In its current iteration, BiG2-KAMAS bases its visualization on sequential traces of Windows kernel operations amounting to benign and malicious application behavior in the context of OS and user-initiated processes. These events are typically abstractions of raw system and API calls that yield information about the general behavior of an unknown application sample or resident process [ 8 ]. Raw calls may include wrapper functions (e.g. CreateFile) that offer a simple interface to the application programmer, or native system calls (e.g.

NtCreateFile) that represent the underlying OS or kernel support functions. In the context of BiG-KAMAS and its data providers, events are collected directly from the Windows kernel. We employ a driver-based monitoring agent [ 13 ] designed to collect and forward a number of events to a database server. This gives us unimpeded access to events depicting operations related to process and thread control, image loads, file management, registry modification, network socket interaction, and more. For example, a shell event that creates a new binary file on a system may be simply denoted as a triple explorer.exe,file-create,sample.exe.

Additional information captured in the background includes various process and thread ID information required to uniquely identify an event within a system session and to link individual events to a full sequence (trace) needed for further processing stages. Based on aforementioned traces, BiG2-KAMAS uses two distinct mechanisms to further process arbitrary kernel event sequences:

Pattern inference: Our introduced framework has been developed in concert with an event extraction system called SEQUIN [ 11 ]. SEQUIN uses grammar inference extended with statistical evaluation to automatically identify and crop relevant sequences (rules) from traces of kernel-level behavioral data for further processing and visualization. Generally speaking, grammar inference is the process of computationally assembling a formal ruleset by examining the sentences of an unknown language [ 18 ]. In the information security domain, grammar inference is primarily used for pattern recognition, computational biology, natural language processing, language design programming, data mining, and machine learning.

Grammar inference has also been proven to be a feasible approach to anomaly detection, since “algorithmic incompressibility is a necessary and sufficient condition for randomness” [ 19 ]. We use grammar inference as key component in the process of ‘compressing’ a sequential trace for extracting relevant behavioral patterns.

To achieve inference by compression in a computationally feasible way, we selected an algorithm that losslessly produces (without changes to order and immutability) a context-free grammar (CFG) in unsupervised operation. As opposed to context-sensitive grammars, languages created by a CFG can be recognized in O(n3) time, which is a relevant distinction for all future parsing efforts. The choice ultimately fell on Sequitur [ 20 ]. Sequitur is a greedy compression algorithm that creates a hierarchical structure (CFG) from a sequence of discrete symbols by recursively replacing repeated phrases with a grammatical rule. The output is a compressed representation of the original sequence. The algorithm creates this representation through the application of two base properties: rule utility and bi-gram uniqueness. Rule utility checks if a rule occurs at least twice in the grammar, while bi-gram uniqueness observes if two adjacent symbols occur only once. Assuming we have a string abcdbcabcd, where every character represents an event, the first bi-gram of that trace would be ab, followed by a second bi-gram bc, and so forth. See Table I for a complete example of the process.

Sequitur is linear in space and time. In terms of data compression, the algorithm can outperform other designs that achieve data reduction by factoring out repetition. It is almost as performant as designs that compress data based on probabilistic predictions [ 20 ].

Bi-gram extraction and scoring: In addition to rule inference, BiG2-KAMAS uses precomputed maliciousness scores of event bi-grams separately explored using a sentiment-like extraction system based on the log likelihood ratio (LLR) test [ 10 ]. An LLR test is a statistical method used test model assumptions, namely the quality of fit of a reference (null) and an alternative model. When determining the occurrence of rarely observed events – which are often at the core of malicious traces – likelihood ratio tests show significantly better results than alternatives such as x2 or z-score tests [ 21 ].

In preparation for sentiment-assisted visualization, we use the LLR method to learn likely benign and malicious event sequences in big corpora of recorded kernel operations (traces).

The resulting sentiment dictionary can be used to accurately and effectively determine if an investigated event bi-gram is contextually suspicious. Specifically, we compute the LLR score for each bi-gram to highlight collocations characteristic to sequences of malicious and benign system events [ 10 ].

The resulting occurrence counts (shown in Table II) are the basis for this calculation: Following the approach by [ 21 ], we define the number of times both event tokens occur in combination (k11), the number of times each token has been observed independently from the other (k12 and k21, depending on the relative position in the bi-gram), and the number of times the token was not present at all (k22). The same process is later applied to the pattern’s general The background of the third column of the ‘Rule Overview occurrence in a labeled benign versus malicious corpus. The Table’ indicates whether a rule is fully benign, partially final result is a normalized sentiment rating ranging from benign, not known, partially malicious or fully malicious. +1.0 (benign) to −1.0 (malicious). Unknown bi-grams are The background of the malicious rules will be painted in red ultimately scored against the resulting dictionary, the outcome and the background of the benign rules in blue. The fully of which is at the core of the bi-gram evaluation feature in the known rules will be displayed in a dark red/blue while the new BiG2-KAMAS prototype. partially known rules are highlighted in a light red/blue (see Figure 1:1b). The red color highlighting for malicious activity B. Visualization Design is adopted of the KAMAS prototype [ 3 ]. If a rule is fully

Structure: Wagner et al. [ 3 ] describe in their article that known and, therefore, highlighted in dark red, the rule is since IT-security experts are commonly familiar with pro- included as-is in the KDB. A partially known rule is only a gramming IDEs, they used the design concept of IDEs like part of one rule in the KDB. This kind of rule has at least one Eclipse or Netbeans for their prototype. The updates to the new additional call at the beginning or at the end of a fully known prototype also follow this design concept approach. In contrast rule [ 3 ]. If an input file was loaded, the system automatically to the previous prototype, the new one has an additional view. calculates the knowledge state of each rule. For this purpose, In this initial view the KDB is situated on the left side, which the system compares each rule of the input file with each can be compared to the project view in Eclipse. On the right rule of the KDB. After the calculation process the system side only the file load buttons are displayed, which can be highlights the rules in the corresponding colors in the rule compared to the initial view of Eclipse, where no project has overview table. been opened yet. Bi-Gram Visualization: The rule detail table is located

Coloring: For the rule highlighting as well as the Bi-Gram next to the rule overview table (see Figure 1:2b). The rule visualization we selected a sequential color scheme from red detail table automatically updates its content when clicking to blue. Red indicates that the rule or bi-gram is malicious on a rule in the rule overview table and represents all system and a blue one stands for a benign rule or bi-gram. To avoid and API calls included in the selected rule. From left to right, problems with red and green hues for colorblind people [22, p. the table displays the unique id as well as the name of the call. 124], we used blue instead of green and select colorblind-safe The last column visualizes the new bi-gram based valuation qualitative colors from Colorbrewer1. approach for the corresponding calls. As mentioned before,

Layout: The prototype is structured into three parts: knowl- the prototype uses the bi-gram approach of Luh et al. [ 10 ]. edge base, rule exploration area and call exploration area (see A bi-gram is an n-gram where the length of n = 2. An Figure 1). On the left side the knowledge base is visualized n-gram, in turn, is a coherent sequence of n elements. In with it’s ‘Knowledge Database (KDB)’ (see Figure 1:1a) and this approach the elements are system or API calls. Each the KDB’s color highlighting filters (see Figure 1:1b). The bi-gram has a score in the range [ -1, 1 ], which indicates KDB is displayed as a tree, in which each category of the whether this pair of calls is malicious or benign. For bidatabase can have several subcategories. Each category with gram based valuation, two different visualization approaches subcategories is shown with a box icon (see Figure 1:1a) were implemented following a semantic zooming approach: and the ones without subcategories are displayed with folder First, if the width of the bi-gram column is bigger than 75px, icons. Each rule, which is stored in the database, is displayed the prototype visualizes the bi-gram values as bar charts (see with a paper icon. Beneath the KDB the ‘Knowledge Base Figure 2:a), whereby each bar starts in the middle of the biHighlighting’ filters are displayed (see Figure 1:1b). Each filter gram column. If the bi-gram score is between 0 and -1, the can be activated or disabled with its checkbox and updates the bi-gram is malicious. Therefore, the red color bar chart unfurls result of the prototypes filter pipeline and visualization of the from the middle towards the left side. If the bi-gram score is ‘Rule Overview Table’ (see Figure 1:2a). between 0 and 1 the bi-gram is benign and the bar chart is

After loading and translating the input file, the system visualized from the middle to the right side in a blue color. The updates the ‘Graphical User Interface’ (GUI) and visualizes colors correspond to the KDB highlighting. The visualization new elements. In the middle the ‘Rule Exploration’ area (see approach was chosen to give the user a quick but still precise Figure 1:2) is visualized, while the right side contains the ‘Call overview of the bi-gram based scores. Exploration’ area (see Figure 1:3). If the width of the bi-gram column is smaller than 75px and

In the ‘Call Exploration’ area all the included system or API therefore the bar charts are hardly recognizable, the system calls of the loaded input file are represented in the call table switches to the second visualization. Here, the bi-gram values (see Figure 1:2b) as described by Wagner et al. [ 3 ]. The rules are visualized as a color-filled rectangle (see Figure 2:b). included in the input file are visualized in the rule overview As before, a red colored rectangle indicates that the bi-gram table located in the ‘Rule Exploration’ area (see Figure 1:2a). is malicious and a blue one stands for a benign bi-gram. If the user loads several trace files, each trace file will be To visualize the value of the malicious or benign bi-gram, displayed as one rule. the system changes the alpha value of the displayed color.

Therefore, the darker the color, the higher the respective value. 1http://colorbrewer2.org Since the difference of an alpha value between 255 and 240 is data of these files. Contrary to a loaded Sequitur file, each entry of the rule overview table represents an entire trace file.

Thus, if the user loads three traces the rule overview table will have only three rows. Furthermore, due to the fact that the user analyses several independent trace files the histogram for the rule occurrence is insignificant. Therefore, only one histogram for the trace length will be displayed in the rule filter area.

Rearrange: If the rule overview table and the call overview table are loaded with data, the user can rearrange their content by clicking on a table’s column. This will re-sort the included data and update the visualization [ 3 ]. The content of the rule detail table cannot be rearranged since the calls are shown in their sequential order and should therefore not be changeable.

Fig. 2. The two different visualisations methods of the call bi-grams. The Filter: In the next step the user can reduce the number of first method visualises the bi-grams as bar charts (a), whereas the second rules or trace files by using the rule/trace and call filters [ 3 ]. visualisation uses the alpha channel to show the severity of the bi-gram (b). No matter which files were loaded, the user always has the opportunity to filter the rules or traces by the included calls not easy to recognize and every value below 100 is generally (events). The user can rearrange the call filters or select a difficult to see, we decided to implement only four graduation specific call in the call overview table to reduce the number of steps for the alpha value. The visualization with the alpha shown rules [ 3 ]. Furthermore, the analyst can filter the rules or value is less precise than the visualization with the bar charts specific traces by using the filters in the rule exploration area. but, at the same time, significantly easier to interpret. Table III If loading a Sequitur file, the analyst can filter the rules by their shows the different graduation steps and their value ranges. occurrence, length, whether they are equally distributed in the input file or if they match, partially match, or don’t match the

TABLE III stored rules in the KDB [ 3 ]. By changing the filter settings, the COLOUR GRADUATION STEPS FOR THE ALPHA VALUE BI-GRAM included rules in the rule overview table automatically update

VISUALISATION. immediately. If one or more trace files were loaded, the analyst Colour Alpha value Value ranges can only filter the shown traces in the rule overview table by 200 >= 0.75 their length. In addition, the highlighting and filtering of the

KDB is switched off. 150 >= 0.5 && <0.75 Details-on-Demand: If the user wants to analyze a rule or 100 >= 0.25 && <0.5 trace, he/she can open the rule/trace in the rule detail table 50 >= 0 && <0.25 by selecting it in the rule overview table. This will display

all the included calls in the rule detail table in their sequential 50 <0 && <= -0.25 order [ 3 ]. The bi-grams provide information whether a combi100 <-0.25 && <= -0.5 nation of two calls is malicious or benign. This should support 150 <-0.5 && <= -0.75 the user in finding interesting call sequences more quickly. 200 <-0.75 Extract: Independent of the loaded files the analyst can add a new rule to the database using two different ways.

One method is to simply select one rule or trace in the rule C. Interaction overview table and simply drag and drop it in one leaf category

Like the KAMAS prototype of Wagner et al. [ 3 ], the BiG2- of the KDB. This will add the entire rule or trace file to the KAMAS’s functionality will be described in accordance to database [ 3 ]. Alternatively, the analyst can select several calls the four steps of the visual information seeking mantra of of interest in the call overview table and add these by dragging Shneiderman et al. [ 23 ], namely overview, rearrange and filter, and dropping them to the KDB. When adding a new rule to details-on-demand and, extract. the KDB, a popup window will show up where the analyst

Overview: The BiG2-Kamas prototype has an additional can assign the rule a specific name. If the user has loaded a initial view where the user can decide whether to load a Sequitur file, the system will now update the knowledge state Sequitur input file or several raw trace files. When the analyst for all rules as well as the highlighting in the rule overview loads a Sequitur file, the rule and call tables will be filled with table for further analysis. the rule and call data included in the input file. Each entry in the rule overview table represents one rule of the loaded D. Implementation cluster. Furthermore, the histograms in the rule exploration Since the BiG2-KAMAS prototype is based on the protoarea give a quick impression of the distribution in the rule type of Wagner et al. [ 3 ], it also uses a data-oriented design occurrence and length [ 3 ]. When the user loads one or more concept [ 24 ]. To increase the performance of the prototype, trace files the rule and call tables will also be filled with the the system only works with integer comparisons. Therefore, the input data only includes the call ids. It is only possible to • Rule Name: Here, the actual rule name is displayed. The translate a call id to the actual call value with an additional rule name is implemented as a text field to quickly change translation file. This translation file is also used for the bi- it if necessary. grams. The original bi-gram file has several columns in which • Included Calls: Finally, the calls included in the stored only the string values of the system or API calls are stored. rule are displayed in a table. Thus, the calls are visualized To increase the performance and to reduce memory usage, the in their sequential order and each call will be shown with BiG2-KAMAS prototype generates its own bi-gram file. When its unique call id which corresponds to the call id of the starting the prototype the system checks with md5 hash values translation file and the actual call value. In the current to determine whether the translation file or the original bi-gram version of the prototype it is only possible to investigate file has changed. If so, the system converts the original bi-gram the included calls in their sequential order, but not to file to the translated bi-gram file in which also the integer delete specific calls which are listed in the table. values of the system calls are stored. Like the prototype of The second menu item is the “delete’ item, which allows Wagner et al. [ 3 ] the new prototype is using the action pipeline the analyst to delete the currently selected rule. Furthermore, for filter options. This enables dynamic query environments when selecting a concept instead of a rule, the BiG2-Kamas and real-time data operations. prototype will show a context menu with which the user

To evaluate the robustness and performance of the BiG2- can disable a category and all its integrated subcategories. KAMAS prototype three different Sequitur cluster-grammar Thus, the analyst can disable the entire KDB or only specific files containing between 10 and 500 rules were used. The file categories. If the user disables a category all the included with 500 different rules contained a total amount of 30,000 rules will no longer be considered in the knowledge base system and API calls. To test the bi-gram functionality, a bi- highlighting and filtering. gram file with nearly 117,500 bi-gram entries was loaded. On When the user clicks the right mouse button to open a machine with an 2.1GHZ Dual-Core processor and 12GB the corresponding context menu before selecting a rule or of memory it took the system about four minutes to translate category, the system automatically selects the rule/category at the original bi-gram file to the translated bi-gram file. The the actual mouse position. malware and bi-gram samples were collected by collaborators Searching: If the user searches for interesting rules or in the Josef Ressel Center TARGET of St. P o¨lten UAS. specific calls or call groups he/she can use the call filter options to reduce the data to be analyzed. In the call exploration area, IV. EXTERNALIZED KNOWLEDGE INTEGRATION the user can search for a specific call by entering its name or use regular expressions to find an entire call group. Beneath the search text field the user can enable case sensitive search with the corresponding checkbox ’Case Sensitive’. Filtering or searching the calls affects the data shown in the call overview and rule overview table. Additionally, to find rules of interest the analyst can use the rule exploration filters or the knowledge base filters.

Both participants had no difficulties with loading the three trace files. They also recognized quickly that each entry in the rule overview table now represents one trace. Neither of them realized that the knowledge base filters and highlighting were disabled. Participant 1 suggested to gray out the knowledge base filters to make it clear that these are disabled. Participant 2 proposed to change the headings for the trace file analysis view in order to avoid confusion. He remarked that it could be misleading if the headings say e.g. ‘Rule Overview Table’ when analyzing a trace file. Furthermore, both participants recommended to change the occurrence column in the rule overview table to the file names of the traces. As the last task, the participants had to change the corresponding category of a random rule. Even if both participants solved this task easily, both remarked that it would be useful if the user could move a rule from one category to another per drag & drop.

Both participants quickly recognized the additional color scheme for the new benign category. The colors for the knowledge base highlighting were assessed as easily understandable and the additional rule counter next to the knowledge base filters were mentioned as being very useful. Participant 1 mentioned that if a rule in the rule overview table is highlighted, it would be useful to know which rule or rules of the KDB match this rule in the table. Therefore, a tooltip would be helpful which tells the user the names of the matching rules of the KDB. Furthermore, participant 2 suggested to always show the rule counter of the KDB’s categories. If there are currently no rules in a category, the counter should be zero.

When participant 2 first saw the bar chart bi-gram visualization, he assumed it visualizes the occurrence of the combined call sequence. In contrast, the alpha color visualization was immediately recognized as an indicator for maliciousness or benignity. Participant 1 also mentioned that the alpha color visualization is easier and faster to recognize. Furthermore, both participants mentioned that the color visualization is not as precise as the bar chart visualization and therefore would only be useful for initial malware classification. Participant 1 suggested an additional tooltip to display the accurate bi-gram value. Participant 2 remarked that it would be more useful if the calls in the call overview table only showed the beginning and the end of the call’s value. This would simplify finding

Description KDB: Move a rule to another category by using drag & drop.

KDB: Show the rule counter even if zero rules are included.

KDB: Gray out the knowledge base filters if they are disabled.

Tables: Highlighted rules in the rule overview table should show the KDB’s corresponding rules.

Tables: Change the occurrence column to the trace file names.

Tables: Show only the begin and the end of the calls in the call overview table.

Tables: Implement a search button for the call regex search.

Bigram: Tooltip to show the bi-gram values.

Headings: Change the headings when loading trace files. 2 1 2 3 2 3 1

the bi-gram approach of Luh et al, [ 10 ] the prototype’s rule detail table was adopted. Since many domain experts mentioned [ 3 ] that the arc-diagram visualization is not very helpful, it was replaced by the bi-gram visualization. Bi-gram based valuation is implemented with two different approaches. If the width of the bi-gram column is bigger than 75px the valuation is visualized with bar charts and colored in red (malicious) or blue (benign). If the width is less than 75px the bi-gram visualization uses the alpha channel to show the severity of the bi-gram (see Table III).

the user studies show further feature requests which could be implemented in a future project. However, both participants mentioned that the bi-gram visualization is very helpful for identifying potentially malicious or benign call sequences and, therefore, helps to decide whether a rule is malicious or not.

Future Work: For the behavior-based malware analysis process, it could be valuable to implement a rule creation process where the analyst can build their own rules based on the known system and API calls [ 27 ]. Furthermore, it could be beneficial to edit the stored rules in the KDB or to build new rules based on existing patterns. Further avenues for future work are to include possibilities to hide, shrink an expand areas to provide the user with more flexibility. Moreover, to update the occurrence column of the Call Exploration area (see 1:3a) to show the relation to the total number of occurrences included in the loaded file. Additionally, normalizing the occurrence dataset and visualization to this total could be beneficial.

Categorization of BiG2-KAMAS: Like the KAMAS prototype [ 3 ] the BiG2-KAMAS prototype can be categorized as a Malware Forensic as well as a Malware Classification tool in the Malware Visualization Taxonomy of Wagner et al. [ 8 ]. However, due to the bi-gram based valuation the BiG2KAMAS prototype offers the malware analyst an additional assistance for the Individual Malware Analysis.