Stealth malware analysis from kernel space with Kolumbo

Desfossez, Julien; Dieppedale, Justine; Girard, Gabriel

doi:10.1007/s11416-009-0139-z

Cited by 2 publications

(1 citation statement)

References 1 publication

(1 reference statement)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Thus, while very useful for other contexts, these tools are not sufficient for real-time monitoring and analysis of all processes running on a Windows system. Therefore, we designed and implemented our own system call monitoring driver to monitor system calls and address some issues from the mentioned tools: our driver operates at the kernel level, making it hard for user-level malware to tamper with it or evade interception-most malware today can detect user level tracing and change behavior [37]; our driver is able to perform whole-system system call interception, since that DEEPMALWARE does not analyze processes in isolation-the context of processes' interactions with other processes in the system is considered.…”

Section: A the System Call Monitoring Drivermentioning

confidence: 99%

Learning Fast and Slow: PROPEDEUTICA for Real-time Malware Detection

Sun¹,

Yuan²,

He³

et al. 2017

Preprint

View full text Add to dashboard Cite

In this paper, we introduce and evaluate PROPEDEUTICA 1 , a novel methodology and framework for efficient and effective real-time malware detection, leveraging the best of conventional machine learning (ML) and deep learning (DL) algorithms.In PROPEDEUTICA, all software processes in the system start execution subjected to a conventional ML detector for fast classification. If a piece of software receives a borderline classification, it is subjected to further analysis via more performance expensive and more accurate DL methods, via our newly proposed DL algorithm DEEPMALWARE. Further, in an exploratory fashion, we introduce delays to the execution of software subjected to DEEPMALWARE as a way to "buy time" for DL analysis and to rate-limit the impact of possible malware in the system.We evaluated PROPEDEUTICA with a set of 9,115 malware samples and 877 commonly used benign software samples from various categories for the Windows OS. Our results show that the false positive rate for conventional ML methods can reach 20%, and for modern DL methods it is usually below 6%. However, the classification time for DL can be 100X longer than conventional ML methods. PROPEDEUTICA improved the detection F1-score from 77.54% (conventional ML method) to 90.25% (16.39% increase), and reduced the detection time by 54.86%. Further, the percentage of software subjected to DL analysis was approximately 40% on average. Further, the application of delays in software subjected to ML reduced the detection time by approximately 10%. Finally, we found and discussed a discrepancy between the detection accuracy offline (analysis after all traces are collected) and on-the-fly (analysis in tandem with trace collection). Conventional ML experienced a decrease of 13% in accuracy when executed offline (89.05%) compared to online (77.54%) with the same traces.Our insights show that conventional ML and modern DLbased malware detectors in isolation cannot meet the needs of efficient and effective malware detection: high accuracy, low false positive rate, and short classification time.

show abstract

Section: A the System Call Monitoring Drivermentioning

confidence: 99%