Identifying ATT&CK Tactics in a Control Flow Graph by Applying Graph Neural Networks on Android Malware
Additional Funding Sources
This research has been sponsored by the National Science Foundation under Award No. 1950599.
Abstract
Malware applications cause huge monetary damage and are a menace to people. Mitigating the effects of a malware application is a challenging task that requires a deep understanding of what the application does. To understand malware actions in depth, it is helpful to connect those actions with the specific macro-level tactics, techniques, and procedures (TTP) enumerated in the ATT&CK ontology. The Control Flow Graph (CFG) of an application (or malware) describes the actions of a program during its execution: it describes the flow of all internal and external function calls. We propose a novel approach to locating ATT&CK® TTP in a CFG by applying machine learning classifiers to Android malware. More specifically, our approach associates a TTP with a subgraph of the CFG. We use a Graph Neural Network together with the SIR-GN node representation learning approach to process the CFG and build a model that classifies the associated TTP. Furthermore, we use the Shapley Additive Explanations (SHAP) technique to identify the subgraph of the CFG connected with the specific TTP. Initial experiments show 85% accuracy in classifying such techniques.
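As an added illustration (not code from the paper or its authors), the following Python sketch runs the pipeline the abstract describes end to end on a constructed toy call graph: nodes are methods, edges are calls, each node gets a structural feature vector, the vectors are pooled into a graph embedding, the embedding is classified against a per-TTP centroid, and the decision is attributed back to the nodes so that the supporting subgraph can be read off. The feature scheme is a deliberately simple stand-in for SIR-GN, nearest-centroid classification stands in for the GNN, and exact Shapley values over node coalitions stand in for SHAP; the graphs and the labels `TTP_A`/`TTP_B` are constructed placeholders, not techniques from the paper.

```python
"""Toy CFG -> node features -> graph classifier -> Shapley node attribution.
Every graph, label and the feature scheme is constructed for illustration."""
from itertools import combinations
from math import factorial, sqrt


def _normalize(cfg):
    """Ensure every callee is also a key so degrees are computed for all nodes."""
    g = {n: list(callees) for n, callees in cfg.items()}
    for callees in cfg.values():
        for m in callees:
            g.setdefault(m, [])
    return g


def structural_features(cfg, iters=2):
    """Per node: [out_degree, in_degree] + mean of successors' previous-round vectors.
    Simple stand-in for a structural role embedding like SIR-GN (assumption)."""
    g = _normalize(cfg)
    indeg = {n: 0 for n in g}
    for callees in g.values():
        for m in callees:
            indeg[m] += 1
    feats = {n: [float(len(g[n])), float(indeg[n])] for n in g}
    for _ in range(iters):
        nxt = {}
        for n in g:
            succ = [feats[m] for m in g[n]]
            dim = len(feats[n])
            agg = [sum(v[i] for v in succ) / len(succ) if succ else 0.0 for i in range(dim)]
            nxt[n] = feats[n][:2] + agg
        feats = nxt
    return feats


def graph_embedding(cfg, iters=2):
    """Mean-pool node vectors into one graph vector of 2 * (iters + 1) dimensions."""
    feats = structural_features(cfg, iters)
    dim = 2 * (iters + 1)
    if not feats:
        return [0.0] * dim
    return [sum(v[i] for v in feats.values()) / len(feats) for i in range(dim)]


def train_centroids(examples, iters=2):
    """Nearest-centroid 'model': one averaged embedding per TTP label."""
    acc = {}
    for cfg, label in examples:
        emb = graph_embedding(cfg, iters)
        s, c = acc.get(label, ([0.0] * len(emb), 0))
        acc[label] = ([a + b for a, b in zip(s, emb)], c + 1)
    return {label: [x / c for x in s] for label, (s, c) in acc.items()}


def _distances(cfg, centroids, iters):
    emb = graph_embedding(cfg, iters)
    return {lab: sqrt(sum((a - b) ** 2 for a, b in zip(emb, c))) for lab, c in centroids.items()}


def classify(cfg, centroids, iters=2):
    d = _distances(cfg, centroids, iters)
    return min(d, key=d.get)


def margin(cfg, centroids, target, iters=2):
    """Distance to the nearest other class minus distance to `target` (> 0 means `target`)."""
    d = _distances(cfg, centroids, iters)
    return min(v for lab, v in d.items() if lab != target) - d[target]


def node_shapley(cfg, centroids, target, iters=2):
    """Exact Shapley value of each node for the margin towards `target`. A coalition is the
    induced subgraph on a node subset; the empty graph is worth 0. SHAP approximates this;
    the exact 2^n enumeration is only feasible for tiny graphs like the sample below."""
    g = _normalize(cfg)
    nodes, n = list(g), len(g)

    def worth(subset):
        if not subset:
            return 0.0
        sub = {u: [w for w in g[u] if w in subset] for u in subset}
        return margin(sub, centroids, target, iters)

    phi = {}
    for u in nodes:
        rest = [x for x in nodes if x != u]
        total = 0.0
        for k in range(n):
            weight = factorial(k) * factorial(n - k - 1) / factorial(n)
            for coalition in combinations(rest, k):
                s = frozenset(coalition)
                total += weight * (worth(s | {u}) - worth(s))
        phi[u] = total
    return phi


def explain(cfg, centroids, iters=2):
    """Predict the TTP and return the induced subgraph of nodes that push towards it."""
    label = classify(cfg, centroids, iters)
    phi = node_shapley(cfg, centroids, label, iters)
    keep = {u for u, v in phi.items() if v > 0}
    g = _normalize(cfg)
    return label, phi, {u: [w for w in g[u] if w in keep] for u in keep}


# Constructed training graphs: "TTP_A" = dispatcher-style fan-out, "TTP_B" = call chains.
TRAINING = [
    ({"hub": ["leaf1", "leaf2", "leaf3"]}, "TTP_A"),
    ({"hub": ["leaf1", "leaf2", "leaf3", "leaf4"]}, "TTP_A"),
    ({"a": ["b"], "b": ["c"], "c": ["d"]}, "TTP_B"),
    ({"a": ["b"], "b": ["c"], "c": ["d"], "d": ["e"]}, "TTP_B"),
]
# Constructed unknown sample: an entry method dispatching to a helper and to external calls.
SAMPLE = {"entry": ["helper", "ext_api_1"], "helper": ["ext_api_2", "ext_api_3"]}

if __name__ == "__main__":
    model = train_centroids(TRAINING)
    label, phi, subgraph = explain(SAMPLE, model)
    print("predicted:", label)
    for u, v in sorted(phi.items(), key=lambda kv: -kv[1]):
        print(f"  {u:10s} shapley={v:+.4f}")
    print("supporting subgraph:", subgraph)
```

The attribution step is the part worth studying: because the Shapley values are exact, they sum to the classifier's margin on the whole graph (the efficiency property), so the positive-valued nodes are exactly the part of the CFG the model credits for the TTP decision. On a real CFG with thousands of methods the coalition enumeration is impossible, which is why SHAP's sampling-based approximation is used in practice.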