Neural Network Analysis of System Call Timing for Rootkit Detection

Luckett, Patrick; McDonald, J. Todd; Dawson, Joel

doi:10.1109/cybersec.2016.008

Cited by 18 publications

(11 citation statements)

References 7 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…There have been several works on dynamic malware detection using traditional machine learning approaches. The works in [14], [16] focused on using system calls as features. Firdausi et al [14] employed traditional machine learning algorithms such as KNN, Naive Bayes, decision trees and SVM, where as Lucket et al [16] used neural networks.…”

Section: A Dynamic Malware Detectionmentioning

confidence: 99%

“…The works in [14], [16] focused on using system calls as features. Firdausi et al [14] employed traditional machine learning algorithms such as KNN, Naive Bayes, decision trees and SVM, where as Lucket et al [16] used neural networks. The works in [18], [15] rely on system performance metrics and traditional ML algorithms for malware detection.…”

Section: A Dynamic Malware Detectionmentioning

confidence: 99%

See 1 more Smart Citation

Recurrent Neural Networks Based Online Behavioural Malware Detection Techniques for Cloud Infrastructure

et al. 2021

View full text Add to dashboard Cite

Several organizations are utilizing cloud technologies and resources to run a range of applications. These services help businesses save on hardware management, scalability and maintainability concerns of underlying infrastructure. Key cloud service providers (CSPs) like Amazon, Microsoft and Google offer Infrastructure as a Service (IaaS) to meet the growing demand of such enterprises. This increased utilization of cloud platforms has made it an attractive target to the attackers, thereby, making the security of cloud services a top priority for CSPs. In this respect, malware has been recognized as one of the most dangerous and destructive threats to cloud infrastructure (IaaS). In this paper, we study the effectiveness of Recurrent Neural Networks (RNNs) based deep learning techniques for detecting malware in cloud Virtual Machines (VMs). We focus on two major RNN architectures: Long Short Term Memory RNNs (LSTMs) and Bidirectional RNNs (BIDIs). These models learn the behavior of malware over time based on run-time fine-grained processes system features such as CPU, memory, and disk utilization. We evaluate our approach on a dataset of 40,680 malicious and benign samples. The process level features were collected using real malware running in an open online cloud environment with no restrictions, which is important to emulate practical cloud provider settings and also capture the true behaviour of stealth and sophisticated malware. Both our LSTM and BIDI models achieve high detection rates over 99% for different evaluation metrics. In addition, an analysis study is conducted to understand the significance of input data representations. Our results suggest that in particular cases, input ordering does have some affect on the performance of the trained RNN models.

show abstract

Section: A Dynamic Malware Detectionmentioning

confidence: 99%

Section: A Dynamic Malware Detectionmentioning

confidence: 99%

Recurrent Neural Networks Based Online Behavioural Malware Detection Techniques for Cloud Infrastructure

et al. 2021

View full text Add to dashboard Cite

show abstract

“…Research in [11], [15] utilize system calls as features to train classical machine learning models (i.e. KNN, NB, SVC and DT) and neural networks, respectively.…”

Section: A Related Workmentioning

confidence: 99%

“…1) Unlike traditional host-based approaches in [9], [11], [15], [19]- [23], we aim to focus on developing a cloudspecific approach. Our experiment deployment, which consists of a commonly used three-tier web architecture, gives our collected data the added benefit of being generated in an extremely realistic cloud environment.…”

Section: A Related Workmentioning

confidence: 99%

“…Online malware detection techniques are significantly impacted by the features chosen to capture the behavior of the malware present in a particular machine. For example, several works [2], [10], [11] are using system calls (the most widely used); however, it is very resource consuming and data can only be fetched through on-host collecting agent. Only few works [1], [5]- [8], [12], [13] use resource utilization metrics (also known as performance metrics) due to the fact that they are less expressive than system calls in terms of capturing the low-activity malicious behavior.…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Analyzing Machine Learning Approaches for Online Malware Detection in Cloud

Kimmell¹,

Abdelsalam²,

Gupta³

2021

Preprint

View full text Add to dashboard Cite

The variety of services and functionality offered by various cloud service providers (CSP) have exploded lately. Utilizing such services has created numerous opportunities for enterprises infrastructure to become cloud-based and, in turn, assisted the enterprises to easily and flexibly offer services to their customers. The practice of renting out access to servers to clients for computing and storage purposes is known as Infrastructure as a Service (IaaS). The popularity of IaaS has led to serious and critical concerns with respect to the cyber security and privacy. In particular, malware is often leveraged by malicious entities against cloud services to compromise sensitive data or to obstruct their functionality. In response to this growing menace, malware detection for cloud environments has become a widely researched topic with numerous methods being proposed and deployed. In this paper, we present online malware detection based on process level performance metrics, and analyze the effectiveness of different baseline machine learning models including, Support Vector Classifier (SVC), Random Forest Classifier (RFC), K-Nearest Neighbor (KNN), Gradient Boosted Classifier (GBC), Gaussian Naive Bayes (GNB) and Convolutional Neural Networks (CNN). Our analysis conclude that neural network models can most accurately detect the impact malware have on the process level features of virtual machines in the cloud, and therefore are best suited to detect them. Our models were trained, validated, and tested by using a dataset of 40,680 malicious and benign samples. The dataset was complied by running different families of malware (collected from VirusTotal) in a live cloud environment and collecting the process level features.

show abstract

Online Malware Detection in Cloud Auto-scaling Systems Using Shallow Convolutional Neural Networks

Abdelsalam

Krishnan

Sandhu

2019

Data and Applications Security and Privacy XXXIII

View full text Add to dashboard Cite

This paper introduces a novel online malware detection approach in cloud by leveraging one of its unique characteristics-auto-scaling. Auto-scaling in cloud allows for maintaining an optimal number of running VMs based on load, by dynamically adding or terminating VMs. Our detection system is online because it detects malicious behavior while the system is running. Malware detection is performed by utilizing process-level performance metrics to model a Convolutional Neural Network (CNN). We initially employ a 2d CNN approach which trains on individual samples of each of the VMs in an auto-scaling scenario. That is, there is no correlation between samples from different VMs during the training phase. We enhance the detection accuracy by considering the correlations between multiple VMs through a sample pairing approach. Experiments are performed by injecting malware inside one of the VMs in an auto-scaling scenario. We show that our standard 2d CNN approach reaches an accuracy of 90%. However, our sample pairing approach significantly improves the accuracy to 97%.

show abstract

Neural Network Analysis of System Call Timing for Rootkit Detection

Cited by 18 publications

References 7 publications

Recurrent Neural Networks Based Online Behavioural Malware Detection Techniques for Cloud Infrastructure

Recurrent Neural Networks Based Online Behavioural Malware Detection Techniques for Cloud Infrastructure

Analyzing Machine Learning Approaches for Online Malware Detection in Cloud

Online Malware Detection in Cloud Auto-scaling Systems Using Shallow Convolutional Neural Networks

Contact Info

Product

Resources

About