Ecole d'ingénieur et centre de recherche en Sciences du numérique

A quantitative study of accuracy in system call-based malware detection

Canali, Davide; Lanzi, Andrea; Balzarotti, Davide; Christoderescu, Mihai; Kruegel, Christopher; Kirda, Engin

ISSTA 2012, International Symposium on Software Testing and Analysis, July 15-20, 2012, Minneapolis, MN, USA

Over the last decade, there has been a significant increase in the number and sophistication of malware-related attacks and infections. Many detection techniques have been proposed to mitigate the malware threat. A running theme among existing detection techniques is the similar promises of high detection rates, in spite of the wildly different models (or specification classes) of malicious activity used. In addition, the lack of a common testing methodology and the limited datasets used in the experiments make difficult to compare these models in order to determine which ones yield the best detection accuracy. In this paper, we present a systematic approach to measure how the choice of behavioral models in uences the quality of a malware detector. We tackle this problem by executing a large number of testing experiments, in which we explored the parameter space of over 200 different models, corresponding to more than 220 million of signatures. Our results suggest that commonly held beliefs about simple models are incorrect in how they relate changes in complexity to changes in detection accuracy. This implies that accuracy is non-linear across the model space, and that analytical reasoning is insufficient for finding an optimal model, and has to be supplemented by testing and empirical measurements.

Document Doi Hal Bibtex

Titre:A quantitative study of accuracy in system call-based malware detection
Mots Clés:Security, evaluation, malware, behavior
Type:Conférence
Langue:English
Ville:Minneapolis
Pays:ÉTATS-UNIS
Date:
Département:Sécurité numérique
Eurecom ref:3741
Copyright: © ACM, 2012. This is the author's version of the work. It is posted here by permission of ACM for your personal use. Not for redistribution. The definitive version was published in ISSTA 2012, International Symposium on Software Testing and Analysis, July 15-20, 2012, Minneapolis, MN, USA http://dx.doi.org/10.1145/2338965.2336768
Bibtex: @inproceedings{EURECOM+3741, doi = {http://dx.doi.org/10.1145/2338965.2336768}, year = {2012}, title = {{A} quantitative study of accuracy in system call-based malware detection}, author = {{C}anali, {D}avide and {L}anzi, {A}ndrea and {B}alzarotti, {D}avide and {C}hristoderescu, {M}ihai and {K}ruegel, {C}hristopher and {K}irda, {E}ngin}, booktitle = {{ISSTA} 2012, {I}nternational {S}ymposium on {S}oftware {T}esting and {A}nalysis, {J}uly 15-20, 2012, {M}inneapolis, {MN}, {USA}}, address = {{M}inneapolis, {\'{E}}{TATS}-{UNIS}}, month = {07}, url = {http://www.eurecom.fr/publication/3741} }
Voir aussi: