Prison: Tracking Process Interactions to Contain Malware

Caillat, Benjamin; Gilbert, Bob; Kemmerer, Richard A.; Kruegel, Christopher; Vigna, Giovanni

doi:10.1109/hpcc-css-icess.2015.297

Cited by 4 publications

(1 citation statement)

References 5 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…System-wide frequency feature vector As we mentioned before, our learning models make use of system calls from all processes running in the system. Our hypothesis is that such holistic (opposite to process-specific) approach will prove more effective for malware detection than current approaches, since modern malware perform interactions among multi-ple processes in the system to accomplish malicious behaviors [43], [44]. System-wide information helps the models learn the interactions among all processes running on the system.…”

Section: ) Reconstruction Modulementioning

confidence: 99%

Learning Fast and Slow: PROPEDEUTICA for Real-time Malware Detection

Sun¹,

Yuan²,

He³

et al. 2017

Preprint

View full text Add to dashboard Cite

In this paper, we introduce and evaluate PROPEDEUTICA 1 , a novel methodology and framework for efficient and effective real-time malware detection, leveraging the best of conventional machine learning (ML) and deep learning (DL) algorithms.In PROPEDEUTICA, all software processes in the system start execution subjected to a conventional ML detector for fast classification. If a piece of software receives a borderline classification, it is subjected to further analysis via more performance expensive and more accurate DL methods, via our newly proposed DL algorithm DEEPMALWARE. Further, in an exploratory fashion, we introduce delays to the execution of software subjected to DEEPMALWARE as a way to "buy time" for DL analysis and to rate-limit the impact of possible malware in the system.We evaluated PROPEDEUTICA with a set of 9,115 malware samples and 877 commonly used benign software samples from various categories for the Windows OS. Our results show that the false positive rate for conventional ML methods can reach 20%, and for modern DL methods it is usually below 6%. However, the classification time for DL can be 100X longer than conventional ML methods. PROPEDEUTICA improved the detection F1-score from 77.54% (conventional ML method) to 90.25% (16.39% increase), and reduced the detection time by 54.86%. Further, the percentage of software subjected to DL analysis was approximately 40% on average. Further, the application of delays in software subjected to ML reduced the detection time by approximately 10%. Finally, we found and discussed a discrepancy between the detection accuracy offline (analysis after all traces are collected) and on-the-fly (analysis in tandem with trace collection). Conventional ML experienced a decrease of 13% in accuracy when executed offline (89.05%) compared to online (77.54%) with the same traces.Our insights show that conventional ML and modern DLbased malware detectors in isolation cannot meet the needs of efficient and effective malware detection: high accuracy, low false positive rate, and short classification time.

show abstract

Section: ) Reconstruction Modulementioning

confidence: 99%