Imperial College London
Portrait Picture

Professor Nick Heard

Faculty of Natural SciencesDepartment of Mathematics

Chair in Statistics
 
 
 
//

Contact

 

+44 (0)20 7594 1490n.heard Website

 
 
//

Location

 

543Huxley BuildingSouth Kensington Campus

//

Summary

 

Publications

Citation

BibTex format

@article{Bolton:2018:10.1080/01621459.2018.1423984,
author = {Bolton, A and Heard, N},
doi = {10.1080/01621459.2018.1423984},
journal = {Journal of the American Statistical Association},
pages = {1490--1502},
title = {Malware family discovery using reversible jump MCMC sampling of regimes},
url = {http://dx.doi.org/10.1080/01621459.2018.1423984},
volume = {113},
year = {2018}
}
Download

RIS format (EndNote, RefMan)

TY  - JOUR
AB  - Malware is computer software which has either been designed or modified with malicious intent. Hundreds of thousands of new malware threats appear on the internet each day. This is made possible through reuse of known exploits in computer systems which have not been fully eradicated; existing pieces of malware can be trivially modified and combined to create new malware which is unknown to anti-virus programs. Finding new software with similarities to known malware is therefore an important goal in cyber-security. A dynamic instruction trace of a piece of software is the sequence of machine language instructions it generates when executed. Statistical analysis of a dynamic instruction trace can help reverse engineers infer the purpose and origin of the software that generated it. Instruction traces have been successfully modeled as simple Markov chains, but empirically there are change points in the structure of the traces, with recurring regimes of transition patterns. Here, reversible jump MCMC for change point detection is extended to incorporate regime-switching, allowing regimes to be inferred from malware instruction traces. A similarity measure for malware programs based on regime matching is then used to infer the originating families, leading to compelling performance results.
AU  - Bolton,A
AU  - Heard,N
DO  - 10.1080/01621459.2018.1423984
EP  - 1502
PY  - 2018///
SN  - 0162-1459
SP  - 1490
TI  - Malware family discovery using reversible jump MCMC sampling of regimes
T2  - Journal of the American Statistical Association
UR  - http://dx.doi.org/10.1080/01621459.2018.1423984
UR  - http://hdl.handle.net/10044/1/56640
VL  - 113
ER  -
Download