The algorithm used integer and floating point values, which = Exited, -1 Not Exited and 0 indicates this field had no value. All other data was converted to either integers or floating point, dependent on which was more appropriate, i.e. measurements in seconds and milliseconds. The most successful process parameters which were used by the algorithm were:
• Path – Binary
• Company – Binary
• Description – Binary
• Has Exited – Binary
• Processor Affinity – Binary
• Peak Working Set64 – Integer
• Peak Virtual Memory Size64 – Integer
• Private Memory Size64 – Integer
• Handle Count – Integer
• Virtual Memory Size64 – Integer
• Working Set64 – Integer
• Total Processor Time – Float

V. RESULTS

A. Feature Selection

The features identified as key changed multiple times, each time being refined to increase the accuracy of the classifier,
• PrivateMemorySize64
• Handle
Whilst this led to a different set of features being identified, when used as the basis to re-train the classifier it still resulted in misclassification of benignware processes. Following manual inspection of the script output it was apparent that processes the script considered to be ‘legitimate’ had an extremely high output score, leading to a very high threshold for any process to be considered benignware and resulting in a high number of false positives.

The features identified as being key in the high output for ‘legitimate’ processes were identified as being the Version features (Product and File). These were removed from the combined dataset and training (with feature selection) was re-run. The following features were then identified as key, this being the final feature selection used for the training of the current NODENS system:

Final Set
• ProcessorAffinity
• VirtualMemorySize64
• HandleCount
• HasExited
• Company
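The encoding described above (text fields as binary indicators, Has Exited as 1 / -1 / 0, memory counters as integers, processor time as a float) and the per-feature comparison shown for vlc in Table V can be written down as a small encoder. The code below is an added example written for this page; it is not the NODENS implementation. The raw field names are assumed to mirror the .NET Process property names the feature list uses, the text values in the sample records are constructed, and the numeric values are the vlc rows of Table V. Treating "Binary" for the text fields as a presence indicator (1 = value recorded, 0 = no value) is an assumption consistent with the Table III rows.

```python
from typing import Dict, Optional

# Feature groups as listed in the paper, with the encoding the text describes.
BINARY_FEATURES = ["Path", "Company", "Description", "HasExited", "ProcessorAffinity"]
INTEGER_FEATURES = ["PeakWorkingSet64", "PeakVirtualMemorySize64", "PrivateMemorySize64",
                    "HandleCount", "VirtualMemorySize64", "WorkingSet64"]
FLOAT_FEATURES = ["TotalProcessorTime"]
# Version features the paper removed after they dominated the 'legitimate' scores.
# Raw field names are assumed for this example.
VERSION_FEATURES = ["ProductVersion", "FileVersion"]


def encode_presence(value: object) -> int:
    """Text field -> 1 when a value was recorded, 0 when the field had no value."""
    return 0 if value in (None, "") else 1


def encode_has_exited(value: Optional[bool]) -> int:
    """1 = exited, -1 = not exited, 0 = the field had no value."""
    if value is None:
        return 0
    return 1 if value else -1


def encode_process(raw: Dict[str, object], drop=()) -> Dict[str, float]:
    """Turn one raw process record into the numeric feature vector.

    Missing numeric fields are encoded as 0 (the paper's 'no value' marker).
    Features named in `drop` (e.g. VERSION_FEATURES) are removed, which is the
    step the paper took before re-running feature selection.
    """
    vec: Dict[str, float] = {}
    for name in BINARY_FEATURES:
        if name == "HasExited":
            vec[name] = encode_has_exited(raw.get(name))  # tri-state field
        else:
            vec[name] = encode_presence(raw.get(name))
    for name in INTEGER_FEATURES:
        vec[name] = int(raw.get(name) or 0)
    for name in FLOAT_FEATURES:
        vec[name] = float(raw.get(name) or 0.0)  # seconds, as in Table V
    for name in VERSION_FEATURES:
        vec[name] = encode_presence(raw.get(name))
    for name in drop:
        vec.pop(name, None)
    return vec


def feature_difference(a: Dict[str, float], b: Dict[str, float]) -> Dict[str, float]:
    """Per-feature change b - a between two observations of the same process,
    the comparison Table V makes for vlc (Legitimate minus Both)."""
    return {k: b[k] - a[k] for k in a if k in b}


# Constructed record reproducing the 'bot' row of Table III: only Path and
# ProcessorAffinity carry values, HasExited was not recorded.
BOT_RECORD = {"Path": r"C:\example\bot.exe", "Company": None, "Description": "",
              "HasExited": None, "ProcessorAffinity": 1, "HandleCount": 12}

# Constructed records: text fields are made up, numbers are the vlc rows of Table V.
VLC_BOTH = {
    "Path": r"C:\example\vlc.exe", "Company": "Example Co", "Description": "media player",
    "HasExited": False, "ProcessorAffinity": 0xFF,
    "HandleCount": 323, "PeakWorkingSet64": 19_406_848,
    "PeakVirtualMemorySize64": 117_628_928, "PrivateMemorySize64": 7_737_344,
    "TotalProcessorTime": 0.1602304, "VirtualMemorySize64": 117_616_640,
    "WorkingSet64": 19_394_560, "ProductVersion": "1.0", "FileVersion": "1.0",
}
VLC_LEGIT = dict(VLC_BOTH, HandleCount=324, PeakWorkingSet64=19_312_640,
                 PeakVirtualMemorySize64=117_022_720, PrivateMemorySize64=7_684_096,
                 TotalProcessorTime=0.1802592, VirtualMemorySize64=117_010_432,
                 WorkingSet64=19_308_544)

if __name__ == "__main__":
    print("bot (Table III style):", [encode_process(BOT_RECORD)[n] for n in BINARY_FEATURES])
    both = encode_process(VLC_BOTH, drop=VERSION_FEATURES)
    legit = encode_process(VLC_LEGIT, drop=VERSION_FEATURES)
    for name, delta in feature_difference(both, legit).items():
        print(f"{name:<24} {delta:+,}")
```

Run on the two vlc rows, the difference function reproduces the handle-count and memory deltas of Table V (+1, -94,208, -606,208, -53,248, -606,208, -86,016) and gives 0.0200288 for Total Processor Time; the `bot` record encodes to the [1, 0, 0, 0, 1] pattern shown in Table III.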
Process           | Classification | Total (scheme 1) | Total (scheme 2)
Firefox           | Malware        | 7,638            | 64,547,168
Python            | Malware        | 2,182            | 27,109,170
exe1              | Malware        | 1,888            | 2,514,799,716
Internet Explorer | Legitimate     | 800,760,001,869  | 80,100,000,000,000,000,000,000
TABLE I
CAPTION
Malware Process Name    | Path | Company | Description | Has Exited | Processor Affinity
bot                     | 1    | 0       | 0           | 0          | 1
p.tmp                   | 1    | 0       | 1           | -1         | 1
DUCUMENT-3839274322-pdf | 1    | 1       | 0           | 1          | 1
re1608                  | 1    | 1       | 1           | -1         | 1
TABLE III
CAPTION
Classification | Process | Handle Count | Peak Working Set64 | Peak Virtual Memory Size64 | Private Memory Size64 | Total Processor Time | Virtual Memory Size64 | Working Set64 | Total output score
Malware        | vlc     | 51           | 5,328,896          | 56,504,320                 | 2,191,360             | 0.1602304            | 56,504,320            | 5,328,896     | 125,857,846
Both           | vlc     | 323          | 19,406,848         | 117,628,928                | 7,737,344             | 0.1602304            | 117,616,640           | 19,394,560    | 281,784,646
Legitimate     | vlc     | 324          | 19,312,640         | 117,022,720                | 7,684,096             | 0.1802592            | 117,010,432           | 19,308,544    | 280,338,759
Difference     |         | +1           | -94,208            | -606,208                   | -53,248               | +0.200288            | -606,208              | -86,016       | -1,445,887
TABLE V
CAPTION
[Figure: flowchart with the elements Processing, RF Classifier, Known, Unknown, Process Killed, Process Signature Saved, Refitting]
Fig. 1. Title