Leveraging String Kernels for Malware Detection

Proceedings of the 7th International Conference on Network and System Security

Authors: Jonas Pfoh, Christian Schneider, and Claudia Eckert
Year/month: 2013/6
Booktitle: Proceedings of the 7th International Conference on Network and System Security
Series: Lecture Notes in Computer Science
Publisher: Springer
Fulltext: nss2013.pfohetal.pdf

Abstract

Signature-based malware detection will always be a step behind as novel malware cannot be detected. On the other hand, machine learning-based methods are capable of detecting novel malware but classification is frequently done in an offline or batched manner and is often associated with time overheads that make it impractical. We propose an approach that bridges this gap. This approach makes use of a support vector machine (SVM) to classify system call traces. In contrast to other methods that use system call traces for malware detection, our approach makes use of a string kernel to make better use of the sequential information inherent in a system call trace. By classifying system call traces in small sections and keeping a moving average over the probability estimates produced by the SVM, our approach is capable of detecting malicious behavior online and achieves great accuracy.
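The abstract describes the detection pipeline only in outline: a string kernel over system call traces, classification of the trace in small sections, and a moving average over the per-section probability estimates. The following Python is an added illustration of that pipeline and is not the paper's code. It uses a spectrum (k-gram) string kernel, a sliding window and an exponential moving average; the kernel-centroid scorer stands in for the paper's SVM so that the example runs with the standard library alone, and every trace in it is constructed sample data, not data from the paper.

```python
# Added illustration of the approach sketched in the abstract; not the
# paper's code.  The spectrum (k-gram) string kernel, the sliding window
# and the moving average follow the abstract; KernelCentroidScorer is a
# stand-in for the paper's SVM probability estimates.  All traces below
# are constructed sample data (system-call names only).
import math
from collections import Counter
from typing import List, Optional, Sequence


def spectrum_features(trace: Sequence[str], k: int = 3) -> Counter:
    """Count every contiguous k-gram of system-call names in `trace`."""
    return Counter(tuple(trace[i:i + k]) for i in range(len(trace) - k + 1))


def spectrum_kernel(a: Counter, b: Counter) -> float:
    """Normalised spectrum kernel: cosine similarity of two k-gram count
    vectors (1.0 for identical profiles, 0.0 when no k-gram is shared)."""
    dot = sum(count * b[gram] for gram, count in a.items())
    norm_a = math.sqrt(sum(c * c for c in a.values()))
    norm_b = math.sqrt(sum(c * c for c in b.values()))
    return dot / (norm_a * norm_b) if norm_a and norm_b else 0.0


class KernelCentroidScorer:
    """Stand-in for the SVM: a window's score is its mean kernel similarity
    to the malicious training traces minus its mean similarity to the benign
    ones, squashed to (0, 1) so it reads like a probability of 'malicious'."""

    def __init__(self, benign: List[Sequence[str]],
                 malicious: List[Sequence[str]], k: int = 3):
        self.k = k
        self.benign = [spectrum_features(t, k) for t in benign]
        self.malicious = [spectrum_features(t, k) for t in malicious]

    def score(self, window: Sequence[str]) -> float:
        feats = spectrum_features(window, self.k)
        sim_mal = sum(spectrum_kernel(feats, m) for m in self.malicious) / len(self.malicious)
        sim_ben = sum(spectrum_kernel(feats, b) for b in self.benign) / len(self.benign)
        return 1.0 / (1.0 + math.exp(-8.0 * (sim_mal - sim_ben)))


def averaged_scores(scorer: KernelCentroidScorer, trace: Sequence[str],
                    window: int = 8, step: int = 4, alpha: float = 0.5) -> List[float]:
    """Score each `window`-call section of the trace and return the running
    exponential moving average of those scores, one value per section."""
    averages: List[float] = []
    avg: Optional[float] = None
    for start in range(0, max(1, len(trace) - window + 1), step):
        p = scorer.score(trace[start:start + window])
        avg = p if avg is None else alpha * p + (1.0 - alpha) * avg
        averages.append(avg)
    return averages


def detect_online(scorer: KernelCentroidScorer, trace: Sequence[str],
                  window: int = 8, step: int = 4, alpha: float = 0.5,
                  threshold: float = 0.7) -> Optional[int]:
    """Consume the trace section by section and return the offset (in calls)
    of the first section at which the moving average reaches `threshold`,
    or None if the trace is never flagged.  Stops as soon as it flags, which
    is what makes the decision usable while the process is still running."""
    avg: Optional[float] = None
    for start in range(0, max(1, len(trace) - window + 1), step):
        p = scorer.score(trace[start:start + window])
        avg = p if avg is None else alpha * p + (1.0 - alpha) * avg
        if avg >= threshold:
            return start
    return None


# Constructed sample traces, not data from the paper.
BENIGN_TRACES = [
    ["open", "read", "read", "write", "close", "stat",
     "open", "read", "close", "mmap", "munmap", "exit"],
    ["stat", "open", "read", "read", "write", "close",
     "brk", "mmap", "munmap", "open", "read", "close"],
]
MALICIOUS_TRACES = [
    ["socket", "connect", "send", "recv", "send", "recv",
     "open", "write", "close", "socket", "connect", "send"],
    ["connect", "send", "recv", "send", "recv", "socket",
     "connect", "send", "recv", "unlink", "open", "write"],
]
# A trace that starts like the benign ones and then changes behaviour.
MIXED_TRACE = BENIGN_TRACES[0][:9] + [
    "socket", "connect", "send", "recv", "send", "recv",
    "socket", "connect", "send", "recv", "send"]

if __name__ == "__main__":
    scorer = KernelCentroidScorer(BENIGN_TRACES, MALICIOUS_TRACES)
    print("moving averages:", [round(a, 3) for a in averaged_scores(scorer, MIXED_TRACE)])
    print("flagged at call offset:", detect_online(scorer, MIXED_TRACE))
    print("benign trace flagged at:", detect_online(scorer, BENIGN_TRACES[0]))
```

With these constructed traces the mixed trace is flagged at call offset 12, two sections after its behaviour changes, while the benign trace is never flagged; the moving average is what keeps a single suspicious section from raising an alert on its own, and the window and step sizes, the smoothing factor and the threshold are the knobs that trade detection latency against false positives.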

Bibtex:

@incollection{pfoh2013stringkernels,
  author    = {Jonas Pfoh and Christian Schneider and Claudia Eckert},
  title     = {Leveraging String Kernels for Malware Detection},
  year      = {2013},
  month     = jun,
  booktitle = {Proceedings of the 7th International Conference on Network and System Security},
  publisher = {Springer},
  series    = {Lecture Notes in Computer Science},
  url       = {https://www.sec.in.tum.de/i20/publications/leveraging-string-kernels-for-malware-detection/@@download/file/nss2013.pfohetal.pdf}
}