* update 2024-10-24 06:22:17

arXiv_db/Malware/2024.md

@@ -3126,3 +3126,51 @@
 
 </details>
 
+<details>
+
+<summary>2024-10-21 18:24:01 - Explaining Provenance-Based GNN Detectors with Graph Structural Features</summary>
+
+- *Kunal Mukherjee, Joshua Wiedemeier, Tianhao Wang, Muhyun Kim, Feng Chen, Murat Kantarcioglu, Kangkook Jee*
+
+- `2306.00934v3` - [abs](http://arxiv.org/abs/2306.00934v3) - [pdf](http://arxiv.org/pdf/2306.00934v3)
+
+> The opaqueness of ML-based security models hinders their broad adoption and consequently restricts transparent security operations due to their limited verifiability and explainability. To enhance the explainability of ML-based security models, we introduce PROVEXPLAINER, a framework offering security-aware explanations by translating an ML model's decision boundary onto the interpretable feature space of a surrogate DT. Our PROVEXPLAINER framework primarily focuses on explaining security models that are built using GNNs since recent studies employ GNNs to comprehensively digest system provenance graphs for security critical tasks. PROVEXPLAINER uses graph structural features based on security domain knowledge gained from extensive data analysis, utilizing public and private system provenance datasets.   PROVEXPLAINER's interpretable feature space can be directly mapped to the system provenance problem space, making the explanations human understandable. Because the security landscape is constantly changing, PROVEXPLAINER can be easily extended with new explanatory features as they are identified in the wild. By considering prominent GNN architectures (e.g., GAT and GraphSAGE) for program classification and anomaly detection tasks, we show how PROVEXPLAINER synergizes with current SOTA GNN explainers to deliver domain-specific explanations. On malware and APT datasets, PROVEXPLAINER achieves up to 9.14% and 6.97% higher precision and recall, respectively, compared to SOTA GNN explainers. When combined with a general-purpose SOTA GNN explainer, PROVEXPLAINER shows a further improvement of 7.22% and 4.86% precision and recall over the best individual explainer.
+
+</details>
+
+<details>
+
+<summary>2024-10-22 14:55:54 - A Novel Reinforcement Learning Model for Post-Incident Malware Investigations</summary>
+
+- *Dipo Dunsin, Mohamed Chahine Ghanem, Karim Ouazzane, Vassil Vassilev*
+
+- `2410.15028v2` - [abs](http://arxiv.org/abs/2410.15028v2) - [pdf](http://arxiv.org/pdf/2410.15028v2)
+
+> This Research proposes a Novel Reinforcement Learning (RL) model to optimise malware forensics investigation during cyber incident response. It aims to improve forensic investigation efficiency by reducing false negatives and adapting current practices to evolving malware signatures. The proposed RL framework leverages techniques such as Q-learning and the Markov Decision Process (MDP) to train the system to identify malware patterns in live memory dumps, thereby automating forensic tasks. The RL model is based on a detailed malware workflow diagram that guides the analysis of malware artefacts using static and behavioural techniques as well as machine learning algorithms. Furthermore, it seeks to address challenges in the UK justice system by ensuring the accuracy of forensic evidence. We conduct testing and evaluation in controlled environments, using datasets created with Windows operating systems to simulate malware infections. The experimental results demonstrate that RL improves malware detection rates compared to conventional methods, with the RL model's performance varying depending on the complexity and learning rate of the environment. The study concludes that while RL offers promising potential for automating malware forensics, its efficacy across diverse malware types requires ongoing refinement of reward systems and feature extraction methods.
+
+</details>
+
+<details>
+
+<summary>2024-10-22 15:12:37 - AppPoet: Large Language Model based Android malware detection via multi-view prompt engineering</summary>
+
+- *Wenxiang Zhao, Juntao Wu, Zhaoyi Meng*
+
+- `2404.18816v3` - [abs](http://arxiv.org/abs/2404.18816v3) - [pdf](http://arxiv.org/pdf/2404.18816v3)
+
+> Due to the vast array of Android applications, their multifarious functions and intricate behavioral semantics, attackers can adopt various tactics to conceal their genuine attack intentions within legitimate functions. However, numerous learning-based methods suffer from a limitation in mining behavioral semantic information, thus impeding the accuracy and efficiency of Android malware detection. Besides, the majority of existing learning-based methods are weakly interpretive and fail to furnish researchers with effective and readable detection reports. Inspired by the success of the Large Language Models (LLMs) in natural language understanding, we propose AppPoet, a LLM-assisted multi-view system for Android malware detection. Firstly, AppPoet employs a static method to comprehensively collect application features and formulate various observation views. Then, using our carefully crafted multi-view prompt templates, it guides the LLM to generate function descriptions and behavioral summaries for each view, enabling deep semantic analysis of the views. Finally, we collaboratively fuse the multi-view information to efficiently and accurately detect malware through a deep neural network (DNN) classifier and then generate the human-readable diagnostic reports. Experimental results demonstrate that our method achieves a detection accuracy of 97.15% and an F1 score of 97.21%, which is superior to the baseline methods. Furthermore, the case study evaluates the effectiveness of our generated diagnostic reports.
+
+</details>
+
+<details>
+
+<summary>2024-10-22 15:48:00 - Security and RAS in the Computing Continuum</summary>
+
+- *Martí Alonso, David Andreu, Ramon Canal, Stefano Di Carlo, Odysseas Chatzopoulos, Cristiano Chenet, Juanjo Costa, Andreu Girones, Dimitris Gizopoulos, George Papadimitriou, Enric Morancho, Beatriz Otero, Alessandro Savino*
+
+- `2410.17116v1` - [abs](http://arxiv.org/abs/2410.17116v1) - [pdf](http://arxiv.org/pdf/2410.17116v1)
+
+> Security and RAS are two non-functional requirements under focus for current systems developed for the computing continuum. Due to the increased number of interconnected computer systems across the continuum, security becomes especially pervasive at all levels, from the smallest edge device to the high-performance cloud at the other end. Similarly, RAS (Reliability, Availability, and Serviceability) ensures the robustness of a system towards hardware defects. Namely, making them reliable, with high availability and design for easy service. In this paper and as a result of the Vitamin-V EU project, the authors detail the comprehensive approach to malware and hardware attack detection; as well as, the RAS features envisioned for future systems across the computing continuum.
+
+</details>
+