Leveraging String Kernels for Malware Detection

Pfoh, Jonas; Schneider, Christian; Eckert, Claudia

doi:10.1007/978-3-642-38631-2_16

Cited by 17 publications

(7 citation statements)

References 8 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…The literature is full of ML-based approaches applied to dynamic analysis traces. For instance, classic machine learning models [16], [77], such as Markov chain and Support Vector Machines, were applied on sequences of system calls derived from dynamic analysis to capture sequential patterns of successively executed system calls. Pascanu et al [73], inspired by text classification research, proposed the use of recurrent neural networks, such as Long Short-Term Memory (LSTM) [42] and Gated Recurrent Units (GRU) [27] for modeling system call sequences.…”

Section: A Classifiermentioning

confidence: 99%

Does Every Second Count? Time-based Evolution of Malware Behavior in Sandboxes

Alexander¹,

Mantovani²,

Han

et al. 2021

Proceedings 2021 Network and Distributed System Security Symposium

View full text Add to dashboard Cite

The amount of time in which a sample is executed is one of the key parameters of a malware analysis sandbox. Setting the threshold too high hinders the scalability and reduces the number of samples that can be analyzed in a day; too low and the samples may not have the time to show their malicious behavior, thus reducing the amount and quality of the collected data. Therefore, an analyst needs to find the 'sweet spot' that allows to collect only the minimum amount of information required to properly classify each sample. Anything more is wasting resources, anything less is jeopardizing the experiments. Despite its importance, there are no clear guidelines on how to choose this parameter, nor experiments that can help companies to assess the pros and cons of a choice over another. To fill this gap, in this paper we provide the first large-scale study of the impact that the execution time has on both the amount and the quality of the collected events. We measure the evolution of system calls and code coverage, to draw a precise picture of the fraction of runtime behavior we can expect to observe in a sandbox. Finally, we implemented a machine learning based malware detection method, and applied it to the data collected in different time windows, to also report on the relevance of the events observed at different points in time. Our results show that most samples run for either less than two minutes or for more than ten. However, most of the behavior (and 98% of the executed basic blocks) are observed during the first two minutes of execution, which is also the time windows that result in a higher accuracy of our ML classifier. We believe this information can help future researchers and industrial sandboxes to better tune their analysis systems.

show abstract

Section: A Classifiermentioning

confidence: 99%

Does Every Second Count? Time-based Evolution of Malware Behavior in Sandboxes

Alexander¹,

Mantovani²,

Han

et al. 2021

Proceedings 2021 Network and Distributed System Security Symposium

View full text Add to dashboard Cite

show abstract

“…Exploration of using machine learning in this space has witnessed the use of both traditional and deep learning models. Support Vector Machines (SVM) have been incorporated into this task by [26]. Hidden Markov Models have been explored by [3].…”

Section: Related Workmentioning

confidence: 99%

Robust Neural Malware Detection Models for Emulation Sequence Learning

Agrawal

Stokes

Marinescu

et al. 2018

MILCOM 2018 - 2018 IEEE Military Communications Conference (MILCOM)

View full text Add to dashboard Cite

Malicious software, or malware, presents a continuously evolving challenge in computer security. These embedded snippets of code in the form of malicious files or hidden within legitimate files cause a major risk to systems with their ability to run malicious command sequences. Malware authors even use polymorphism to reorder these commands and create several malicious variations. However, if executed in a secure environment, one can perform early malware detection on emulated command sequences. The models presented in this paper leverage this sequential data derived via emulation in order to perform Neural Malware Detection. These models target the core of the malicious operation by learning the presence and pattern of co-occurrence of malicious event actions from within these sequences. Our models can capture entire event sequences and be trained directly using the known target labels. These end-to-end learning models are powered by two commonly used structures -Long Short-Term Memory (LSTM) Networks and Convolutional Neural Networks (CNNs). Previously proposed sequential malware classification models process no more than 200 events. Attackers can evade detection by delaying any malicious activity beyond the beginning of the file. We present specialized models that can handle extremely long sequences while successfully performing malware detection in an efficient way. We present an implementation of the Convoluted Partitioning of Long Sequences approach in order to tackle this vulnerability and operate on long sequences. We present our results on a large dataset consisting of 634,249 file sequences, with extremely long file sequences.Machine learning models can be trained to learn both the presence and sequential occurrence of events leading to malicious actions. Neural networks for sequential learning like Long Short-Term Memory or LSTM [18,12] recurrent neural networks excel at tasks of learning sequences with a fixed vocabulary. They have shown exemplary results over the past few years in primary sequential learning domains like speech [14] and natural language modeling and translation [4,31]. Besides these, LSTMs have shown significant success in a much broader range of sequential problems as well. Pointer Networks [33], Neural Turing Machines and Differentiable Neural Computers [16,15], have demonstrated the ability of LSTMs to be used for far more complex tasks when augmented with attention [35] and memory [34].AI-based learning models for malware detection, therefore, can be constructed with the help of LSTMs when event sequences are available. Use of language models with Recurrent Neural Networks (RNNs) has been demonstrated by [25,2] on malware detection tasks. The two primary objectives in such problems are event presence detection and sequential occurrence binding. LSTMs, in particular, are excellent operators for sequential occurrence, and hence lead to significantly improved results in the process. Presence detection, while done efficiently by RNNs and LSTMs, is a specialty of the Convolutional Neu...

show abstract

“…Classifier Used for Malware Detection There is a large body of work regarding behavior-based malware detection approaches [2,12,13,9]. In this work we use the insights given by Canali et al [2], which indicate that simple ngram approaches perform poorly with respect to variations in syscall logs.…”

Section: Effectiveness Evaluationmentioning

confidence: 99%

“…In this work we use the insights given by Canali et al [2], which indicate that simple ngram approaches perform poorly with respect to variations in syscall logs. Therefore we chose to use support vector machines (SVMs) for our evaluation, which is a more advanced classifier, often employed by state of the art malware detection approaches [12,13,9]. SVMs can only process numerical feature vectors.…”

Section: Effectiveness Evaluationmentioning

confidence: 99%

A framework for empirical evaluation of malware detection resilience against behavior obfuscation

Bănescu

Wüchner

Salem

et al. 2015

2015 10th International Conference on Malicious and Unwanted Software (MALWARE)

View full text Add to dashboard Cite

Program obfuscation is increasingly popular among malware creators. Objectively comparing different malware detection approaches with respect to their resilience against obfuscation is challenging. To the best of our knowledge, there is no common empirical framework for evaluating the resilience of malware detection approaches w.r.t. behavior obfuscation. We propose and implement such a framework, called FEEBO that obfuscates the observable behavior of malware binaries targeting Microsoft Windows operating systems. To assess the framework's utility, we use it to obfuscate known malware binaries and then investigate the impact on detection effectiveness of different popular behavior based malware detection approaches. We find that the obfuscation transformations employed by FEEBO can affect the accuracy of such detection approaches significantly. FEEBO is therefore an effective and fair way to test the degree of resilience of behavior-based malware detection approaches against behavior obfuscation.

show abstract

Leveraging String Kernels for Malware Detection

Cited by 17 publications

References 8 publications

Does Every Second Count? Time-based Evolution of Malware Behavior in Sandboxes

Does Every Second Count? Time-based Evolution of Malware Behavior in Sandboxes

Robust Neural Malware Detection Models for Emulation Sequence Learning

A framework for empirical evaluation of malware detection resilience against behavior obfuscation

Contact Info

Product

Resources

About