Sophisticated cyber-attacks intended to earn money or steal confidential information, such as targeted attacks, have become a serious problem. Such attacks often use specially crafted malware that employs hiding techniques such as process injection. Preventing intrusion with conventional countermeasures is therefore difficult, so a countermeasure is needed that stops attackers from reaching their ultimate goal after intrusion. We propose a method for estimating process maliciousness by focusing on process behavior. In our proposal, we first use one Seq2Seq model to extract a feature vector sequence from a process behavior log. Then, we use another Seq2Seq model to estimate the process maliciousness score by classifying the obtained feature vector sequence. By applying Seq2Seq models stepwise, our proposal compresses behavioral logs and extracts abstracted behavioral features. We present an experimental evaluation using logs recorded while actual malware is executed. The results show that malicious processes are classified with a best Area Under the Curve (AUC) of 0.979 and a true positive rate (TPR) of 80% at a false positive rate (FPR) of 1%. Furthermore, an experiment using logs recorded while simulated attacks are executed shows that our proposal can detect unknown malicious processes that do not appear in the training data.
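The abstract reports two figures for the maliciousness score, ROC AUC and the TPR reachable at FPR = 1%; the second is the one that matters operationally, since a detector deployed on every process in a fleet must be judged at a low false-alarm budget. The following is an added example, not code or data from the paper, showing how both are computed from per-process scores: it sweeps the decision threshold, records the ROC operating points, integrates the curve, and picks the threshold that maximises TPR without exceeding the FPR budget. The scores and labels are constructed toy values.

```python
"""Score-level evaluation of a process-maliciousness classifier:
ROC AUC plus the TPR (and score threshold) reachable at a fixed FPR.
Added example; not the paper's code or data."""

# Constructed toy scores (higher = more malicious), not the paper's data:
# 100 benign processes spread evenly over [0.00, 0.99] and 10 malicious
# processes, most of which score above the bulk of the benign ones.
BENIGN_SCORES = [i / 100 for i in range(100)]
MALICIOUS_SCORES = [0.305, 0.555, 0.705, 0.855, 0.955,
                    0.965, 0.975, 0.985, 0.995, 1.0]
SCORES = BENIGN_SCORES + MALICIOUS_SCORES
LABELS = [0] * len(BENIGN_SCORES) + [1] * len(MALICIOUS_SCORES)


def roc_curve(scores, labels):
    """Sweep the decision threshold from +inf down through every distinct
    score and return (fpr, tpr, threshold) triples. Samples tied at one
    score cross the threshold together, so no operating point is reported
    that a real cutoff could not actually realise."""
    n_pos = sum(labels)
    n_neg = len(labels) - n_pos
    order = sorted(range(len(scores)), key=lambda i: scores[i], reverse=True)
    points = [(0.0, 0.0, float("inf"))]
    tp = fp = 0
    i = 0
    while i < len(order):
        s = scores[order[i]]
        while i < len(order) and scores[order[i]] == s:
            if labels[order[i]]:
                tp += 1
            else:
                fp += 1
            i += 1
        points.append((fp / n_neg, tp / n_pos, s))
    return points


def auc(points):
    """Trapezoidal area under the ROC curve; with no ties between classes
    this equals P[score(malicious) > score(benign)]."""
    area = 0.0
    for (x0, y0, _), (x1, y1, _) in zip(points, points[1:]):
        area += (x1 - x0) * (y0 + y1) / 2
    return area


def tpr_at_fpr(points, max_fpr):
    """Best TPR without exceeding max_fpr, and the score threshold
    (flag a process when score >= threshold) that achieves it.
    Among equal TPRs the higher threshold wins: it raises fewer alarms."""
    feasible = [(tpr, thr) for fpr, tpr, thr in points if fpr <= max_fpr]
    return max(feasible)


def evaluate(scores=SCORES, labels=LABELS, max_fpr=0.01):
    """Return the AUC and the TPR/threshold at the given FPR budget."""
    points = roc_curve(scores, labels)
    tpr, thr = tpr_at_fpr(points, max_fpr)
    return {"auc": auc(points), "tpr": tpr, "threshold": thr}


if __name__ == "__main__":
    r = evaluate()
    print(f"AUC={r['auc']:.3f}  TPR@FPR<=1%={r['tpr']:.2f}  "
          f"threshold={r['threshold']}")
```

On the toy data the AUC is a respectable 0.834 yet only 30% of the malicious processes are caught at a 1% FPR budget, which is exactly why the abstract reports TPR at a fixed FPR alongside AUC: a high AUC can hide a poor low-FPR operating point, and the threshold returned here is the number an analyst would actually deploy.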