A System-call Behavior Language System for Malware Detection Using A Sensitivity-based LSTM Model

With the increasing number and variety of malware, it is imperative to design a behavior analysis system to detect them. In this paper, we propose a sensitivity-based LSTM model to design a System-call Behavioral Language (SBL) system for malware detection. The behavior of software can be represented by a System-call sequence. Each System-call has a different sensitivity, which is related to the resource it handles, and so should receive a different amount of attention. The model we designed in the SBL system consists of two parts: behavior language learning and sensitivity-based attention calculation. Our model obtains AUC values of 0.99 on the test dataset and 0.93 on the unknown dataset, which is 0.15 higher than KNN and 0.02 higher than Random Forest. In particular, our model achieves 78% specificity on the unknown attack dataset, while the classic language model can only reach 66%.
