A Threat Intelligence Generation Method for Malware Family

doi:10.3969/j.issn.1671-1122.2020.12.011

Abstract

Abstract:

In view of the current high redundancy of threat intelligence and the inability to quickly generate and share intelligence, a rapid threat intelligence generation method for malware families is proposed. Run the malware through the open source automated malware analysis platform and extract the malicious features, calculate the feature fuzzy hash value, use the improved CFSFDP algorithm to cluster the malware based on the fuzzy Hash value of the malicious code, and finally according to each type of malware family The characteristics of generate threat intelligence that meets the STIX1.2 standards. Experiments show that this method can effectively generate machine-readable and shareable threat intelligence, and significantly shorten the time for threat intelligence generation.

Key words: threat intelligence, malware, fuzzy Hash, clustering

CLC Number:

TP309

WANG Changjie, LI Zhihua, ZHANG Ye. A Threat Intelligence Generation Method for Malware Family[J]. Netinfo Security, 2020, 20(12): 83-90.

Figures/Tables 10

References 20

[1]	SYMANTEC. 2019 Symantec Symantec 2019 Internet Security Threat Report[EB/OL]. https://docs.broadcom.com/doc/istr-24-2019-en, 2020-09-28.
[2]	YANG Peian, WU Yang, SU Liya, et al. Overview of Threat Intelligence Sharing Technologies in Cyberspace[J]. Computer Science, 2018,45(6):9-18.
	杨沛安, 武杨, 苏莉娅, 等. 网络空间威胁情报共享技术综述[J]. 计算机科学, 2018,45(6):9-18.
[3]	HAN Xiaoguang, QU Wu, YAO Xuanxia, et al. Research on Malicious Code Variants Detection Based on Texture Fingerprint[J]. Journal on Communications, 2014,35(8):125-136.
	韩晓光, 曲武, 姚宣霞, 等. 基于纹理指纹的恶意代码变种检测方法研究[J]. 通信学报, 2014,35(8):125-136.
[4]	LIAO Xiaojing, YUAN Kan, WANG Xiaofeng, et al. Acing the IOC Game: Toward Automatic Discovery and Analysis of Open-source Cyber Threat Intelligence[C]// ACM. ACM SIGSAC Conference on Computer & Communications Security, October 24-28, 2016, Vienna, Austria. New York: ACM, 2016: 755-766.
[5]	SUN Bo, FUJINO A, MORI T, et al. Automatically Generating Malware Analysis Reports Using Sandbox Logs[J]. IEICE Transactions on Information and Systems, 2018,101(11):2622-2632.
[6]	ZHANG Yongsheng, WANG Zhi, WU Yijie, et al. Cyber Threat Intelligence Propagation Based on Conformal Prediction[J]. Netinfo Security, 2020,20(6):90-95.
[7]	WANG Qinxin, YANG Wang. Extraction of Threat Intelligence Entities Based on STIX[J]. Cyberspace Security, 2020,11(8):86-91.
	王沁心, 杨望. 基于STIX标准的威胁情报实体抽取研究[J]. 网络空间安全, 2020,11(8):86-91.
[8]	GBADEBO A, SWARUP C, LATIFUR K, et al. Automated Threat Report Classification over Multi-source Data[C]// IEEE. 4th International Conference on Collaboration and Internet Computing, October 18-20, 2018, Philadelphia, PA, USA. New Jersey: IEEE, 2018: 236-245.
[9]	LYU Zongping, ZHONG Youbing, GU Zhaojun. Threat Intelligence Analysis Research Based on Kill Chain and Network Traffic Detection[J]. Application Research of Computers, 2017,34(6):1794-1797.
	吕宗平, 钟友兵, 顾兆军. 基于攻击链和网络流量检测的威胁情报分析研究[J]. 计算机应用研究, 2017,34(6):1794-1797.
[10]	KIM E, KIM K, SHIN D, et al. CyTIME: Cyber Threat Intelligence ManagEment Framework for Automatically Generating Security Rules[C]// ACM. 13th International Conference on Future Internet Technologies, June 20-22, 2018, Seoul, Republic of Korea. New York: ACM, 2018: 1-5.
[11]	GASCON H, GROBAUER B, SCHRECK T, et al. Mining Attributed Graphs for Threat Intelligence[C]// ACM. The 7th ACM on Conference on Data and Application Security and Privacy, March 22-24, 2017, Scottsdale, Arizona, USA. New York: ACM, 2017: 15-22.
[12]	WAGNER C, DULAUNOY A, LKLODY A, et al. MISP-The Design and Implementation of a Collaborative Threat Intelligence Sharing Platform[C]// ACM. 2016 ACM on Workshop on Information Sharing and Collaborative Security, October 24, 2016, Vienna Austria. New York: ACM, 2016: 49-56.
[13]	VERMA M, KUMARGURU P, DEB S B, et al. Analysing Indicator of Compromises for Ransomware: Leveraging IOCs with Machine Learning Techniques[C]// IEEE. 2018 IEEE International Conference on Intelligence and Security Informatics, November 9-11, 2018, Miami, FL, USA. New Jersey: IEEE, 2018: 154-159.
[14]	RODRIGUEZ A, LAIO A. Clustering by Fast Search and Find of Density Peaks[EB/OL]. http://sites.psu.edu/mcnl/files/2017/03/9-2dhti48.pdf, 2014-06-14.
[15]	MITRE. Structured Threat Information eXpression[EB/OL]. https://stixproject.github.io/about/, 2020-09-28.
[16]	HUANG Yajuan. Research on Network Threat Intelligence in the United States[D]. Changsha: National University of Defense Technology, 2018.
	黄雅娟. 美国网络威胁情报工作研究[D]. 长沙:国防科技大学, 2018.
[17]	CUCKOO Foundation. Automated Mailware Analysis: Cuckoo Sandbox[EB/OL]. https://cuckoo.sh/docs/, 2020-09-28.
[18]	KORNBLUM J. Identifying Almost Identical Files Using Context Triggered Piecewise Hashing[EB/OL]. https://www.sciencedirect.com/science/article/pii/S1742287606000764, 2020-09-28.
[19]	MITRE. A Python Library for Parsing, Manipulating, and Generating Structured Threat Information eXpression(STIX™) v1.2.0 Content[EB/OL]. https://github.com/STIXProject/python-stix, 2020-09-28.
[20]	SERKETZIS N, KATOS V, LLIOUDIS C, et al. Actionable Threat Intelligence for Digital Forensics Readiness[J]. Information and Computer Security, 2019,27(2):273-291. doi: 10.1108/ICS-09-2018-0110 URL

操作系统	Office版本	架构
Windows 7	Office2003	X86
Windows 7	Office2007	X86
Windows 7	Office2010	X86
Windows 7	Office2013	X64
Ubuntu 16.04	Libreoffice	X64
CentOS 7	Libreoffice	X64

操作方式	操作行为	API
File	读文件	NtOpenFile
	创建文件	NtCreateFile
	查询文件	NtQueryDirectoryFile
Registry	打开注册表	NtOpenKeyEx
Registry	查询注册表	NtQueryKey
Process	创建进程	NtCreaateSection
Process	打开进程	NtOpenProcess

特征	CybOX对象	属性
IP Address	IP Watchlist	Linked TTP
File Hash	File Hash Watchlist	SHA256、MD5
URL	URL Watchlist	Linked IP
File	File Watchlist	File name、File Path、File Extension

函数	功能
SITXPackage()	创建一个新的STIX格式威胁情报
Header()	为STIX格式威胁情报添加头信息
stix.indicator.Indicator()	创建一个IOC
add_object()	为IOC添加一个CybOX对象
stix.base.Entity.to_xml()	将一个STIX实例转换成XML字符串

家族名	样本数量
Win32:Agent-BARL	78
Win64:Vitro	46
Win32:Malware-gen	49
Win64:Trojan-gen	30
Patched-HO	50
Win32:Agent-KKQ	39
AutoRun-BPN	34
Win64:Evo-gen	26
Evo-gen	16
Kryptik-AZZ	18
Bluehero	12
Win64:Winnti	9
Win32:Patched-XF	6
Win32:Runouce-E	3
Win32:Patched-AKC	3
Win32:Flooder-GR	2
Win64:Adware-gen	4
Inject-AII	3