A Supervised Topic Transition Model for Detecting Malicious System Call Sequences
We propose a probabilistic model for behavior-based malware detection that jointly models sequential data and class labels. Given labeled sequences (harmless/malicious), our goal is to reveal behavior patterns and exploit them to predict class labels of unknown sequences. The proposed model is a novel extension of supervised latent Dirichlet allocation with an estimation algorithm that alternates between Gibbs sampling and gradient descent. Experiments on a real-world data set show that our model can learn meaningful patterns and provides competitive performance on the malware detection task. Moreover, we parallelize the training algorithm and demonstrate scalability with varying numbers of processors.
KDD Workshop on Knowledge Discovery, Modeling, and Simulation
Authors: Thomas Stibor and Han Xiao
Year/month: 2011/8
Booktitle: KDD Workshop on Knowledge Discovery, Modeling, and Simulation
Address: San Diego
Publisher: ACM Press
Note: Best student paper award
Fulltext: xiaostiborkddws2011.pdf
Bibtex:
@incollection{hanxiao2011-malware,
  author    = {Thomas Stibor and Han Xiao},
  title     = {A Supervised Topic Transition Model for Detecting Malicious System Call Sequences},
  year      = {2011},
  month     = {8},
  booktitle = {KDD Workshop on Knowledge Discovery, Modeling, and Simulation},
  publisher = {ACM Press},
  address   = {San Diego},
  note      = {Best student paper award},
  url       = {https://www.sec.in.tum.de/i20/publications/a-supervised-topic-transition-model-for-detecting-malicious-system-call-sequences/@@download/file/xiaostiborkddws2011.pdf}
}
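The abstract describes an estimator that alternates Gibbs sampling over latent behavior topics with gradient descent on a supervised response. The following is an added example of that alternation in miniature; it is not the paper's code and not its model. It fits a plain sLDA-style detector: collapsed Gibbs sampling assigns each system-call token to one of K topics, a logistic response on the per-trace topic proportions is refitted by gradient descent between sweeps, and the current response weights feed back into the sampler as a label-likelihood factor. The paper's topic *transition* (sequential) structure is left out, the traces are constructed by hand, one token per syscall name is an assumed tokenization, and the class name `SupervisedTopicDetector` and the choice to score a trace of only unseen syscalls as 0.5 are this example's own.

```python
"""Supervised topic model over syscall traces, in miniature (added example, not the paper's code).
Collapsed Gibbs gives each syscall token a latent behaviour topic; between sweeps, a logistic
response on per-trace topic proportions is refitted by gradient descent and fed back into the
sampler as a label likelihood (sLDA-style). The paper's topic-transition structure is omitted."""
import math
import random

# Constructed traces, one token per syscall name (an assumption of this toy).
BENIGN = ["open read read close open read write close", "open read write close stat open read close",
          "stat open read read close write", "open read read read close"]
MALICIOUS = ["socket connect send recv fork execve", "fork execve socket connect send",
             "socket connect recv fork execve", "ptrace fork execve socket send"]

def sigmoid(x):
    return 1.0 / (1.0 + math.exp(-x))

def dot(a, b):
    return sum(x * y for x, y in zip(a, b))

class SupervisedTopicDetector:
    def __init__(self, k=2, alpha=0.5, beta=0.1, seed=7):
        self.k, self.alpha, self.beta = k, alpha, beta
        self.rng = random.Random(seed)
        self.eta, self.bias = [0.0] * k, 0.0  # logistic response over topic proportions

    def _sample(self, weights):
        r, acc = self.rng.random() * sum(weights), 0.0
        for j, w in enumerate(weights):
            acc += w
            if r < acc:
                return j
        return len(weights) - 1

    def _label_factor(self, n_d, j, y):
        # p(y | proportions of this trace once the current token is placed in topic j)
        total = sum(n_d) + 1
        p = sigmoid(dot(self.eta, [(c + (t == j)) / total for t, c in enumerate(n_d)]) + self.bias)
        return p if y == 1 else 1.0 - p

    def fit(self, traces, labels, rounds=20, sweeps=10, steps=50, lr=0.5):
        docs = [t.split() for t in traces]
        self.vocab = sorted({w for d in docs for w in d})
        idx = {w: i for i, w in enumerate(self.vocab)}
        V, k = len(self.vocab), self.k
        z = [[self.rng.randrange(k) for _ in d] for d in docs]
        n_dk = [[row.count(j) for j in range(k)] for row in z]  # topic counts per trace
        n_kw = [[0] * V for _ in range(k)]                       # syscall counts per topic
        for d, doc in enumerate(docs):
            for i, w in enumerate(doc):
                n_kw[z[d][i]][idx[w]] += 1
        n_k = [sum(row) for row in n_kw]
        for _ in range(rounds):
            for _ in range(sweeps):  # Gibbs: collapsed LDA conditional times label likelihood
                for d, doc in enumerate(docs):
                    for i, w in enumerate(doc):
                        t, wi = z[d][i], idx[w]
                        n_dk[d][t] -= 1
                        n_kw[t][wi] -= 1
                        n_k[t] -= 1
                        p = [(n_dk[d][j] + self.alpha) * (n_kw[j][wi] + self.beta) / (n_k[j] + V * self.beta)
                             * self._label_factor(n_dk[d], j, labels[d]) for j in range(k)]
                        t = z[d][i] = self._sample(p)
                        n_dk[d][t] += 1
                        n_kw[t][wi] += 1
                        n_k[t] += 1
            zbars = [[c / len(doc) for c in n_dk[d]] for d, doc in enumerate(docs)]
            for _ in range(steps):  # gradient descent on the logistic response, topics held fixed
                g_eta, g_b = [0.0] * k, 0.0
                for x, y in zip(zbars, labels):
                    err = sigmoid(dot(self.eta, x) + self.bias) - y
                    g_eta = [g + err * xj for g, xj in zip(g_eta, x)]
                    g_b += err
                self.eta = [e - lr * g / len(docs) for e, g in zip(self.eta, g_eta)]
                self.bias -= lr * g_b / len(docs)
        self.phi = [[(n_kw[j][w] + self.beta) / (n_k[j] + V * self.beta) for w in range(V)] for j in range(k)]
        return self

    def topic_words(self, j, top=4):
        # most probable syscalls of topic j: the learned behaviour pattern
        return [self.vocab[w] for w in sorted(range(len(self.vocab)), key=lambda w: -self.phi[j][w])[:top]]

    def score(self, trace, sweeps=50):
        # fold a new trace in with phi held fixed and return P(malicious)
        idx = {w: i for i, w in enumerate(self.vocab)}
        doc = [idx[w] for w in trace.split() if w in idx]  # unseen syscalls carry no evidence (assumption)
        if not doc:
            return 0.5
        z = [self.rng.randrange(self.k) for _ in doc]
        n = [z.count(j) for j in range(self.k)]
        for _ in range(sweeps):
            for i, wi in enumerate(doc):
                n[z[i]] -= 1
                z[i] = self._sample([(n[j] + self.alpha) * self.phi[j][wi] for j in range(self.k)])
                n[z[i]] += 1
        return sigmoid(dot(self.eta, [c / len(doc) for c in n]) + self.bias)

if __name__ == "__main__":
    det = SupervisedTopicDetector().fit(BENIGN + MALICIOUS, [0] * len(BENIGN) + [1] * len(MALICIOUS))
    print("topics:", [det.topic_words(j) for j in range(det.k)])
    print("P(malicious):", det.score("open read write close"), det.score("socket connect fork execve"))
```

`topic_words` is the part worth inspecting: with two topics over these disjoint vocabularies the sampler should settle on one file-access pattern and one network-then-exec pattern, which is what "learning meaningful patterns" means here. Because the sampler is stochastic, a real evaluation would hold out a validation set and check scores across several seeds rather than trusting one run, and a trace made only of syscalls never seen in training is deliberately scored as uninformative rather than benign.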