Stochastic identification of malware with dynamic traces
Authors
Storlie, Curtis
Anderson, Blake
Vander Wiel, Scott
Quist, Daniel
Hash, Curtis
Brown, Nathan
Subjects
Malware detection
classification
elastic net
Relaxed Lasso
Adaptive Lasso
logistic regression
splines
empirical Bayes
Date of Issue
2014
Abstract
A novel approach to malware classification is introduced based on analysis of instruction traces that are collected dynamically from the program in question. The method has been implemented online in a sandbox environment (i.e., a security mechanism for separating running programs) at Los Alamos National Laboratory, and is intended for eventual host-based use, provided the issue of sampling the instructions executed by a given process without disruption to the user can be satisfactorily addressed. The procedure represents an instruction trace with a Markov chain structure in which the transition matrix, P, has rows modeled as Dirichlet vectors. The malware class (malicious or benign) is modeled using a flexible spline logistic regression model with variable selection on the elements of P, which are observed with error. The utility of the method is illustrated on a sample of traces from malware and nonmalware programs, and the results are compared to other leading detection schemes (both signature and classification based). This article also has supplementary materials available online.
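The trace representation described in the abstract (a Markov chain whose transition matrix P has Dirichlet-modeled rows, with the elements of P then used as predictors that are observed with error) can be illustrated with a small added example. This is illustrative code written for this record, not code from the paper or from the Los Alamos sandbox; the instruction alphabet, the sample trace and the symmetric Dirichlet(alpha) prior are all assumptions made here.

```python
from collections import defaultdict
from math import sqrt

# Constructed sample: a short dynamic instruction trace (opcode mnemonics only)
# and the instruction alphabet the chain is restricted to. Both are made up for
# this illustration; real traces are far longer and use a much larger alphabet.
ALPHABET = ["mov", "call", "jmp", "ret"]
SAMPLE_TRACE = ["mov", "call", "mov", "jmp", "mov", "call"]


def transition_counts(trace):
    """Count a->b transitions between consecutive instructions in a trace."""
    counts = defaultdict(lambda: defaultdict(int))
    for a, b in zip(trace, trace[1:]):
        counts[a][b] += 1
    return counts


def dirichlet_row(row_counts, alphabet, alpha=1.0):
    """Posterior mean and standard error of one row of P under an assumed
    symmetric Dirichlet(alpha) prior. The row is estimated as
    (n_ab + alpha) / (n_a + K*alpha); the standard error of each element is
    what makes the elements of P predictors that are 'observed with error'."""
    post = {b: row_counts.get(b, 0) + alpha for b in alphabet}
    total = sum(post.values())
    mean = {b: a_b / total for b, a_b in post.items()}
    stderr = {b: sqrt(a_b * (total - a_b) / (total ** 2 * (total + 1)))
              for b, a_b in post.items()}
    return mean, stderr


def transition_matrix(trace, alphabet, alpha=1.0):
    """Estimate P (and per-element standard errors) for a whole trace.
    An instruction in the alphabet that never occurs in the trace gets a
    uniform row, which the Dirichlet prior provides without special-casing."""
    counts = transition_counts(trace)
    P, SE = {}, {}
    for a in alphabet:
        P[a], SE[a] = dirichlet_row(counts.get(a, {}), alphabet, alpha)
    return P, SE


def feature_vector(P, alphabet):
    """Flatten P row-major into the K*K predictors a classifier would take."""
    return [P[a][b] for a in alphabet for b in alphabet]


if __name__ == "__main__":
    P, SE = transition_matrix(SAMPLE_TRACE, ALPHABET)
    for a in ALPHABET:
        print(a, {b: round(P[a][b], 3) for b in ALPHABET})
    print("predictors per trace:", len(feature_vector(P, ALPHABET)))
```

Rows of P sum to one by construction, and the unseen "ret" row is uniform; the standard errors shrink as a trace contributes more transitions from a given instruction.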
Type
Article
Description
The article of record as published may be located at http://dx.doi.org/10.1214/13-AOAS703
Citation
This is an electronic reprint of the original article published by the Institute of Mathematical Statistics in The Annals of Applied Statistics, 2014, Vol. 8, No. 1, 1–18. This reprint differs from the original in pagination and typographic detail.
Rights
This publication is a work of the U.S. Government as defined in Title 17, United States Code, Section 101. Copyright protection is not available for this work in the United States.