Location
Hilton Hawaiian Village, Honolulu, Hawaii
Event Website
https://hicss.hawaii.edu/
Start Date
3-1-2024 12:00 AM
End Date
6-1-2024 12:00 AM
Description
Behavioral malware detection is an effective way to detect ever-changing malware. Often, kernel-level system calls are collected on-device and then processed and fed to machine learning models. In this work, we show that using simple natural language processing (NLP) techniques on system calls, such as a bag-of-n-grams model, coupled with shallow machine learning classifiers, is not as useful for stealthier malware. In contrast, training a Word2Vec-like model, which we call sys2vec, on the system call traces and feeding the resulting embeddings to a language model classifier provides consistently better results. We evaluate and compare the two classifiers using Area Under the Receiver Operating Characteristic Curve (AUC) and the True Positive Rate (TPR) at an acceptable False Positive Rate (FPR). We then discuss how this work can be further expanded in the language model space going forward.
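The abstract names a bag-of-n-grams baseline, a shallow classifier, and two metrics (AUC and TPR at a fixed FPR). The following added example is not code from the paper: it builds bigram count vectors over constructed system-call traces, scores them with a simple add-one-smoothed log-odds scorer standing in for the shallow classifiers the abstract refers to, and computes both metrics from scratch. The last test trace is constructed to be "stealthy" in the sense the abstract describes: mostly benign file I/O with a single network call whose bigrams never occurred in training, so the bag-of-n-grams scorer ranks it below genuine benign traces. The sys2vec embedding model itself is not reproduced here.

```python
"""Bag-of-n-grams features over system-call traces, a shallow log-odds scorer,
and the two metrics from the abstract (ROC AUC, TPR at a fixed FPR).
All traces below are constructed for illustration, not real telemetry."""
import math
from collections import Counter


def ngrams(trace, n=2):
    """Consecutive n-tuples of syscall names from one trace."""
    return [tuple(trace[i:i + n]) for i in range(len(trace) - n + 1)]


def build_vocab(traces, n=2):
    """Map every n-gram seen in the training traces to a column index."""
    vocab = {}
    for trace in traces:
        for gram in ngrams(trace, n):
            vocab.setdefault(gram, len(vocab))
    return vocab


def featurize(trace, vocab, n=2):
    """Bag-of-n-grams count vector; n-grams absent from the vocabulary are dropped."""
    vec = [0] * len(vocab)
    for gram in ngrams(trace, n):
        idx = vocab.get(gram)
        if idx is not None:
            vec[idx] += 1
    return vec


class LogOddsScorer:
    """Shallow classifier: per-n-gram log odds (add-one smoothing) summed over a trace.
    A naive-Bayes-style stand-in for the shallow models the abstract mentions."""

    def fit(self, traces, labels, n=2):
        self.n = n
        self.vocab = build_vocab(traces, n)
        mal, ben = Counter(), Counter()
        for trace, label in zip(traces, labels):
            (mal if label == 1 else ben).update(ngrams(trace, n))
        self.w = [0.0] * len(self.vocab)
        for gram, idx in self.vocab.items():
            self.w[idx] = math.log((mal[gram] + 1) / (ben[gram] + 1))
        return self

    def score(self, trace):
        """Higher means more malicious-looking. Unseen n-grams contribute nothing,
        so a trace padded with benign-looking calls scores like a benign one."""
        counts = featurize(trace, self.vocab, self.n)
        return sum(c * w for c, w in zip(counts, self.w))


def roc_auc(scores, labels):
    """Rank-based AUC: P(random malicious score > random benign score); ties count 1/2."""
    pos = [s for s, l in zip(scores, labels) if l == 1]
    neg = [s for s, l in zip(scores, labels) if l == 0]
    wins = sum(1.0 if p > q else 0.5 if p == q else 0.0 for p in pos for q in neg)
    return wins / (len(pos) * len(neg))


def tpr_at_fpr(scores, labels, max_fpr):
    """Best TPR over all thresholds whose FPR does not exceed max_fpr (0.0 if none)."""
    pos = [s for s, l in zip(scores, labels) if l == 1]
    neg = [s for s, l in zip(scores, labels) if l == 0]
    best = 0.0
    for thr in set(scores):
        fpr = sum(s >= thr for s in neg) / len(neg)
        tpr = sum(s >= thr for s in pos) / len(pos)
        if fpr <= max_fpr:
            best = max(best, tpr)
    return best


# Constructed training traces (label 1 = malicious, 0 = benign).
TRAIN = [
    (["openat", "read", "read", "close"], 0),
    (["openat", "read", "write", "close"], 0),
    (["stat", "openat", "read", "close"], 0),
    (["socket", "connect", "sendto", "recvfrom", "close"], 1),
    (["openat", "read", "socket", "connect", "sendto"], 1),
    (["socket", "connect", "recvfrom", "sendto", "close"], 1),
]
# Constructed test traces; the last is "stealthy": benign file I/O plus one
# network call whose bigrams (close,connect) never appeared in training.
TEST = [
    (["openat", "read", "write", "close"], 0),
    (["stat", "openat", "read", "read", "close"], 0),
    (["socket", "connect", "sendto", "close"], 1),
    (["stat", "openat", "read", "read", "write", "close", "connect"], 1),
]


def evaluate(train=TRAIN, test=TEST, max_fpr=0.0):
    """Fit on train, score test, return (scores, auc, tpr at max_fpr)."""
    clf = LogOddsScorer().fit([t for t, _ in train], [y for _, y in train])
    scores = [clf.score(t) for t, _ in test]
    labels = [y for _, y in test]
    return scores, roc_auc(scores, labels), tpr_at_fpr(scores, labels, max_fpr)


if __name__ == "__main__":
    scores, auc, tpr = evaluate()
    for (trace, y), s in zip(TEST, scores):
        print(f"label={y} score={s:+.3f} {' '.join(trace)}")
    print(f"AUC={auc:.2f} TPR@FPR<=0.0={tpr:.2f}")
```

On this constructed data the obviously malicious trace is separated cleanly, but the stealthy one scores lower than both benign traces, which drives AUC down to 0.5 and caps TPR at 0.5 for an FPR of zero. That is the failure mode the abstract attributes to n-gram features: a trace that reuses benign call sequences contributes only benign-weighted n-grams, and the novel transition is simply dropped from the vocabulary. Reporting TPR at a bounded FPR, rather than AUC alone, is what exposes this on a real deployment budget.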
Recommended Citation
Carter, John; Mancoridis, Spiros; Protopapas, Pavlos; and Galinkin, Erick, "Behavioral Malware Detection using a Language Model Classifier Trained on sys2vec Embeddings" (2024). Hawaii International Conference on System Sciences 2024 (HICSS-57). 3.
https://aisel.aisnet.org/hicss-57/st/threat_hunting/3
Title
Behavioral Malware Detection using a Language Model Classifier Trained on sys2vec Embeddings