onvast.blogg.se

Malware used runonly avoid detection five
Dynamic malware analysis is fast gaining popularity over static analysis since it is not easily defeated by evasion tactics such as obfuscation and polymorphism. During dynamic analysis it is common practice to capture the system calls that are made to better understand the behaviour of malware. There are several techniques to capture system calls, the most popular of which is a user-level hook. To study the effects of collecting system calls at different privilege levels and viewpoints, we collected data at a process-specific user-level using a virtualised sandbox environment and a system-wide kernel-level using a custom-built kernel driver. We then tested the performance of several state-of-the-art machine learning classifiers on the data.

Random Forest was the best performing classifier with an accuracy of 95.2% for the kernel driver and 94.0% at a user-level. The combination of user and kernel level data gave the best classification results with an accuracy of 96.0% for Random Forest. This may seem intuitive but was hitherto not empirically demonstrated. Additionally, we observed that machine learning algorithms trained on data from the user-level tended to use the anti-debug/anti-VM features in malware to distinguish it from benignware.
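The two collection viewpoints described above, as an added example that is not code from the study: a Python feature extractor that parses a constructed process-specific user-level trace and a constructed system-wide kernel-level trace, reduces the kernel trace to the sample's process tree by PID, turns each view into a call-frequency vector and concatenates them into the combined user-plus-kernel representation. The trace line format, the API and syscall vocabularies, the PIDs and the sample lines are all assumptions made for this illustration; the resulting rows would be fed to a classifier such as scikit-learn's RandomForestClassifier, which is left out so the block runs on the standard library alone.

```python
"""Feature vectors from a process-specific (user-level) and a system-wide
(kernel-level) system-call trace, and their concatenation.
Added illustration; not the study's own tooling or data."""
from collections import Counter
import re

# Constructed traces. The "pid=<n> <call>" line format is an assumption
# made for this example, not a real hook or driver output format.
# User-level hook: sees only the monitored sample's Win32 API calls.
USER_TRACE = """\
pid=1337 IsDebuggerPresent
pid=1337 GetTickCount
pid=1337 CreateFileW
pid=1337 WriteFile
pid=1337 CreateProcessW
pid=1337 WriteFile
"""

# Kernel driver: sees native syscalls of every process, including the child
# spawned by the sample (pid 2048) and unrelated system activity (pid 4).
KERNEL_TRACE = """\
ts=1 pid=1337 NtQueryInformationProcess
ts=2 pid=1337 NtCreateFile
ts=3 pid=1337 NtWriteFile
ts=4 pid=1337 NtCreateUserProcess
ts=5 pid=2048 NtQueryInformationProcess
ts=6 pid=2048 NtCreateFile
ts=7 pid=2048 NtWriteFile
ts=8 pid=2048 NtWriteFile
ts=9 pid=4 NtFlushBuffersFile
"""

# Small fixed vocabularies (assumed); a real pipeline derives these from the corpus.
USER_VOCAB = ["IsDebuggerPresent", "GetTickCount", "CreateFileW",
              "WriteFile", "CreateProcessW"]
KERNEL_VOCAB = ["NtQueryInformationProcess", "NtCreateFile", "NtWriteFile",
                "NtCreateUserProcess", "NtFlushBuffersFile"]

RECORD_RE = re.compile(r"pid=(\d+)\s+(\S+)")


def parse_trace(text):
    """Return (pid, call) tuples; lines that do not match the format are skipped."""
    records = []
    for line in text.splitlines():
        m = RECORD_RE.search(line)
        if m:
            records.append((int(m.group(1)), m.group(2)))
    return records


def frequency_vector(records, vocab, pids=None):
    """Relative frequency of each vocab entry, optionally restricted to `pids`.

    Restricting by PID is how the system-wide kernel trace is reduced to the
    sample's own process tree; the user-level hook is already process-specific.
    Calls outside the vocabulary are ignored; an empty selection yields zeros.
    """
    counts = Counter(call for pid, call in records
                     if pids is None or pid in pids)
    total = sum(counts[v] for v in vocab)
    if total == 0:
        return [0.0] * len(vocab)
    return [counts[v] / total for v in vocab]


def combined_vector(user_text, kernel_text, sample_pids):
    """One feature row: user-level vector followed by the kernel-level vector."""
    user = frequency_vector(parse_trace(user_text), USER_VOCAB)
    kernel = frequency_vector(parse_trace(kernel_text), KERNEL_VOCAB, sample_pids)
    return user + kernel


def feature_names():
    """Column names aligned with combined_vector(), so a trained model's
    per-feature importances can be mapped back to the viewpoint and call
    that produced them."""
    return ([f"user:{c}" for c in USER_VOCAB]
            + [f"kernel:{c}" for c in KERNEL_VOCAB])


if __name__ == "__main__":
    # sample_pids is the sample's process tree, which the kernel driver can
    # learn from process-creation events (assumed known here).
    row = combined_vector(USER_TRACE, KERNEL_TRACE, sample_pids={1337, 2048})
    for name, value in zip(feature_names(), row):
        print(f"{name:32s} {value:.3f}")
```

Mapping a trained model's feature importances back through feature_names() is the check that shows whether a user-level-only model is leaning on anti-analysis calls (represented here by IsDebuggerPresent) rather than on the sample's actual file and process activity, which is the behaviour the abstract reports for user-level data.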