A better understanding of machine learning malware misclassifcation

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Standard

A better understanding of machine learning malware misclassifcation. / Alruhaily, Nada; Chothia, Tom; Bordbar, Behzad.

Information Systems Security and Privacy - 3rd International Conference, ICISSP 2017, Revised Selected Papers. ed. / Paolo Mori; Steven Furnell; Olivier Camp. Springer Verlag, 2018. p. 35-58 (Communications in Computer and Information Science; Vol. 867).

Harvard

Alruhaily, N, Chothia, T & Bordbar, B 2018, A better understanding of machine learning malware misclassifcation. in P Mori, S Furnell & O Camp (eds), Information Systems Security and Privacy - 3rd International Conference, ICISSP 2017, Revised Selected Papers. Communications in Computer and Information Science, vol. 867, Springer Verlag, pp. 35-58, 3rd International Conference on Information Systems Security and Privacy, ICISSP 2017, Porto, Portugal, 19/02/17. https://doi.org/10.1007/978-3-319-93354-2_3

APA

Alruhaily, N., Chothia, T., & Bordbar, B. (2018). A better understanding of machine learning malware misclassifcation. In P. Mori, S. Furnell, & O. Camp (Eds.), Information Systems Security and Privacy - 3rd International Conference, ICISSP 2017, Revised Selected Papers (pp. 35-58). (Communications in Computer and Information Science; Vol. 867). Springer Verlag. https://doi.org/10.1007/978-3-319-93354-2_3

Vancouver

Alruhaily N, Chothia T, Bordbar B. A better understanding of machine learning malware misclassifcation. In Mori P, Furnell S, Camp O, editors, Information Systems Security and Privacy - 3rd International Conference, ICISSP 2017, Revised Selected Papers. Springer Verlag. 2018. p. 35-58. (Communications in Computer and Information Science). https://doi.org/10.1007/978-3-319-93354-2_3

Author

Alruhaily, Nada ; Chothia, Tom ; Bordbar, Behzad. / A better understanding of machine learning malware misclassifcation. Information Systems Security and Privacy - 3rd International Conference, ICISSP 2017, Revised Selected Papers. editor / Paolo Mori ; Steven Furnell ; Olivier Camp. Springer Verlag, 2018. pp. 35-58 (Communications in Computer and Information Science).

Bibtex

@inproceedings{cf0840eaa0344d73a4dbc6f60d03b00a,
title = "A better understanding of machine learning malware misclassifcation",
abstract = "Machine learning-based malware detection systems have been widely suggested and used as a replacement for signature-based detection methods. Such systems have shown that they can provide a high detection rate when recognising previously unseen malware samples. However, when classifying malware based on their behavioural features, some new malware can go undetected, resulting in a misclassification. Our aim is to gain more understanding of the underlying causes of malware misclassification; this will help to develop more robust malware detection systems. Towards this objective, several questions have been addressed in this paper: Does misclassification increase over a period of time? Do changes that affect classification occur in malware at the level of families, where all instances that belong to certain families are hard to detect? Alternatively, can such changes be traced back to certain malware variants instead of families? Also, does misclassification increase when distinct API functions that have been used only by malware are removed, given that this technique could be used by malware writers to evade detection? Our experiments showed that changes in malware behaviour are mostly due to behavioural changes at the level of variants across malware families, where variants did not behave as expected. They also showed that machine learning-based systems could maintain a high detection rate even when evasion is attempted by not using distinct API functions that are used uniquely by malware.",
keywords = "Behavioural analysis, Classification, Machine learning, Malware",
author = "Nada Alruhaily and Tom Chothia and Behzad Bordbar",
year = "2018",
month = jan,
day = "1",
doi = "10.1007/978-3-319-93354-2_3",
language = "English",
isbn = "9783319933535",
series = "Communications in Computer and Information Science",
publisher = "Springer Verlag",
pages = "35--58",
editor = "Paolo Mori and Steven Furnell and Camp, {Olivier}",
booktitle = "Information Systems Security and Privacy - 3rd International Conference, ICISSP 2017, Revised Selected Papers",
note = "3rd International Conference on Information Systems Security and Privacy, ICISSP 2017 ; Conference date: 19-02-2017 Through 21-02-2017",
}

RIS

TY - GEN
T1 - A better understanding of machine learning malware misclassifcation
AU - Alruhaily, Nada
AU - Chothia, Tom
AU - Bordbar, Behzad
PY - 2018/1/1
Y1 - 2018/1/1
N2 - Machine learning-based malware detection systems have been widely suggested and used as a replacement for signature-based detection methods. Such systems have shown that they can provide a high detection rate when recognising previously unseen malware samples. However, when classifying malware based on their behavioural features, some new malware can go undetected, resulting in a misclassification. Our aim is to gain more understanding of the underlying causes of malware misclassification; this will help to develop more robust malware detection systems. Towards this objective, several questions have been addressed in this paper: Does misclassification increase over a period of time? Do changes that affect classification occur in malware at the level of families, where all instances that belong to certain families are hard to detect? Alternatively, can such changes be traced back to certain malware variants instead of families? Also, does misclassification increase when distinct API functions that have been used only by malware are removed, given that this technique could be used by malware writers to evade detection? Our experiments showed that changes in malware behaviour are mostly due to behavioural changes at the level of variants across malware families, where variants did not behave as expected. They also showed that machine learning-based systems could maintain a high detection rate even when evasion is attempted by not using distinct API functions that are used uniquely by malware.
AB - Machine learning-based malware detection systems have been widely suggested and used as a replacement for signature-based detection methods. Such systems have shown that they can provide a high detection rate when recognising previously unseen malware samples. However, when classifying malware based on their behavioural features, some new malware can go undetected, resulting in a misclassification. Our aim is to gain more understanding of the underlying causes of malware misclassification; this will help to develop more robust malware detection systems. Towards this objective, several questions have been addressed in this paper: Does misclassification increase over a period of time? Do changes that affect classification occur in malware at the level of families, where all instances that belong to certain families are hard to detect? Alternatively, can such changes be traced back to certain malware variants instead of families? Also, does misclassification increase when distinct API functions that have been used only by malware are removed, given that this technique could be used by malware writers to evade detection? Our experiments showed that changes in malware behaviour are mostly due to behavioural changes at the level of variants across malware families, where variants did not behave as expected. They also showed that machine learning-based systems could maintain a high detection rate even when evasion is attempted by not using distinct API functions that are used uniquely by malware.
KW - Behavioural analysis
KW - Classification
KW - Machine learning
KW - Malware
UR - http://www.scopus.com/inward/record.url?scp=85049107741&partnerID=8YFLogxK
U2 - 10.1007/978-3-319-93354-2_3
DO - 10.1007/978-3-319-93354-2_3
M3 - Conference contribution
AN - SCOPUS:85049107741
SN - 9783319933535
T3 - Communications in Computer and Information Science
SP - 35
EP - 58
BT - Information Systems Security and Privacy - 3rd International Conference, ICISSP 2017, Revised Selected Papers
A2 - Mori, Paolo
A2 - Furnell, Steven
A2 - Camp, Olivier
PB - Springer Verlag
T2 - 3rd International Conference on Information Systems Security and Privacy, ICISSP 2017
Y2 - 19 February 2017 through 21 February 2017
ER -