Identifying ATT&CK Tactics in a Control Flow Graph by Applying Graph Neural Networks on Android Malware

Additional Funding Sources

This research has been sponsored by the National Science Foundation under Award No. 1950599.

Presentation Date

7-2021

Abstract

Malware applications cause large monetary damages and are a menace to people. Mitigating the effects of a malware application is a challenging task that requires a deep understanding of what the application actually does. To understand malware actions in depth, it is helpful to connect those actions with the tactics, techniques, and procedures (TTPs) enumerated in the MITRE ATT&CK® ontology. The control flow graph (CFG) of an application (malicious or not) describes the program's actions during execution: the flow of all internal and external function calls. We propose a novel approach to locating ATT&CK TTPs in a CFG by applying machine learning classifiers to Android malware. More specifically, our approach associates a TTP with a subgraph of the CFG. We use a graph neural network together with the SIR-GN node representation learning approach to process the CFG and build a model that classifies the associated TTP. Furthermore, we use the Shapley Additive Explanations (SHAP) technique to identify the subgraph of the CFG connected with the specific TTP. Initial experiments show 85% accuracy in classifying such techniques.
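The pipeline sketched in the abstract (graph in, technique label out, then an attribution step that points back at the responsible subgraph) can be shown end to end on a toy call graph. The example below is added here and is not the authors' code or data: the call graphs, the API-category lookup and the class labels ("sms_abuse", "benign", placeholders rather than ATT&CK technique IDs) are all constructed. It stands in a fixed-weight, untrained message-passing layer for the GNN/SIR-GN embedding, a nearest-centroid rule for the trained classifier, and exact Shapley values over node coalitions (the quantity SHAP approximates) for the SHAP step. Nodes with positive Shapley value form the explaining subgraph.

```python
"""Toy version of: call graph -> graph embedding -> technique label -> explaining subgraph.
Everything here is constructed for illustration (not the paper's model, features or data)."""
from itertools import permutations
from math import dist, factorial

# Constructed API-category lookup; the one-hot position follows this tuple order.
CATEGORIES = ("app", "telephony", "sms", "network")
API_CATEGORY = {
    "onCreate": "app", "onReceive": "app", "onStart": "app", "onResume": "app",
    "setContentView": "app", "findViewById": "app", "getString": "app",
    "abortBroadcast": "app", "exfil": "app",
    "getDeviceId": "telephony", "getSubscriberId": "telephony", "getLine1Number": "telephony",
    "sendTextMessage": "sms",
    "connect": "network", "openConnection": "network",
}

# Constructed training call graphs (caller -> list of callees) per placeholder class.
TRAINING = {
    "sms_abuse": [
        {"onCreate": ["getDeviceId", "sendTextMessage"]},
        {"onReceive": ["sendTextMessage", "getLine1Number", "abortBroadcast"]},
    ],
    "benign": [
        {"onCreate": ["setContentView", "connect"]},
        {"onStart": ["findViewById", "openConnection", "getString"]},
    ],
}
# Constructed samples to classify and explain; "exfil" is a hypothetical app-defined helper.
SAMPLE = {"onCreate": ["setContentView", "exfil"], "exfil": ["getDeviceId", "sendTextMessage"]}
BENIGN_SAMPLE = {"onResume": ["findViewById", "connect"]}


def all_nodes(calls):
    return set(calls) | {u for vs in calls.values() for u in vs}


def one_hot(name):
    return [1.0 if c == API_CATEGORY[name] else 0.0 for c in CATEGORIES]


def embed(calls, nodes=None, rounds=2):
    """Fixed-weight message passing (each node adds the mean of its callees' vectors,
    `rounds` times) on the subgraph induced by `nodes`, then mean-pooled to one vector."""
    nodes = all_nodes(calls) if nodes is None else set(nodes)
    if not nodes:
        return [0.0] * len(CATEGORIES)
    h = {v: one_hot(v) for v in nodes}
    for _ in range(rounds):
        new = {}
        for v in nodes:
            callees = [u for u in calls.get(v, ()) if u in nodes]
            vec = list(h[v])
            if callees:
                for i in range(len(vec)):
                    vec[i] += sum(h[u][i] for u in callees) / len(callees)
            new[v] = vec
        h = new
    return [sum(h[v][i] for v in nodes) / len(nodes) for i in range(len(CATEGORIES))]


def centroids(training):
    """Nearest-centroid 'classifier': one mean embedding per class."""
    out = {}
    for label, graphs in training.items():
        vecs = [embed(g) for g in graphs]
        out[label] = [sum(v[i] for v in vecs) / len(vecs) for i in range(len(CATEGORIES))]
    return out


def predict(calls, cents):
    vec = embed(calls)
    return min(cents, key=lambda label: dist(vec, cents[label]))


def score(vec, cents, target):
    """Margin for `target`: distance to the closest other centroid minus distance to target's."""
    other = min(dist(vec, c) for label, c in cents.items() if label != target)
    return other - dist(vec, cents[target])


def shapley_nodes(calls, cents, target):
    """Exact Shapley value of every node for the target-class margin (value function =
    score of the induced subgraph), averaged over all node orderings. Fine for toy graphs;
    SHAP's sampling/kernel approximations are what make this tractable on real CFGs."""
    nodes = sorted(all_nodes(calls))
    phi = {v: 0.0 for v in nodes}
    empty = score(embed(calls, set()), cents, target)
    for perm in permutations(nodes):
        coalition, prev = set(), empty
        for v in perm:
            coalition.add(v)
            cur = score(embed(calls, coalition), cents, target)
            phi[v] += cur - prev
            prev = cur
    n = factorial(len(nodes))
    return {v: phi[v] / n for v in nodes}


def explaining_subgraph(calls, phi):
    """Nodes that push the graph toward the predicted class, with the edges among them."""
    keep = {v for v, val in phi.items() if val > 0}
    edges = [(v, u) for v in calls for u in calls[v] if v in keep and u in keep]
    return sorted(keep), edges


if __name__ == "__main__":
    cents = centroids(TRAINING)
    label = predict(SAMPLE, cents)
    phi = shapley_nodes(SAMPLE, cents, label)
    print("predicted:", label)
    for v, val in sorted(phi.items(), key=lambda kv: -kv[1]):
        print(f"  {v:16s} {val:+.3f}")
    print("explaining subgraph:", explaining_subgraph(SAMPLE, phi))
```

The ranking shows the point of the attribution step: the sensitive API nodes (`getDeviceId`, `sendTextMessage`) carry the positive weight for the "sms_abuse" label, while UI plumbing such as `setContentView` pulls toward "benign", so the explaining subgraph is the helper-plus-API-calls region rather than the whole graph. Replacing the fixed-weight layer with a trained GNN or SIR-GN embedding and the exact enumeration with SHAP changes the numbers, not the structure of the procedure.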
