Malware Anomaly Detection on Virtual Assistants

An, Ning; Duff, Alexander; Noorani, Mahshid; Weber, Steven; Mancoridis, Spiros

doi:10.1109/malware.2018.8659366

Cited by 6 publications

(2 citation statements)

References 14 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…System call sequences have been shown to be effective as a feature set in many architectures due to the fact that they are one of the best indicators of what is happening on a machine at runtime [10] [2]. Each process running on a machine uses system calls to request resources from the OS kernel, which means the programs running normally are likely to make similar system calls each time they run.…”

Section: Related Workmentioning

confidence: 99%

See 1 more Smart Citation

Evaluation of an Anomaly Detector for Routers using Parameterizable Malware in an IoT Ecosystem

Carter¹,

Mancoridis²

2021

Preprint

Self Cite

View full text Add to dashboard Cite

This work explores the evaluation of a machine learning anomaly detector using custom-made parameterizable malware in an Internet of Things (IoT) Ecosystem. It is assumed that the malware has infected, and resides on, the Linux router that serves other devices on the network, as depicted in Figure 1. This IoT Ecosystem was developed as a testbed to evaluate the efficacy of a behavior-based anomaly detector. The malware consists of three types of custom-made malware: ransomware, cryptominer, and keylogger, which all have exfiltration capabilities to the network. The parameterization of the malware gives the malware samples multiple degrees of freedom, specifically relating to the rate and size of data exfiltration. The anomaly detector uses feature sets crafted from system calls and network traffic, and uses a Support Vector Machine (SVM) for behavioral-based anomaly detection. The custommade malware is used to evaluate the situations where the SVM is effective, as well as the situations where it is not effective.

show abstract

Section: Related Workmentioning

confidence: 99%

“…The pre-processing step for system calls is similar to [2], where a sequence of system calls collected in a window size of length L is treated as an observation. Then, a bag-of-n-grams approach [4], [1], [11] is used to group the system calls and create the feature vector x ∈ R p .…”

Section: System Callsmentioning

confidence: 99%