Hardening behavioral classifiers against polymorphic malware: An ensemble approach based on minority report / L. Mauri, E. Damiani. - In: INFORMATION SCIENCES. - ISSN 0020-0255. - 689:(2025 Jan), pp. 121499.1-121499.17. [10.1016/j.ins.2024.121499]

Hardening behavioral classifiers against polymorphic malware: An ensemble approach based on minority report

L. Mauri (first author); E. Damiani (second author)
2025

Abstract

In recent years, malware attacks have become more and more sophisticated, reflecting a radical change in malware behavior. Attackers aim to create malware that, at each execution, generates a different number of independent and cooperating threads. Randomization of the malware's division of labor among threads poses significant challenges to traditional detection approaches. In this paper, we demonstrate that attacks based on a random division of labor among multiple threads can dramatically degrade the detection performance of five benchmark ML models, in some cases dropping their accuracy to 50% with only a few threads. We then propose and evaluate a novel detection technique based on polymorphic-aware training and ensemble learning with an ad-hoc voting scheme (favoring the minority report). Results of experiments carried out on real malware system call logs, with calls assigned to threads via a Bayesian splitting that accounts for inter-call dependency, indicate that our ensemble has high detection capabilities (99.7% in the best case) and improves on the baseline accuracy of a single model in detecting single-thread malware.

Keywords: Behavioral detection; Polymorphic attack; Evasion; Ensemble learning; Machine learning; Exfiltration
Field: INFO-01/A - Computer Science
Funding: Sovereign Edge-Hub: a cloud-edge architecture for digital sovereignty in the life sciences (SOV-EDGE-HUB), Strategic Line 4 - Cybersecurity/Cloud; SOV-EDGE-HUB; UNIVERSITA' DEGLI STUDI DI MILANO
Published: Jan-2025
Accepted: 27-Sep-2024
Article (author)
Files in this record:
File: Hardening_behavioral_classifiers_against_polymorphic_malware__An_ensemble_approach_based_on_minority_report.pdf
Access: open access
Type: Publisher's version/PDF
Size: 2.83 MB
Format: Adobe PDF

Documents in IRIS are protected by copyright and all rights are reserved, unless otherwise indicated.

Use this identifier to cite or link to this document: https://hdl.handle.net/2434/1105057
Citations
  • Scopus 0