The dose makes the poison — Leveraging uncertainty for effective malware detection
Title | The dose makes the poison — Leveraging uncertainty for effective malware detection |
Publication Type | Conference Paper |
Year of Publication | 2017 |
Authors | Sun, R., Yuan, X., Lee, A., Bishop, M., Porter, D. E., Li, X., Gregio, A., Oliveira, D. |
Conference Name | 2017 IEEE Conference on Dependable and Secure Computing |
Keywords | 100 malware samples, AI Poisoning, analyzed benign software, behavioral-based malware detectors, Chameleon, CPU-bound software, deep analysis, deep learning models, Detectors, devastating consequences, effective malware detection, Human Behavior, I/O-bound software, Interference, invasive software, learning (artificial intelligence), Linux, Malware, Organizations, OS processes, Plan B, potential malware, promising avenue, pubcrawl, received borderline classifications, resilience, Resiliency, Scalability, sensitive information, software execution, Standards organizations, time-consuming, traditional ML detectors, traditional ML methods, uncertain environment |
Abstract | Malware has become sophisticated and organizations don't have a Plan B when standard lines of defense fail. These failures have devastating consequences for organizations, such as sensitive information being exfiltrated. A promising avenue for improving the effectiveness of behavioral-based malware detectors is to combine fast (usually not highly accurate) traditional machine learning (ML) detectors with high-accuracy, but time-consuming, deep learning (DL) models. The main idea is to place software receiving borderline classifications by traditional ML methods in an environment where uncertainty is added, while software is analyzed by time-consuming DL models. The goal of uncertainty is to rate-limit actions of potential malware during deep analysis. In this paper, we describe Chameleon, a Linux-based framework that implements this uncertain environment. Chameleon offers two environments for its OS processes: standard - for software identified as benign by traditional ML detectors - and uncertain - for software that received borderline classifications analyzed by ML methods. The uncertain environment will bring obstacles to software execution through random perturbations applied probabilistically on selected system calls. We evaluated Chameleon with 113 applications from common benchmarks and 100 malware samples for Linux. Our results show that at threshold 10%, intrusive and non-intrusive strategies caused approximately 65% of malware to fail accomplishing their tasks, while approximately 30% of the analyzed benign software to meet with various levels of disruption (crashed or hampered). We also found that I/O-bound software was three times more affected by uncertainty than CPU-bound software. |
URL | https://ieeexplore.ieee.org/document/8073803/ |
DOI | 10.1109/DESEC.2017.8073803 |
Citation Key | sun_dose_2017 |