Graduate School and Research Center in Digital Sciences

A quantitative study of accuracy in system call-based malware detection

Canali, Davide; Lanzi, Andrea; Balzarotti, Davide; Christoderescu, Mihai; Kruegel, Christopher; Kirda, Engin

ISSTA 2012, International Symposium on Software Testing and Analysis, July 15-20, 2012, Minneapolis, MN, USA

Over the last decade, there has been a significant increase in the number and sophistication of malware-related attacks and infections. Many detection techniques have been proposed to mitigate the malware threat. A running theme among existing detection techniques is the similar promises of high detection rates, in spite of the wildly different models (or specification classes) of malicious activity used. In addition, the lack of a common testing methodology and the limited datasets used in the experiments make difficult to compare these models in order to determine which ones yield the best detection accuracy. In this paper, we present a systematic approach to measure how the choice of behavioral models in uences the quality of a malware detector. We tackle this problem by executing a large number of testing experiments, in which we explored the parameter space of over 200 different models, corresponding to more than 220 million of signatures. Our results suggest that commonly held beliefs about simple models are incorrect in how they relate changes in complexity to changes in detection accuracy. This implies that accuracy is non-linear across the model space, and that analytical reasoning is insufficient for finding an optimal model, and has to be supplemented by testing and empirical measurements.

Document Doi Hal Bibtex

Title:A quantitative study of accuracy in system call-based malware detection
Keywords:Security, evaluation, malware, behavior
Type:Conference
Language:English
City:Minneapolis
Country:UNITED STATES
Date:
Department:Digital Security
Eurecom ref:3741
Copyright: © ACM, 2012. This is the author's version of the work. It is posted here by permission of ACM for your personal use. Not for redistribution. The definitive version was published in ISSTA 2012, International Symposium on Software Testing and Analysis, July 15-20, 2012, Minneapolis, MN, USA http://dx.doi.org/10.1145/2338965.2336768
Bibtex: @inproceedings{EURECOM+3741, doi = {http://dx.doi.org/10.1145/2338965.2336768}, year = {2012}, title = {{A} quantitative study of accuracy in system call-based malware detection}, author = {{C}anali, {D}avide and {L}anzi, {A}ndrea and {B}alzarotti, {D}avide and {C}hristoderescu, {M}ihai and {K}ruegel, {C}hristopher and {K}irda, {E}ngin}, booktitle = {{ISSTA} 2012, {I}nternational {S}ymposium on {S}oftware {T}esting and {A}nalysis, {J}uly 15-20, 2012, {M}inneapolis, {MN}, {USA}}, address = {{M}inneapolis, {UNITED} {STATES}}, month = {07}, url = {http://www.eurecom.fr/publication/3741} }
See also: