Recently, my colleagues and I published two papers demonstrating the potential for practical machine learning based detection of malware. The first paper was presented at 2015 AI-Sec Workshop in Denver on October 16th. The second paper was presented at 2015 MALCON conference in Puerto Rico on October 20th. While the two papers have similar end goals, they use two different (but complementary) approaches for detection.
The first paper, Malicious Behavior Detection using Windows Audit Logs, uses dynamic program behavior for classification. The dynamic behavior is collected using low volume, build-in Windows Audit Log collection mechanism, requiring little to almost no setup by a system administrator. We demonstrated how a regularized logistic regression can provide high accuracy detection, while providing interpretable reasoning behind the detection.
In the second paper, Deep Neural Network Based Malware Detection Using Two Dimensional Binary Program Features, we presented a deep neural network learning method that uses the concept of “two dimensional” features. The two-dimensional encoding allowed us to have a very compact and resilient representation of the binary, which in turn, allowed us to cheaply and effectively train our classifier.
The pre-print can be found at ArXiv.
We feel that one of the major issues holding back progress in cybersecurity is the lack of good databases that can be used to evaluate various methods, paywall restriction to large fraction of publications, and irreproducibility of results. Finally, we hope that they cybersecurity community will follow us in openly releasing their pre-publications and data, whenever possible.
Further details can be found on GitHub and ArXiv: