Eiger: Automated IOC generation for accurate and interpretable endpoint malware detection

Yuma Kurogome, Yuto Otsuki, Yuhei Kawakoya, Makoto Iwamura, Syogo Hayashi, Tatsuya Mori, Koushik Sen

Research output: Chapter in Book/Report/Conference proceeding (Conference contribution)

2 Citations (Scopus)

Abstract

A malware signature that includes behavioral artifacts, namely an Indicator of Compromise (IOC), plays an important role in security operations such as endpoint detection and incident response. While building IOCs enables us to detect malware efficiently and perform incident analysis in a timely manner, the process has not yet been fully automated. To address this issue, there are two lines of promising approaches: regular-expression-based signature generation and machine learning. However, each approach has a limitation, in accuracy or in interpretability, respectively. In this paper, we propose EIGER, a method to generate interpretable, yet accurate, IOCs from given malware traces. The key idea of EIGER is enumerate-then-optimize: we enumerate representations of potential artifacts as candidate IOCs, and then optimize the combination of these candidates to maximize the two essential properties, accuracy and interpretability, towards the generation of reliable IOCs. Through an experiment using 162K malware samples collected over five months, we evaluated the accuracy of EIGER-generated IOCs. We achieved a high True Positive Rate (TPR) of 91.98% and a very low False Positive Rate (FPR) of 0.97%. Interestingly, EIGER achieved an FPR of less than 1% even when we used a completely different dataset. Furthermore, we evaluated the interpretability of the IOCs generated by EIGER through a user study, in which we recruited 15 professional security analysts working at a security operation center. The results allow us to conclude that our IOCs are as interpretable as manually generated ones. These results demonstrate that EIGER is practical and deployable in real-world security operations.

Original language: English
Title of host publication: Proceedings - 35th Annual Computer Security Applications Conference, ACSAC 2019
Publisher: Association for Computing Machinery
Pages: 687-701
Number of pages: 15
ISBN (Electronic): 9781450376280
DOIs
Publication status: Published - 2019 Dec 9
Event: 35th Annual Computer Security Applications Conference, ACSAC 2019 - San Juan, United States
Duration: 2019 Dec 9 to 2019 Dec 13

Publication series

Name: ACM International Conference Proceeding Series

Conference

Conference: 35th Annual Computer Security Applications Conference, ACSAC 2019
Country: United States
City: San Juan
Period: 19/12/9 to 19/12/13

Keywords

  • Classification
  • Detection
  • Indicator of Compromise
  • Malware

ASJC Scopus subject areas

  • Software
  • Human-Computer Interaction
  • Computer Vision and Pattern Recognition
  • Computer Networks and Communications
