Deep Learning for Classification of Malware System Call Sequences

Kolosnjaji, Bojan; Zarras, Apostolis; Webster, George D.; Eckert, Claudia

doi:10.1007/978-3-319-50127-7_11

Cited by 332 publications

(199 citation statements)

References 19 publications

Supporting

Mentioning

198

Contrasting

Order By: Relevance

“…These neural models respond aptly to the criticality of our problem. The model which combines a CNN followed by an LSTM proposed by Kolosnjaji, et al [21] performed better than DSL in terms of average accuracy, but had a significantly lower performance in TPR@1% and the best case ROC curve. Our experiments with AOLL display comparable performance to LAMP [25,2], highlighting the ability of end-to-end models to identify optimal gradient flow even when using multiple loss functions, but also signifying the effectiveness of a single loss function optimizing the entire model end-to-end.…”

Section: Experiments and Resultsmentioning

confidence: 99%

Robust Neural Malware Detection Models for Emulation Sequence Learning

Agrawal

Stokes

Marinescu

et al. 2018

MILCOM 2018 - 2018 IEEE Military Communications Conference (MILCOM)

View full text Add to dashboard Cite

Malicious software, or malware, presents a continuously evolving challenge in computer security. These embedded snippets of code in the form of malicious files or hidden within legitimate files cause a major risk to systems with their ability to run malicious command sequences. Malware authors even use polymorphism to reorder these commands and create several malicious variations. However, if executed in a secure environment, one can perform early malware detection on emulated command sequences. The models presented in this paper leverage this sequential data derived via emulation in order to perform Neural Malware Detection. These models target the core of the malicious operation by learning the presence and pattern of co-occurrence of malicious event actions from within these sequences. Our models can capture entire event sequences and be trained directly using the known target labels. These end-to-end learning models are powered by two commonly used structures -Long Short-Term Memory (LSTM) Networks and Convolutional Neural Networks (CNNs). Previously proposed sequential malware classification models process no more than 200 events. Attackers can evade detection by delaying any malicious activity beyond the beginning of the file. We present specialized models that can handle extremely long sequences while successfully performing malware detection in an efficient way. We present an implementation of the Convoluted Partitioning of Long Sequences approach in order to tackle this vulnerability and operate on long sequences. We present our results on a large dataset consisting of 634,249 file sequences, with extremely long file sequences.Machine learning models can be trained to learn both the presence and sequential occurrence of events leading to malicious actions. Neural networks for sequential learning like Long Short-Term Memory or LSTM [18,12] recurrent neural networks excel at tasks of learning sequences with a fixed vocabulary. They have shown exemplary results over the past few years in primary sequential learning domains like speech [14] and natural language modeling and translation [4,31]. Besides these, LSTMs have shown significant success in a much broader range of sequential problems as well. Pointer Networks [33], Neural Turing Machines and Differentiable Neural Computers [16,15], have demonstrated the ability of LSTMs to be used for far more complex tasks when augmented with attention [35] and memory [34].AI-based learning models for malware detection, therefore, can be constructed with the help of LSTMs when event sequences are available. Use of language models with Recurrent Neural Networks (RNNs) has been demonstrated by [25,2] on malware detection tasks. The two primary objectives in such problems are event presence detection and sequential occurrence binding. LSTMs, in particular, are excellent operators for sequential occurrence, and hence lead to significantly improved results in the process. Presence detection, while done efficiently by RNNs and LSTMs, is a specialty of the Convolutional Neu...

show abstract

Section: Experiments and Resultsmentioning

confidence: 99%

Robust Neural Malware Detection Models for Emulation Sequence Learning

Agrawal

Stokes

Marinescu

et al. 2018

MILCOM 2018 - 2018 IEEE Military Communications Conference (MILCOM)

View full text Add to dashboard Cite

show abstract

“…Hierarchical clustering methodologies have been proposed for malware clustering especially where the number of centroid is unknown. Kolosnjaji uses cosine distance and DBSCAN to detect regions of high similarities. Other hierarchical clustering such as Agglomerative Clustering is also used for clustering malware according to its family with the help of activity tree.…”

Section: Related Workmentioning

confidence: 99%

“…In the recent development, Deep learning such as autoencoder has grown in popularity among the machine learning arena. Researchers such as Kolosnjaji et al uses convolutional and recurrent network to obtain the best feature set. AE provides a good solution to the clustering problem .…”

Section: Related Workmentioning

confidence: 99%

Static malware clustering using enhanced deep embedding method

Jiang

Zhang

et al. 2019

Concurrency and Computation

View full text Add to dashboard Cite

Summary Malware refers to any software, programs, or files that are intentionally utilised to compromise the system and cause unexpected losses to end‐users such as economical losses or privacy breaches. The rapid growth of malware makes it impossible to keep up with its progress merely via human interventions or manual analysis. One of the challenges for the human‐oriented approaches is they will cause backlog and inability to keep up with the development traces of the malware. Hence, an efficient method is needed urgently to analyse effectively and identify accurately the malware in their domain. Malware clustering has been extensively studied in the machine learning area with regards to distance functions, grouping algorithm and cluster validation. A large number of research studies have been done via behavioral analysis for clustering to achieve high performance of malware detections. However, there is a trade‐off for better detection performance between behaviorial approaches and high computational forces. Up to date, little work focuses on the deep learning representations for malware clustering. Therefore, in this paper, we propose an enhanced deep embedded clustering method to facilitate an effective and efficient malware clustering process. The new method takes advantage of linear dimensionality reduction and a customised deep neural network to learn malware representations in an orthogonal space and performs cluster assignments. Our experimental results demonstrate that the proposed clustering model outperforms the traditional K‐means method with regards to the enhanced features using various auto‐encoder, pre‐trained weight and principle component analysis (PCA).

show abstract

“…There has recently been some work on deep learning based malware classification which does not require feature engineering. However, existing deep learning approaches do not leverage the information from already-available dynamic analysis systems, instead tending to pick one type of dynamic feature [14] or use static features [6]. These solutions miss out on the complete information concerning what actions are taken by each sample.…”

Section: Introductionmentioning

confidence: 99%

Neurlux

Jindal

Salls

Aghakhani

et al. 2019

Proceedings of the 35th Annual Computer Security Applications Conference

View full text Add to dashboard Cite

Malware detection plays a vital role in computer security. Modern machine learning approaches have been centered around domain knowledge for extracting malicious features. However, many potential features can be used, and it is time consuming and difficult to manually identify the best features, especially given the diverse nature of malware.In this paper, we propose Neurlux, a neural network for malware detection. Neurlux does not rely on any feature engineering, rather it learns automatically from dynamic analysis reports that detail behavioral information. Our model borrows ideas from the field of document classification, using word sequences present in the reports to predict if a report is from a malicious binary or not. We investigate the learned features of our model and show which components of the reports it tends to give the highest importance. Then, we evaluate our approach on two different datasets and report formats, showing that Neurlux improves on the state of the art and can effectively learn from the dynamic analysis reports. Furthermore, we show that our approach is portable to other malware analysis environments and generalizes to different datasets. CCS CONCEPTS• Security and privacy → Software and application security; • Computing methodologies → Neural networks.

show abstract

Deep Learning for Classification of Malware System Call Sequences

Cited by 332 publications

References 19 publications

Robust Neural Malware Detection Models for Emulation Sequence Learning

Robust Neural Malware Detection Models for Emulation Sequence Learning

Static malware clustering using enhanced deep embedding method

Neurlux

Contact Info

Product

Resources

About