
A Supervised Topic Transition Model for Detecting Malicious System Call Sequences

We propose a probabilistic model for behavior-based malware detection that jointly models sequential data and class labels. Given labeled sequences (harmless/malicious), our goal is to reveal behavior patterns and exploit them to predict class labels of unknown sequences. The proposed model is a novel extension of supervised latent Dirichlet allocation with an estimation algorithm that alternates between Gibbs sampling and gradient descent. Experiments on a real-world data set show that our model can learn meaningful patterns and provides competitive performance on the malware detection task. Moreover, we parallelize the training algorithm and demonstrate scalability with varying numbers of processors.


KDD Workshop on Knowledge Discovery, Modeling, and Simulation

Authors: Thomas Stibor and Han Xiao
Year/month: 2011/8
Booktitle: KDD Workshop on Knowledge Discovery, Modeling, and Simulation
Address: San Diego
Publisher: ACM Press
Note: Best student paper award
Fulltext: xiaostiborkddws2011.pdf

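The abstract only gives the shape of the model: a supervised topic model over labeled system-call sequences, estimated by alternating Gibbs sampling with gradient descent. The following is an added example (my own code, not the paper's model or the authors' implementation) of a simplified supervised-LDA-style classifier that shows that shape in working form. Everything beyond the abstract is an assumption: each "word" is a syscall-to-syscall transition (bigram), topics are drawn with a collapsed Gibbs sampler whose draws are weighted by a logistic-regression term on the document's mean topic vector, and that regression is refitted by gradient descent after every sweep. The syscall sets, traces and hyperparameters are constructed for the demo; the paper's actual transition structure and estimator are in the linked PDF.

```python
# Added illustration of a supervised topic model over syscall transitions.
# Not the paper's model: tokenisation, sampler, and label coupling are assumptions.
import math
import random

# Constructed toy syscall sets; the classes overlap on open/read on purpose.
BENIGN_CALLS = ["open", "read", "write", "close", "stat", "mmap"]
MALICIOUS_CALLS = ["open", "read", "socket", "connect", "send", "fork", "execve", "ptrace"]


def transitions(seq):
    """Turn a syscall sequence into the transition tokens it contains."""
    return [f"{a}>{b}" for a, b in zip(seq, seq[1:])]


def sigmoid(x):
    return 1.0 / (1.0 + math.exp(-x))


class SupervisedTopicModel:
    def __init__(self, n_topics=2, alpha=1.0, beta=0.1, lr=0.5, seed=0):
        self.K, self.alpha, self.beta, self.lr = n_topics, alpha, beta, lr
        self.rng = random.Random(seed)

    def _draw(self, weights):
        """Sample an index proportionally to unnormalised weights."""
        r, acc = self.rng.random() * sum(weights), 0.0
        for k, w in enumerate(weights):
            acc += w
            if r < acc:
                return k
        return len(weights) - 1

    def _p_label(self, zbar, y):
        """Likelihood of label y under the logistic regression on topic vector zbar."""
        p = sigmoid(self.bias + sum(e * z for e, z in zip(self.eta, zbar)))
        return p if y == 1 else 1.0 - p

    def fit(self, sequences, labels, sweeps=40, gd_steps=20):
        K, a, b = self.K, self.alpha, self.beta
        if any(len(s) < 2 for s in sequences):
            raise ValueError("a sequence needs at least two syscalls to form a transition")
        self.vocab = {}
        docs = [[self.vocab.setdefault(t, len(self.vocab)) for t in transitions(s)]
                for s in sequences]
        V, D = len(self.vocab), len(docs)
        n_dk = [[0] * K for _ in range(D)]   # topic counts per document
        n_kw = [[0] * V for _ in range(K)]   # token counts per topic
        n_k = [0] * K                        # tokens per topic
        z = [[self.rng.randrange(K) for _ in doc] for doc in docs]
        for d, doc in enumerate(docs):
            for i, w in enumerate(doc):
                n_dk[d][z[d][i]] += 1; n_kw[z[d][i]][w] += 1; n_k[z[d][i]] += 1
        self.eta, self.bias = [0.0] * K, 0.0
        for _ in range(sweeps):
            # Gibbs sweep: the usual collapsed-LDA term (counts without this token)
            # times how well the document's topic vector would explain its label.
            for d, doc in enumerate(docs):
                N = len(doc)
                for i, w in enumerate(doc):
                    k = z[d][i]
                    n_dk[d][k] -= 1; n_kw[k][w] -= 1; n_k[k] -= 1
                    weights = []
                    for j in range(K):
                        lda = (n_dk[d][j] + a) * (n_kw[j][w] + b) / (n_k[j] + V * b)
                        zbar = [(n_dk[d][t] + (1 if t == j else 0)) / N for t in range(K)]
                        weights.append(lda * self._p_label(zbar, labels[d]))
                    k = self._draw(weights)
                    z[d][i] = k
                    n_dk[d][k] += 1; n_kw[k][w] += 1; n_k[k] += 1
            # Gradient-descent step: refit eta/bias on the current topic vectors.
            feats = [[n_dk[d][t] / len(docs[d]) for t in range(K)] for d in range(D)]
            for _ in range(gd_steps):
                g_eta, g_b = [0.0] * K, 0.0
                for x, y in zip(feats, labels):
                    err = sigmoid(self.bias + sum(e * v for e, v in zip(self.eta, x))) - y
                    g_b += err
                    for t in range(K):
                        g_eta[t] += err * x[t]
                self.bias -= self.lr * g_b / D
                self.eta = [e - self.lr * g / D for e, g in zip(self.eta, g_eta)]
        # Topic-token distributions, kept for folding in unseen sequences.
        self.phi = [[(n_kw[k][w] + b) / (n_k[k] + V * b) for w in range(V)] for k in range(K)]
        return self

    def topic_mix(self, seq, sweeps=20):
        """Mean topic vector of an unseen sequence (fold-in sampling, phi fixed).
        Unseen transitions are dropped; with none known, the mix is uniform."""
        doc = [self.vocab[t] for t in transitions(seq) if t in self.vocab]
        if not doc:
            return [1.0 / self.K] * self.K
        K, a = self.K, self.alpha
        z = [self.rng.randrange(K) for _ in doc]
        n_dk = [0] * K
        for k in z:
            n_dk[k] += 1
        for _ in range(sweeps):
            for i, w in enumerate(doc):
                n_dk[z[i]] -= 1
                z[i] = self._draw([(n_dk[k] + a) * self.phi[k][w] for k in range(K)])
                n_dk[z[i]] += 1
        return [c / len(doc) for c in n_dk]

    def predict_proba(self, seq):
        zbar = self.topic_mix(seq)
        return sigmoid(self.bias + sum(e * z for e, z in zip(self.eta, zbar)))

    def predict(self, seq):
        return 1 if self.predict_proba(seq) >= 0.5 else 0


def make_dataset(n_per_class=30, length=16, seed=1):
    """Constructed traces: label 0 benign, label 1 malicious."""
    rng = random.Random(seed)
    seqs, labels = [], []
    for y, calls in ((0, BENIGN_CALLS), (1, MALICIOUS_CALLS)):
        for _ in range(n_per_class):
            seqs.append([rng.choice(calls) for _ in range(length)])
            labels.append(y)
    return seqs, labels


def accuracy(model, seqs, labels):
    return sum(model.predict(s) == y for s, y in zip(seqs, labels)) / len(seqs)


if __name__ == "__main__":
    seqs, labels = make_dataset()
    model = SupervisedTopicModel(n_topics=2).fit(seqs, labels)
    print("eta:", model.eta, "bias:", model.bias)
    print("training accuracy:", accuracy(model, seqs, labels))
    print("unseen trace:", model.predict_proba(["open", "socket", "connect", "send", "execve"]))
```

Two practical caveats the toy makes visible. First, because the label term multiplies the sampler weights, the topics are pulled towards whatever separates the classes, so a topic is a class-discriminative cluster of transitions rather than a neutral summary of behaviour; inspect `phi` before reading topics as "patterns". Second, `topic_mix` silently drops transitions absent from the training vocabulary, so a trace built from syscalls never seen in training receives the uninformative uniform mix and is classified by the bias alone; a deployment would want an explicit unknown-token bucket and a reject option rather than a confident label on out-of-vocabulary behaviour.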

Bibtex:

@incollection { hanxiao2011-malware,
author = { Thomas Stibor and Han Xiao},
title = { A Supervised Topic Transition Model for Detecting Malicious System Call Sequences },
year = { 2011 },
month = { 8 },
booktitle = { KDD Workshop on Knowledge Discovery, Modeling, and Simulation },
publisher = { ACM Press },
address = { San Diego },
note = { Best student paper award },
url = {https://www.sec.in.tum.de/i20/publications/a-supervised-topic-transition-model-for-detecting-malicious-system-call-sequences/@@download/file/xiaostiborkddws2011.pdf}
}