In recent years, malware attacks have become more and more sophisticated, reflecting a radical change in malware behavior. Attackers aim to create malware that, at each execution, generates a different number of independent and cooperating threads. Randomization of malware's division of labor among threads poses significant challenges to traditional detection approaches. In this paper, we demonstrate that attacks based on random division of labor among multiple threads can dramatically degrade the detection performance of five benchmark ML models, in some cases dropping their accuracy to 50% with only a few threads. Then, we propose and evaluate a novel detection technique based on polymorphic-aware training and ensemble learning with ad-hoc voting scheme (favoring minority report). Results of experimentation carried out on real malware system call logs and assigned to threads via a Bayesian splitting accounting for inter-call dependency indicate that our ensemble has high detection capabilities (99.7% best case), and improves the baseline accuracy of a single model in detecting single-thread malware.

Hardening behavioral classifiers against polymorphic malware: An ensemble approach based on minority report / L. Mauri, E. Damiani. - In: INFORMATION SCIENCES. - ISSN 0020-0255. - 689:(2025 Jan), pp. 121499.1-121499.17. [10.1016/j.ins.2024.121499]

Hardening behavioral classifiers against polymorphic malware: An ensemble approach based on minority report

L. Mauri
Primo
;
E. Damiani
Secondo
2025

Abstract

In recent years, malware attacks have become more and more sophisticated, reflecting a radical change in malware behavior. Attackers aim to create malware that, at each execution, generates a different number of independent and cooperating threads. Randomization of malware's division of labor among threads poses significant challenges to traditional detection approaches. In this paper, we demonstrate that attacks based on random division of labor among multiple threads can dramatically degrade the detection performance of five benchmark ML models, in some cases dropping their accuracy to 50% with only a few threads. Then, we propose and evaluate a novel detection technique based on polymorphic-aware training and ensemble learning with ad-hoc voting scheme (favoring minority report). Results of experimentation carried out on real malware system call logs and assigned to threads via a Bayesian splitting accounting for inter-call dependency indicate that our ensemble has high detection capabilities (99.7% best case), and improves the baseline accuracy of a single model in detecting single-thread malware.
Behavioral detection; Polymorphic attack; Evasion; Ensemble learning; Machine learning; Exfiltration;
Settore INFO-01/A - Informatica
   Sovereign Edge-Hub: un’architettura cloud-edge per la sovranità digitale nelle scienze della vita (SOV-EDGE-HUB)Linea Strategica 4 - Sicurezza informatica/Cloud
   SOV-EDGE-HUB
   UNIVERSITA' DEGLI STUDI DI MILANO
gen-2025
27-set-2024
Article (author)
File in questo prodotto:
File Dimensione Formato  
Hardening_behavioral_classifiers_against_polymorphic_malware__An_ensemble_approach_based_on_minority_report.pdf

accesso aperto

Tipologia: Publisher's version/PDF
Dimensione 2.83 MB
Formato Adobe PDF
2.83 MB Adobe PDF Visualizza/Apri
Pubblicazioni consigliate

I documenti in IRIS sono protetti da copyright e tutti i diritti sono riservati, salvo diversa indicazione.

Utilizza questo identificativo per citare o creare un link a questo documento: https://hdl.handle.net/2434/1105057
Citazioni
  • ???jsp.display-item.citation.pmc??? ND
  • Scopus 0
  • ???jsp.display-item.citation.isi??? 0
social impact