Run-time classification of malicious processes using system call analysis

Raymond Canzanese; Spiros Mancoridis; Moshe Kam

doi:10.1109/MALWARE.2015.7413681

Run-time classification of malicious processes using system call analysis

Raymond Canzanese, Spiros Mancoridis, Moshe Kam

Electrical and Computer Engineering

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

22 Scopus citations

Abstract

This study presents a malware classification system designed to classify malicious processes at run-time on production hosts. The system monitors process-level system call activity and uses information extracted from system call traces as inputs to the classifier. The system is advantageous because it does not require the use of specialized analysis environments. Instead, a 'lightweight' service application monitors process execution and classifies new malware samples based on their behavioral similarity to known malware. This study compares the effectiveness of multiple feature sets, ground truth labeling schemes, and machine learning algorithms for malware classification. The accuracy of the classification system is evaluated against processlevel system call traces of recently discovered malware samples collected from production environments. Experimental results indicate that accurate classification results can be achieved using relatively short system call traces and simple representations.

Original language	English (US)
Title of host publication	2015 10th International Conference on Malicious and Unwanted Software, MALWARE 2015
Publisher	Institute of Electrical and Electronics Engineers Inc.
Pages	21-28
Number of pages	8
ISBN (Electronic)	9781509003174
DOIs	https://doi.org/10.1109/MALWARE.2015.7413681
State	Published - Feb 18 2016
Event	10th International Conference on Malicious and Unwanted Software, MALWARE 2015 - Fajardo, United States Duration: Oct 20 2015 → Oct 22 2015

Publication series

Name	2015 10th International Conference on Malicious and Unwanted Software, MALWARE 2015

Other

Other	10th International Conference on Malicious and Unwanted Software, MALWARE 2015
Country/Territory	United States
City	Fajardo
Period	10/20/15 → 10/22/15

All Science Journal Classification (ASJC) codes

Computer Networks and Communications
Software
Safety, Risk, Reliability and Quality

Keywords

Algorithm design and analysis
Decision trees
Feature extraction
Heuristic algorithms
Malware
Training
Vegetation

Access to Document

10.1109/MALWARE.2015.7413681

Cite this

Canzanese, R., Mancoridis, S., & Kam, M. (2016). Run-time classification of malicious processes using system call analysis. In 2015 10th International Conference on Malicious and Unwanted Software, MALWARE 2015 (pp. 21-28). [7413681] (2015 10th International Conference on Malicious and Unwanted Software, MALWARE 2015). Institute of Electrical and Electronics Engineers Inc.. https://doi.org/10.1109/MALWARE.2015.7413681

Canzanese, Raymond ; Mancoridis, Spiros ; Kam, Moshe. / Run-time classification of malicious processes using system call analysis. 2015 10th International Conference on Malicious and Unwanted Software, MALWARE 2015. Institute of Electrical and Electronics Engineers Inc., 2016. pp. 21-28 (2015 10th International Conference on Malicious and Unwanted Software, MALWARE 2015).

@inproceedings{db39f2e84b5e49ecb93703729f60f365,

title = "Run-time classification of malicious processes using system call analysis",

abstract = "This study presents a malware classification system designed to classify malicious processes at run-time on production hosts. The system monitors process-level system call activity and uses information extracted from system call traces as inputs to the classifier. The system is advantageous because it does not require the use of specialized analysis environments. Instead, a 'lightweight' service application monitors process execution and classifies new malware samples based on their behavioral similarity to known malware. This study compares the effectiveness of multiple feature sets, ground truth labeling schemes, and machine learning algorithms for malware classification. The accuracy of the classification system is evaluated against processlevel system call traces of recently discovered malware samples collected from production environments. Experimental results indicate that accurate classification results can be achieved using relatively short system call traces and simple representations.",

keywords = "Algorithm design and analysis, Decision trees, Feature extraction, Heuristic algorithms, Malware, Training, Vegetation",

author = "Raymond Canzanese and Spiros Mancoridis and Moshe Kam",

note = "Funding Information: Thank you to the KEYSPOT Network, the People's Emergency Center, the Dornsife Center for Neighborhood Partnerships, the City of Philadelphia's Mayor's Commission on Literacy, Office of Innovation and Technology (OIT), and Department of Parks and Recreation (PPR) for their support of this research. This research is sponsored by a Secure and Trustworthy Cyberspace (SaTC) award from the National Science Foundation (NSF), under grant CNS-1228847, and the Isaac L. Auerbach endowed chair for Spiros Mancoridis Publisher Copyright: {\textcopyright} 2015 IEEE.; 10th International Conference on Malicious and Unwanted Software, MALWARE 2015 ; Conference date: 20-10-2015 Through 22-10-2015",

year = "2016",

month = feb,

day = "18",

doi = "10.1109/MALWARE.2015.7413681",

language = "English (US)",

series = "2015 10th International Conference on Malicious and Unwanted Software, MALWARE 2015",

publisher = "Institute of Electrical and Electronics Engineers Inc.",

pages = "21--28",

booktitle = "2015 10th International Conference on Malicious and Unwanted Software, MALWARE 2015",

address = "United States",

}

Canzanese, R, Mancoridis, S & Kam, M 2016, Run-time classification of malicious processes using system call analysis. in 2015 10th International Conference on Malicious and Unwanted Software, MALWARE 2015., 7413681, 2015 10th International Conference on Malicious and Unwanted Software, MALWARE 2015, Institute of Electrical and Electronics Engineers Inc., pp. 21-28, 10th International Conference on Malicious and Unwanted Software, MALWARE 2015, Fajardo, United States, 10/20/15. https://doi.org/10.1109/MALWARE.2015.7413681

Run-time classification of malicious processes using system call analysis. / Canzanese, Raymond; Mancoridis, Spiros; Kam, Moshe.

2015 10th International Conference on Malicious and Unwanted Software, MALWARE 2015. Institute of Electrical and Electronics Engineers Inc., 2016. p. 21-28 7413681 (2015 10th International Conference on Malicious and Unwanted Software, MALWARE 2015).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

TY - GEN

T1 - Run-time classification of malicious processes using system call analysis

AU - Canzanese, Raymond

AU - Mancoridis, Spiros

AU - Kam, Moshe

N1 - Funding Information: Thank you to the KEYSPOT Network, the People's Emergency Center, the Dornsife Center for Neighborhood Partnerships, the City of Philadelphia's Mayor's Commission on Literacy, Office of Innovation and Technology (OIT), and Department of Parks and Recreation (PPR) for their support of this research. This research is sponsored by a Secure and Trustworthy Cyberspace (SaTC) award from the National Science Foundation (NSF), under grant CNS-1228847, and the Isaac L. Auerbach endowed chair for Spiros Mancoridis Publisher Copyright: © 2015 IEEE.

PY - 2016/2/18

Y1 - 2016/2/18

N2 - This study presents a malware classification system designed to classify malicious processes at run-time on production hosts. The system monitors process-level system call activity and uses information extracted from system call traces as inputs to the classifier. The system is advantageous because it does not require the use of specialized analysis environments. Instead, a 'lightweight' service application monitors process execution and classifies new malware samples based on their behavioral similarity to known malware. This study compares the effectiveness of multiple feature sets, ground truth labeling schemes, and machine learning algorithms for malware classification. The accuracy of the classification system is evaluated against processlevel system call traces of recently discovered malware samples collected from production environments. Experimental results indicate that accurate classification results can be achieved using relatively short system call traces and simple representations.

AB - This study presents a malware classification system designed to classify malicious processes at run-time on production hosts. The system monitors process-level system call activity and uses information extracted from system call traces as inputs to the classifier. The system is advantageous because it does not require the use of specialized analysis environments. Instead, a 'lightweight' service application monitors process execution and classifies new malware samples based on their behavioral similarity to known malware. This study compares the effectiveness of multiple feature sets, ground truth labeling schemes, and machine learning algorithms for malware classification. The accuracy of the classification system is evaluated against processlevel system call traces of recently discovered malware samples collected from production environments. Experimental results indicate that accurate classification results can be achieved using relatively short system call traces and simple representations.

KW - Algorithm design and analysis

KW - Decision trees

KW - Feature extraction

KW - Heuristic algorithms

KW - Malware

KW - Training

KW - Vegetation

UR - http://www.scopus.com/inward/record.url?scp=84969792589&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=84969792589&partnerID=8YFLogxK

U2 - 10.1109/MALWARE.2015.7413681

DO - 10.1109/MALWARE.2015.7413681

M3 - Conference contribution

AN - SCOPUS:84969792589

T3 - 2015 10th International Conference on Malicious and Unwanted Software, MALWARE 2015

SP - 21

EP - 28

BT - 2015 10th International Conference on Malicious and Unwanted Software, MALWARE 2015

PB - Institute of Electrical and Electronics Engineers Inc.

T2 - 10th International Conference on Malicious and Unwanted Software, MALWARE 2015

Y2 - 20 October 2015 through 22 October 2015

ER -

Canzanese R, Mancoridis S, Kam M. Run-time classification of malicious processes using system call analysis. In 2015 10th International Conference on Malicious and Unwanted Software, MALWARE 2015. Institute of Electrical and Electronics Engineers Inc. 2016. p. 21-28. 7413681. (2015 10th International Conference on Malicious and Unwanted Software, MALWARE 2015). doi: 10.1109/MALWARE.2015.7413681

Run-time classification of malicious processes using system call analysis

Abstract

Publication series

Other

All Science Journal Classification (ASJC) codes

Keywords

Access to Document

Other files and links

Fingerprint

Cite this