. In Proceedings of the 33rd IEEE Symposium on Security and Privacy (S&P), San Francisco, CA (pp. 65–79).
29.
Shahriar, H. & Zulkernine, M. (2012). Trustworthiness testing of phishing websites: A behavior model-based approach. Future Generation Computer Systems, 28(8), 1258–1271. Including Special Sections SS: Trusting Software Behavior and SS: Economics of Computing Services.
30.
Shoaib, M. & Farooq, M. (2015). Uspam – A user centric ontology driven spam detection system. In 2015 48th Hawaii International Conference on System Sciences (HICSS) (pp. 3661–3669).
31.
Stewart, J. (2006). Truman. Available at: http://www.secureworks.com/cyber-threat-intelligence/tools/truman/.
32.
Syed, R.H., Syrame, M. & Bourgeois, J. (2013). Protecting grids from cross-domain attacks using security alert sharing mechanisms. Future Generation Comp. Syst., 29(2), 536–547.
33.
Tafazzoli, T. & Sadjadi, S.H. (2008). Malware fuzzy ontology for semantic web. International Journal of Computer Science and Network Security, 8, 153–161.
34.
Wang, P., Chao, K.-M., Lo, C.-C. & Wang, Y.-S. (2015). Using ontologies to perform threat analysis and develop defensive strategies for mobile security. Information Technology and Management, 1–25.
