Leveraging string kernels for malware detection

Jonas Pfoh; Christian Schneider; Claudia Eckert

doi:10.1007/978-3-642-38631-2_16

Leveraging string kernels for malware detection

Jonas Pfoh
, Christian Schneider
, Claudia Eckert

Informatics 20 - Chair of IT Security

Technical University of Munich

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

19 Scopus citations

Abstract

Signature-based malware detection will always be a step behind as novel malware cannot be detected. On the other hand, machine learning-based methods are capable of detecting novel malware but classification is frequently done in an offline or batched manner and is often associated with time overheads that make it impractical. We propose an approach that bridges this gap. This approach makes use of a support vector machine (SVM) to classify system call traces. In contrast to other methods that use system call traces for malware detection, our approach makes use of a string kernel to make better use of the sequential information inherent in a system call trace. By classifying system call traces in small sections and keeping a moving average over the probability estimates produced by the SVM, our approach is capable of detecting malicious behavior online and achieves great accuracy.

Original language	English
Title of host publication	Network and System Security - 7th International Conference, NSS 2013, Proceedings
Pages	206-219
Number of pages	14
DOIs	https://doi.org/10.1007/978-3-642-38631-2_16
State	Published - 2013
Event	7th International Conference on Network and System Security, NSS 2013 - Madrid, Spain Duration: 3 Jun 2013 → 4 Jun 2013

Publication series

Name	Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume	7873 LNCS
ISSN (Print)	0302-9743
ISSN (Electronic)	1611-3349

Conference

Conference	7th International Conference on Network and System Security, NSS 2013
Country/Territory	Spain
City	Madrid
Period	3/06/13 → 4/06/13

Keywords

Machine Learning
Malware Detection
Security
System Calls

Access to Document

10.1007/978-3-642-38631-2_16

Cite this

Pfoh, J., Schneider, C., & Eckert, C. (2013). Leveraging string kernels for malware detection. In Network and System Security - 7th International Conference, NSS 2013, Proceedings (pp. 206-219). (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 7873 LNCS). https://doi.org/10.1007/978-3-642-38631-2_16

@inproceedings{13d54ac0188a4178897d0ea0a0d9366b,

title = "Leveraging string kernels for malware detection",

abstract = "Signature-based malware detection will always be a step behind as novel malware cannot be detected. On the other hand, machine learning-based methods are capable of detecting novel malware but classification is frequently done in an offline or batched manner and is often associated with time overheads that make it impractical. We propose an approach that bridges this gap. This approach makes use of a support vector machine (SVM) to classify system call traces. In contrast to other methods that use system call traces for malware detection, our approach makes use of a string kernel to make better use of the sequential information inherent in a system call trace. By classifying system call traces in small sections and keeping a moving average over the probability estimates produced by the SVM, our approach is capable of detecting malicious behavior online and achieves great accuracy.",

keywords = "Machine Learning, Malware Detection, Security, System Calls",

author = "Jonas Pfoh and Christian Schneider and Claudia Eckert",

year = "2013",

doi = "10.1007/978-3-642-38631-2\_16",

language = "English",

isbn = "9783642386305",

series = "Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)",

pages = "206--219",

booktitle = "Network and System Security - 7th International Conference, NSS 2013, Proceedings",

note = "7th International Conference on Network and System Security, NSS 2013 ; Conference date: 03-06-2013 Through 04-06-2013",

}

Pfoh, J, Schneider, C & Eckert, C 2013, Leveraging string kernels for malware detection. in Network and System Security - 7th International Conference, NSS 2013, Proceedings. Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), vol. 7873 LNCS, pp. 206-219, 7th International Conference on Network and System Security, NSS 2013, Madrid, Spain, 3/06/13. https://doi.org/10.1007/978-3-642-38631-2_16

Leveraging string kernels for malware detection. / Pfoh, Jonas; Schneider, Christian; Eckert, Claudia.
Network and System Security - 7th International Conference, NSS 2013, Proceedings. 2013. p. 206-219 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 7873 LNCS).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

TY - GEN

T1 - Leveraging string kernels for malware detection

AU - Pfoh, Jonas

AU - Schneider, Christian

AU - Eckert, Claudia

PY - 2013

Y1 - 2013

N2 - Signature-based malware detection will always be a step behind as novel malware cannot be detected. On the other hand, machine learning-based methods are capable of detecting novel malware but classification is frequently done in an offline or batched manner and is often associated with time overheads that make it impractical. We propose an approach that bridges this gap. This approach makes use of a support vector machine (SVM) to classify system call traces. In contrast to other methods that use system call traces for malware detection, our approach makes use of a string kernel to make better use of the sequential information inherent in a system call trace. By classifying system call traces in small sections and keeping a moving average over the probability estimates produced by the SVM, our approach is capable of detecting malicious behavior online and achieves great accuracy.

AB - Signature-based malware detection will always be a step behind as novel malware cannot be detected. On the other hand, machine learning-based methods are capable of detecting novel malware but classification is frequently done in an offline or batched manner and is often associated with time overheads that make it impractical. We propose an approach that bridges this gap. This approach makes use of a support vector machine (SVM) to classify system call traces. In contrast to other methods that use system call traces for malware detection, our approach makes use of a string kernel to make better use of the sequential information inherent in a system call trace. By classifying system call traces in small sections and keeping a moving average over the probability estimates produced by the SVM, our approach is capable of detecting malicious behavior online and achieves great accuracy.

KW - Machine Learning

KW - Malware Detection

KW - Security

KW - System Calls

UR - https://www.scopus.com/pages/publications/84883432226

U2 - 10.1007/978-3-642-38631-2_16

DO - 10.1007/978-3-642-38631-2_16

M3 - Conference contribution

AN - SCOPUS:84883432226

SN - 9783642386305

T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

SP - 206

EP - 219

BT - Network and System Security - 7th International Conference, NSS 2013, Proceedings

T2 - 7th International Conference on Network and System Security, NSS 2013

Y2 - 3 June 2013 through 4 June 2013

ER -

Leveraging string kernels for malware detection

Abstract

Publication series

Conference

Keywords

Access to Document

Other files and links

Fingerprint

Cite this