Modern malware detection tools rely on special permissions to collect data that can reveal the presence of suspicious software within a machine. Typical data that they collect for this task are the set of system calls, the content of network traffic, file system changes, and API calls. However, giving access to these data to an externally created program means granting the company that created that software complete control over the host machine. This is undesirable for many reasons. In this work, we propose an alternative approach for this task, which relies on easily accessible data, information about system performances (CPU, RAM, disk, and network usage), and does not need high-level permissions to be collected. To investigate the effectiveness of this approach, we collected these data in the form of a multivalued time series and ran a number of malware programs in a suitably devised sandbox. Then – to address the fact that deep learning models need large training sets – we augmented the dataset using a deep learning generative model (a Generative Adversarial Network). Finally, we trained an LSTM (Long Short Term Memory) network to capture the malware behavioral patterns. Our investigation found that this approach, based on easy-to-collect information, is very effective (we achieved 0.99 accuracy), despite the fact that the data used for training the detector are substantially different from the ones specifically targeted for this purpose. The real and synthetic datasets, as well as corresponding source code, are publicly available.

Lightweight Behavior-Based Malware Detection / M. Anisetti, C.A. Ardagna, N. Bena, V. Giandomenico, G. Gianini (COMMUNICATIONS IN COMPUTER AND INFORMATION SCIENCE). - In: Management of Digital EcoSystems / [a cura di] R. Chbeir, D. Benslimane, M. Zervakis, Y. Manolopoulos, N. Thanh Ngyuen, J. Tekli. - [s.l] : Springer, 2024 Feb. - ISBN 978-3-031-51642-9. - pp. 237-250 (( Intervento presentato al 15. convegno MEDES International Conference on Management of Digital EcoSystems tenutosi a Heraklion nel 2023 [10.1007/978-3-031-51643-6_17].

Lightweight Behavior-Based Malware Detection

M. Anisetti
Primo
;
C.A. Ardagna
Secondo
;
N. Bena;
2024

Abstract

Modern malware detection tools rely on special permissions to collect data that can reveal the presence of suspicious software within a machine. Typical data that they collect for this task are the set of system calls, the content of network traffic, file system changes, and API calls. However, giving access to these data to an externally created program means granting the company that created that software complete control over the host machine. This is undesirable for many reasons. In this work, we propose an alternative approach for this task, which relies on easily accessible data, information about system performances (CPU, RAM, disk, and network usage), and does not need high-level permissions to be collected. To investigate the effectiveness of this approach, we collected these data in the form of a multivalued time series and ran a number of malware programs in a suitably devised sandbox. Then – to address the fact that deep learning models need large training sets – we augmented the dataset using a deep learning generative model (a Generative Adversarial Network). Finally, we trained an LSTM (Long Short Term Memory) network to capture the malware behavioral patterns. Our investigation found that this approach, based on easy-to-collect information, is very effective (we achieved 0.99 accuracy), despite the fact that the data used for training the detector are substantially different from the ones specifically targeted for this purpose. The real and synthetic datasets, as well as corresponding source code, are publicly available.
Malware detection; behavior analysis; LSTM; GAN
Settore INF/01 - Informatica
   SEcurity and RIghts in the CyberSpace (SERICS)
   SERICS
   MINISTERO DELL'UNIVERSITA' E DELLA RICERCA
   codice identificativo PE00000014

   MUSA - Multilayered Urban Sustainability Actiona
   MUSA
   MINISTERO DELL'UNIVERSITA' E DELLA RICERCA
feb-2024
Book Part (author)
File in questo prodotto:
File Dimensione Formato  
AABGG.MEDES2023.pdf

embargo fino al 01/02/2025

Tipologia: Post-print, accepted manuscript ecc. (versione accettata dall'editore)
Dimensione 2.47 MB
Formato Adobe PDF
2.47 MB Adobe PDF   Visualizza/Apri   Richiedi una copia
AABGG.MEDES2023.pdf

accesso riservato

Tipologia: Publisher's version/PDF
Dimensione 1.37 MB
Formato Adobe PDF
1.37 MB Adobe PDF   Visualizza/Apri   Richiedi una copia
Pubblicazioni consigliate

I documenti in IRIS sono protetti da copyright e tutti i diritti sono riservati, salvo diversa indicazione.

Utilizza questo identificativo per citare o creare un link a questo documento: https://hdl.handle.net/2434/1022276
Citazioni
  • ???jsp.display-item.citation.pmc??? ND
  • Scopus 0
  • ???jsp.display-item.citation.isi??? ND
social impact