An ontology of suspicious software behavior

Article type: Research Article

Authors: Grégio, André^{a; *} | Bonacin, Rodrigo^{a; b} | de Marchi, Antonio Carlos^b | Nabuco, Olga Fernanda^a | de Geus, Paulo Lício^c

Affiliations: [a] Center for Information Technology Renato Archer (CTI), Campinas, São Paulo, Brazil. E-mails: [email protected], [email protected], [email protected] | [b] FACCAMP, Campo Limpo Paulista/SP, Brazil. E-mail: [email protected] | [c] University of Campinas (Unicamp), Campinas, São Paulo, Brazil. E-mail: [email protected]

Correspondence: [*] Corresponding author. E-mail: [email protected].

Note: [] Accepted by: Leo Obrst

Abstract: Malicious programs have been the main actors in complex, sophisticated attacks against nations, governments, diplomatic agencies, private institutions and people. Knowledge about malicious program behavior forms the basis for constructing more secure information systems. In this article, we introduce MBO, a Malicious Behavior Ontology that represents complex behaviors of suspicious executions, and through inference rules calculates their associated threat level for analytical proposals. We evaluate MBO using over two thousand unique known malware and 385 unique known benign software. Results highlight the representativeness of the MBO for expressing typical malicious activities.

Keywords: Security ontology, malware behavior, threat analysis

DOI: 10.3233/AO-160163

Journal: Applied Ontology, vol. 11, no. 1, pp. 29-49, 2016