LAB to SOC: Robust Features for Dynamic Malware Detection

Rhode, Matilda; Tuson, Lewis; Burnap, Pete; Jones, Kevin

doi:10.1109/dsn-industry.2019.00010

Cited by 11 publications

(10 citation statements)

References 36 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Another set of experiments were conducted to select the base classifier. The commonly used classifiers in the existing related works were implemented in this study for the comparison which are Support Vector Machine (SVM) [44], Naïve Bayes (NB) [45], Logistic Regression [46], Random Forest (RF) [47], XGBoost [9] and Deep Learning (DL). These classifiers were trained based on the dataset denoted by DS1 in Table 1.…”

Section: Figure 4 Comparison Of Feature Selection Techniquesmentioning

confidence: 99%

An Adaptive Behavioral-Based Incremental Batch Learning Malware Variants Detection Model Using Concept Drift Detection and Sequential Deep Learning

et al. 2021

View full text Add to dashboard Cite

Malware variants are the major emerging threats that face cybersecurity due to the potential damage to computer systems. Many solutions have been proposed for detecting malware variants. However, accurate detection is challenging due to the constantly evolving nature of the malware variants that cause concept drift. Existing malware detection solutions assume that the mapping learned from historical malware features will be valid for new and future malware. The relationship between input features and the class label has been considered stationary, which doesn't hold for the ever-evolving nature of malware variants. Malware features change dynamically due to code obfuscations, mutations, and the modification made by malware authors to change the features' distribution and thus evade the detection rendering the detection model obsolete and ineffective. This study presents an Adaptive behavioral-based Incremental Batch Learning Malware Variants Detection model using concept drift detection and sequential deep learning (AIBL-MVD) to accommodate the new malware variants. Malware behavior were extracted using dynamic analysis by running the malware files in a sandbox environment and collecting their Application Programming Interface (API) traces. According to the malware first-time appearance, the malware samples were sorted to capture the malware variants' change characteristics. The base classifier was then trained based on a subset of historical malware samples using a sequential deep learning model. The new malware samples were mixed with a subset of old data and gradually introduced to the learning model in an adaptive batch size incremental learning manner to address the catastrophic forgetting dilemma of the incremental learning. The statistical process control technique has been used to detect the concept drift as indication for incrementally updating the model as well as reducing the frequency of model updates. Results from extensive experiments show that the proposed model is superior in terms of detection rate and the efficiency compared with the static model, periodic retraining approaches, and the fixed batch size incremental learning approach. The model maintains an average of 99.41% detection accuracy of new and variants malware with a low updating frequency of 1.35 times per month.

show abstract

Section: Figure 4 Comparison Of Feature Selection Techniquesmentioning

confidence: 99%

An Adaptive Behavioral-Based Incremental Batch Learning Malware Variants Detection Model Using Concept Drift Detection and Sequential Deep Learning

et al. 2021

View full text Add to dashboard Cite

show abstract

“…This method has a low false-positive rate, on other hand, this method has high detection time and high complexity, which makes it unsuitable for use in modern cars. Similarly, the authors of [158], [159] proposed a dynamic malware detection approach based on analysis of API calls and permissions. Other work by Das et al [154] proposed a dynamic hardware-based method for detecting malware based on system call patterns by using processor and field-programmable gate array (FPGA).…”

Section: B Behaviour-based Malware Detectionmentioning

confidence: 99%

“…For instance, the behavior-based detection approach is insufficient for recognizing and categorizing all of a program's behaviors as malicious or benign. As a result, an abnormally high rate of false positives or false negatives may occur [144], [158]. Furthermore, complex code obfuscation and evasion techniques might simply prevent malware from being properly assessed [143].…”

Section: B Behaviour-based Malware Detectionmentioning

confidence: 99%

Vehicle Security: A Survey of Security Issues and Vulnerabilities, Malware Attacks and Defenses

et al. 2021

View full text Add to dashboard Cite

“…Other dynamic data sources include dynamic opcode sequences (e.g., Carlin et al [9] achieved 99% using a Random Forest), hardware performance counters (e.g., Sayadi [15] achieved 94% on Linux/Ubuntu malware using a decision tree), network activity and file system activity (e.g., Usman et al [16] achieved 93% using a decision tree in combination with threat intelligence feeds and these data sources), and machine activity metrics (e.g., Burnap et al [17] achieved 94% using a self-organising map). Previous work [18] demonstrated the robustness of machine activity metrics over API calls in detecting malware collected from different sources.…”

Section: Malware Detection With Static or Post-collectionmentioning

confidence: 99%

“…Despite the popularity of API calls noted in Ref. [18], due to these findings and Sun et al's [23] difficulties hooking this data in real-time, these were not considered as features to train the model.…”

Section: Featuresmentioning

confidence: 99%

Real-Time Malware Process Detection and Automated Process Killing

Rhode

Burnap

Wedgbury

2021

Security and Communication Networks

Self Cite

View full text Add to dashboard Cite

Perimeter-based detection is no longer sufficient for mitigating the threat posed by malicious software. This is evident as antivirus (AV) products are replaced by endpoint detection and response (EDR) products, the latter allowing visibility into live machine activity rather than relying on the AV to filter out malicious artefacts. This paper argues that detecting malware in real-time on an endpoint necessitates an automated response due to the rapid and destructive nature of some malware. The proposed model uses statistical filtering on top of a machine learning dynamic behavioural malware detection model in order to detect individual malicious processes on the fly and kill those which are deemed malicious. In an experiment to measure the tangible impact of this system, we find that fast-acting ransomware is prevented from corrupting 92% of files with a false positive rate of 14%. Whilst the false-positive rate currently remains too high to adopt this approach as-is, these initial results demonstrate the need for a detection model that is able to act within seconds of the malware execution beginning; a timescale that has not been addressed by previous work.

show abstract

LAB to SOC: Robust Features for Dynamic Malware Detection

Cited by 11 publications

References 36 publications

An Adaptive Behavioral-Based Incremental Batch Learning Malware Variants Detection Model Using Concept Drift Detection and Sequential Deep Learning

An Adaptive Behavioral-Based Incremental Batch Learning Malware Variants Detection Model Using Concept Drift Detection and Sequential Deep Learning

Vehicle Security: A Survey of Security Issues and Vulnerabilities, Malware Attacks and Defenses

Real-Time Malware Process Detection and Automated Process Killing

Contact Info

Product

Resources

About