Log In Sign Up

Learning Explainable Representations of Malware Behavior

by   Paul Prasse, et al.

We address the problems of identifying malware in network telemetry logs and providing indicators of compromise – comprehensible explanations of behavioral patterns that identify the threat. In our system, an array of specialized detectors abstracts network-flow data into comprehensible network events in a first step. We develop a neural network that processes this sequence of events and identifies specific threats, malware families and broad categories of malware. We then use the integrated-gradients method to highlight events that jointly constitute the characteristic behavioral pattern of the threat. We compare network architectures based on CNNs, LSTMs, and transformers, and explore the efficacy of unsupervised pre-training experimentally on large-scale telemetry data. We demonstrate how this system detects njRAT and other malware based on behavioral patterns.


page 8

page 13


Behavioral Malware Classification using Convolutional Recurrent Neural Networks

Behavioral malware detection aims to improve on the performance of stati...

The Naked Sun: Malicious Cooperation Between Benign-Looking Processes

Recent progress in machine learning has generated promising results in b...

Peeler: Profiling Kernel-Level Events to Detect Ransomware

Ransomware is a growing threat that typically operates by either encrypt...

Automated Ransomware Behavior Analysis: Pattern Extraction and Early Detection

Security operation centers (SOCs) typically use a variety of tools to co...

Network-based Analysis and Classification of Malware using Behavioral Artifacts Ordering

Using runtime execution artifacts to identify malware and its associated...

Poisoning Behavioral Malware Clustering

Clustering algorithms have become a popular tool in computer security to...

SUNDEW: An Ensemble of Predictors for Case-Sensitive Detection of Malware

Malware programs are diverse, with varying objectives, functionalities, ...