In the last decade, a new class of cyber-threats known as “Advanced Persistent Threat” (APT) has emerged; the term refers to various organizations performing dangerous and effective attacks against financial and political entities, critical infrastructures, etc. In order to identify APT-related malware early, a semi-automatic approach to malware sample analysis is needed. Recently, a malware triage step for a semi-automatic malware analysis architecture has been introduced. This step has the duty to identify incoming APT samples early, among all the malware delivered per day in cyber-space, and to immediately dispatch them to deeper analysis. In that paper, the authors built the knowledge base on known APTs obtained from publicly available reports. For efficiency reasons, they rely on static malware features, extracted with negligible delay, and use machine learning techniques for the identification. Unfortunately, the proposed solution has the disadvantage of requiring a long training time and needs to be completely retrained each time new APT samples, or even a new APT class, are discovered. In this paper, we move from multi-class classification to a group of one-class classifiers, which significantly decreases runtime and allows higher modularity, while still guaranteeing precision and accuracy over 90%.
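The modularity argument above, as an added illustration that is not the paper's code: one one-class model per known APT group, so adding a group trains a single new model and leaves the others untouched. The centroid/distance learner and the three-dimensional feature vectors are constructed stand-ins for the paper's actual static features and learners.

```python
# Added example (not the paper's code): one one-class model per known APT group,
# so a new group means training one new model while the others stay untouched.
# The centroid/distance learner and the feature vectors are constructed stand-ins
# for the paper's static features and machine-learning models.
from math import sqrt
from statistics import mean, pstdev

class OneClassModel:
    """Hypothetical one-class learner: centroid of the group's training vectors
    plus an acceptance radius of mean training distance + k * std deviation."""
    def __init__(self, k=2.0):
        self.k = k

    def fit(self, vectors):
        dims = len(vectors[0])
        self.centroid = [mean(v[i] for v in vectors) for i in range(dims)]
        dists = [self._dist(v) for v in vectors]
        self.threshold = mean(dists) + self.k * pstdev(dists)
        return self

    def _dist(self, v):
        return sqrt(sum((a - b) ** 2 for a, b in zip(v, self.centroid)))

    def accepts(self, v):
        return self._dist(v) <= self.threshold

class TriageEnsemble:
    """Group of one-class models; a sample is APT-related if any model accepts it."""
    def __init__(self):
        self.models = {}

    def add_group(self, name, vectors):
        # Only the new group's model is trained; existing models are not touched.
        self.models[name] = OneClassModel().fit(vectors)

    def triage(self, v):
        # Names of APT groups whose model accepts v; [] means no deep-analysis dispatch.
        return [name for name, m in self.models.items() if m.accepts(v)]

# Constructed static feature vectors: (PE sections, imported functions, entropy).
APT_A = [(5, 12, 6.1), (5, 13, 6.0), (6, 12, 6.2), (5, 11, 6.1)]
APT_B = [(9, 30, 7.5), (9, 31, 7.4), (10, 30, 7.6), (9, 29, 7.5)]

ensemble = TriageEnsemble()
ensemble.add_group("APT_A", APT_A)
ensemble.add_group("APT_B", APT_B)
for sample in [(5, 12, 6.0), (9, 30, 7.4), (3, 40, 7.9)]:
    print(sample, "->", ensemble.triage(sample) or "not APT-related")
```

A real deployment would replace the centroid rule with a proper one-class learner and the tuple with the extracted static feature vector; the dispatch logic stays the same.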
2020, DIGITAL THREATS, Pages -
Malware triage for early identification of Advanced Persistent Threat activities (01a Journal article)
Laurenza Giuseppe, Lazzeretti Riccardo, Mazzotti Luca
Research group: Cybersecurity