Modern malware detection tools rely on special permissions to collect data that can reveal the presence of suspicious software within a machine. Typical data that they collect for this task are the set of system calls, the content of network traffic, file system changes, and API calls. However, giving access to these data to an externally created program means granting the company that created that software complete control over the host machine. This is undesirable for many reasons. In this work, we propose an alternative approach for this task, which relies on easily accessible data, information about system performances (CPU, RAM, disk, and network usage), and does not need high-level permissions to be collected. To investigate the effectiveness of this approach, we collected these data in the form of a multivalued time series and ran a number of malware programs in a suitably devised sandbox. Then – to address the fact that deep learning models need large training sets – we augmented the dataset using a deep learning generative model (a Generative Adversarial Network). Finally, we trained an LSTM (Long Short Term Memory) network to capture the malware behavioral patterns. Our investigation found that this approach, based on easy-to-collect information, is very effective (we achieved 0.99 accuracy), despite the fact that the data used for training the detector are substantially different from the ones specifically targeted for this purpose. The real and synthetic datasets, as well as corresponding source code, are publicly available.
Lightweight Behavior-Based Malware Detection / M. Anisetti, C.A. Ardagna, N. Bena, V. Giandomenico, G. Gianini (COMMUNICATIONS IN COMPUTER AND INFORMATION SCIENCE). - In: Management of Digital EcoSystems / [a cura di] R. Chbeir, D. Benslimane, M. Zervakis, Y. Manolopoulos, N. Thanh Ngyuen, J. Tekli. - [s.l] : Springer, 2024 Feb. - ISBN 978-3-031-51642-9. - pp. 237-250 (( Intervento presentato al 15. convegno MEDES International Conference on Management of Digital EcoSystems tenutosi a Heraklion nel 2023 [10.1007/978-3-031-51643-6_17].
Lightweight Behavior-Based Malware Detection
M. AnisettiPrimo
;C.A. ArdagnaSecondo
;N. Bena;
2024
Abstract
Modern malware detection tools rely on special permissions to collect data that can reveal the presence of suspicious software within a machine. Typical data that they collect for this task are the set of system calls, the content of network traffic, file system changes, and API calls. However, giving access to these data to an externally created program means granting the company that created that software complete control over the host machine. This is undesirable for many reasons. In this work, we propose an alternative approach for this task, which relies on easily accessible data, information about system performances (CPU, RAM, disk, and network usage), and does not need high-level permissions to be collected. To investigate the effectiveness of this approach, we collected these data in the form of a multivalued time series and ran a number of malware programs in a suitably devised sandbox. Then – to address the fact that deep learning models need large training sets – we augmented the dataset using a deep learning generative model (a Generative Adversarial Network). Finally, we trained an LSTM (Long Short Term Memory) network to capture the malware behavioral patterns. Our investigation found that this approach, based on easy-to-collect information, is very effective (we achieved 0.99 accuracy), despite the fact that the data used for training the detector are substantially different from the ones specifically targeted for this purpose. The real and synthetic datasets, as well as corresponding source code, are publicly available.
| File | Dimensione | Formato | |
|---|---|---|---|
|
AABGG.MEDES2023.pdf
embargo fino al 01/02/2025
Tipologia:
Post-print, accepted manuscript ecc. (versione accettata dall'editore)
Dimensione
2.47 MB
Formato
Adobe PDF
|
2.47 MB | Adobe PDF | Visualizza/Apri Richiedi una copia |
|
AABGG.MEDES2023.pdf
accesso riservato
Tipologia:
Publisher's version/PDF
Dimensione
1.37 MB
Formato
Adobe PDF
|
1.37 MB | Adobe PDF | Visualizza/Apri Richiedi una copia |
Pubblicazioni consigliate
I documenti in IRIS sono protetti da copyright e tutti i diritti sono riservati, salvo diversa indicazione.
