TY - GEN
T1 - Probabilistic inference on integrity for access behavior based malware detection
AU - Mao, Weixuan
AU - Cai, Zhongmin
AU - Towsley, Don
AU - Guan, Xiaohong
N1 - Publisher Copyright:
© Springer International Publishing Switzerland 2015.
PY - 2015
Y1 - 2015
N2 - Integrity protection has proven an effective way of malware detection and defense. Determining the integrity of subjects (programs) and objects (files and registries) plays a fundamental role in integrity protection. However, the large numbers of subjects and objects, and their intricate behaviors, place burdens on revealing their integrities either manually or by a set of rules. In this paper, we propose a probabilistic model of integrity in modern operating systems. Our model builds on two primary security policies, “no read down” and “no write up”, which make connections between observed access behaviors and the inherent integrity ordering between pairs of subjects and objects. We employ a message-passing-based inference to determine the integrity of subjects and objects under a probabilistic graphical model. Furthermore, by leveraging a statistical classifier, we build an integrity-based access behavior model for malware detection. Extensive experimental results on a real-world dataset demonstrate that our model is capable of detecting 7,257 malware samples from 27,840 benign processes at 99.88% true positive rate under 0.1% false positive rate. These results indicate the feasibility of our probabilistic integrity model.
AB - Integrity protection has proven an effective way of malware detection and defense. Determining the integrity of subjects (programs) and objects (files and registries) plays a fundamental role in integrity protection. However, the large numbers of subjects and objects, and their intricate behaviors, place burdens on revealing their integrities either manually or by a set of rules. In this paper, we propose a probabilistic model of integrity in modern operating systems. Our model builds on two primary security policies, “no read down” and “no write up”, which make connections between observed access behaviors and the inherent integrity ordering between pairs of subjects and objects. We employ a message-passing-based inference to determine the integrity of subjects and objects under a probabilistic graphical model. Furthermore, by leveraging a statistical classifier, we build an integrity-based access behavior model for malware detection. Extensive experimental results on a real-world dataset demonstrate that our model is capable of detecting 7,257 malware samples from 27,840 benign processes at 99.88% true positive rate under 0.1% false positive rate. These results indicate the feasibility of our probabilistic integrity model.
KW - Integrity protection
KW - Malware
KW - Probabilistic graphical model
UR - https://www.scopus.com/pages/publications/84950318484
U2 - 10.1007/978-3-319-26362-5_8
DO - 10.1007/978-3-319-26362-5_8
M3 - Conference contribution
AN - SCOPUS:84950318484
SN - 9783319263618
T3 - Lecture Notes in Computer Science
SP - 155
EP - 176
BT - Research in Attacks, Intrusions, and Defenses - 18th International Symposium, RAID 2015, Proceedings
A2 - Bos, Herbert
A2 - Monrose, Fabian
A2 - Blanc, Gregory
PB - Springer Verlag
T2 - 18th International Symposium on Research in Attacks, Intrusions, and Defenses, RAID 2015
Y2 - 2 November 2015 through 4 November 2015
ER -