SIGL: Securing Software Installations Through Deep Graph Learning

by   Xueyuan Han, et al.

Many users implicitly assume that software can only be exploited after it is installed. However, recent supply-chain attacks demonstrate that application integrity must be ensured during installation itself. We introduce SIGL, a new tool for detecting malicious behavior during software installation. SIGL collects traces of system call activity, building a data provenance graph that it analyzes using a novel autoencoder architecture with a graph long short-term memory network (graph LSTM) for the encoder and a standard multilayer perceptron for the decoder. SIGL flags suspicious installations as well as the specific installation-time processes that are likely to be malicious. Using a test corpus of 625 malicious installers containing real-world malware, we demonstrate that SIGL has a detection accuracy of 96 systems from industry and academia by up to 87 in accuracy. We also demonstrate that SIGL can pinpoint the processes most likely to have triggered malicious behavior, works on different audit platforms and operating systems, and is robust to training data contamination and adversarial attack. It can be used with application-specific models, even in the presence of new software versions, as well as application-agnostic meta-models that encompass a wide range of applications and installers.


page 9

page 12


Droidetec: Android Malware Detection and Malicious Code Localization through Deep Learning

Android malware detection is a critical step towards building a security...

Tracking Temporal Evolution of Network Activity for Botnet Detection

Botnets are becoming increasingly prevalent as the primary enabling tech...

All Infections are Not Created Equal: Time-Sensitive Prediction of Malware Generated Network Attacks

Many techniques have been proposed for quickly detecting and containing ...

Malicious Code Detection: Run Trace Output Analysis by LSTM

Malicious software threats and their detection have been gaining importa...

Detecting Abnormal Traffic in Large-Scale Networks

With the rapid technological advancements, organizations need to rapidly...

One-Class Adversarial Nets for Fraud Detection

Many online applications, such as online social networks or knowledge ba...

Finding Cryptocurrency Attack Indicators Using Temporal Logic and Darkweb Data

With the recent prevalence of darkweb/deepweb (D2web) sites specializing...