Blog machine learning

Recently, my colleagues and I published two papers demonstrating the potential for practical machine learning based detection of malware. The first paper was presented at 2015 AI-Sec Workshop in Denver on October 16th. The second paper was presented at 2015 MALCON conference in Puerto Rico on October 20th. While the two papers have similar end goals, they use two different (but complementary) approaches for detection.

Dynamic Detection

The first paper, Malicious Behavior Detection using Windows Audit Logs, uses dynamic program behavior for classification. The dynamic behavior is collected using low volume, build-in Windows Audit Log collection mechanism, requiring little to almost no setup by a system administrator. We demonstrated how a regularized logistic regression can provide high accuracy detection, while providing interpretable reasoning behind the detection.

To facilitate further research in this direction, we have uploaded the pre-publication to arXiv, and we are releasing the anonymized dataset and code on GitHub.

Static Detection

In the second paper, Deep Neural Network Based Malware Detection Using Two Dimensional Binary Program Features, we presented a deep neural network learning method that uses the concept of “two dimensional” features. The two-dimensional encoding allowed us to have a very compact and resilient representation of the binary, which in turn, allowed us to cheaply and effectively train our classifier.

The pre-print can be found at ArXiv.

Open Science

We feel that one of the major issues holding back progress in cybersecurity is the lack of good databases that can be used to evaluate various methods, paywall restriction to large fraction of publications, and irreproducibility of results. Finally, we hope that they cybersecurity community will follow us in openly releasing their pre-publications and data, whenever possible.

References

Further details can be found on GitHub and ArXiv:

Malicious Behavior Detection using Windows Audit Logs

Deep Neural Network Based Malware Detection Using Two Dimensional Binary Program Features

0 replies

Leave a Reply

Want to join the discussion?
Feel free to contribute!

Leave a Reply

Your email address will not be published. Required fields are marked *