A better understanding of machine learning malware misclassifcation

Nada Alruhaily; Tom Chothia; Behzad Bordbar

doi:10.1007/978-3-319-93354-2_3

A better understanding of machine learning malware misclassifcation

Nada Alruhaily^*, Tom Chothia, Behzad Bordbar

^*Corresponding author for this work

Computer Science

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Abstract

Machine learning-based malware detection systems have been widely suggested and used as a replacement for signature-based detection methods. Such systems have shown that they can provide a high detection rate when recognising non-previously seen malware samples. However, when classifying malware based on their behavioural features, some new malware can go undetected, resulting in a misclassification. Our aim is to gain more understanding of the underlying causes of malware misclassification; this will help to develop more robust malware detection systems. Towards this objective, several questions have been addressed in this paper: Does misclassification increase over a period of time? Do changes that affect classification occur in malware at the level of families, where all instances that belong to certain families are hard to detect? Alternatively, can such changes be traced back to certain malware variants instead of families? Also, does misclassification increase when removing distinct API functions that have been used only by malware? As this technique could be used by malware writers to evade the detection. Our experiments showed that changes in malware behaviour are mostly due to behavioural changes at the level of variants across malware families, where variants did not behave as expected. It also showed that machine learning-based systems could maintain a high detection rate even in the case of trying to evade the detection by not using distinct API functions, which are uniquely used by malware.

Original language	English
Title of host publication	Information Systems Security and Privacy - 3rd International Conference, ICISSP 2017, Revised Selected Papers
Editors	Paolo Mori, Steven Furnell, Olivier Camp
Publisher	Springer Verlag
Pages	35-58
Number of pages	24
ISBN (Electronic)	9783319933542
ISBN (Print)	9783319933535
DOIs	https://doi.org/10.1007/978-3-319-93354-2_3
Publication status	Published - 1 Jan 2018
Event	3rd International Conference on Information Systems Security and Privacy, ICISSP 2017 - Porto, Portugal Duration: 19 Feb 2017 → 21 Feb 2017

Publication series

Name	Communications in Computer and Information Science
Volume	867
ISSN (Print)	1865-0929

Conference

Conference	3rd International Conference on Information Systems Security and Privacy, ICISSP 2017
Country/Territory	Portugal
City	Porto
Period	19/02/17 → 21/02/17

Keywords

Behavioural analysis
Classification
Machine learning
Malware

ASJC Scopus subject areas

Computer Science(all)
Mathematics(all)

Access to Document

10.1007/978-3-319-93354-2_3Licence: None: All rights reserved

Cite this

Alruhaily, N., Chothia, T., & Bordbar, B. (2018). A better understanding of machine learning malware misclassifcation. In P. Mori, S. Furnell, & O. Camp (Eds.), Information Systems Security and Privacy - 3rd International Conference, ICISSP 2017, Revised Selected Papers (pp. 35-58). (Communications in Computer and Information Science; Vol. 867). Springer Verlag. https://doi.org/10.1007/978-3-319-93354-2_3

Alruhaily, Nada ; Chothia, Tom ; Bordbar, Behzad. / A better understanding of machine learning malware misclassifcation. Information Systems Security and Privacy - 3rd International Conference, ICISSP 2017, Revised Selected Papers. editor / Paolo Mori ; Steven Furnell ; Olivier Camp. Springer Verlag, 2018. pp. 35-58 (Communications in Computer and Information Science).

@inproceedings{cf0840eaa0344d73a4dbc6f60d03b00a,

title = "A better understanding of machine learning malware misclassifcation",

abstract = "Machine learning-based malware detection systems have been widely suggested and used as a replacement for signature-based detection methods. Such systems have shown that they can provide a high detection rate when recognising non-previously seen malware samples. However, when classifying malware based on their behavioural features, some new malware can go undetected, resulting in a misclassification. Our aim is to gain more understanding of the underlying causes of malware misclassification; this will help to develop more robust malware detection systems. Towards this objective, several questions have been addressed in this paper: Does misclassification increase over a period of time? Do changes that affect classification occur in malware at the level of families, where all instances that belong to certain families are hard to detect? Alternatively, can such changes be traced back to certain malware variants instead of families? Also, does misclassification increase when removing distinct API functions that have been used only by malware? As this technique could be used by malware writers to evade the detection. Our experiments showed that changes in malware behaviour are mostly due to behavioural changes at the level of variants across malware families, where variants did not behave as expected. It also showed that machine learning-based systems could maintain a high detection rate even in the case of trying to evade the detection by not using distinct API functions, which are uniquely used by malware.",

keywords = "Behavioural analysis, Classification, Machine learning, Malware",

author = "Nada Alruhaily and Tom Chothia and Behzad Bordbar",

year = "2018",

month = jan,

day = "1",

doi = "10.1007/978-3-319-93354-2_3",

language = "English",

isbn = "9783319933535",

series = "Communications in Computer and Information Science",

publisher = "Springer Verlag",

pages = "35--58",

editor = "Paolo Mori and Steven Furnell and Camp, {Olivier }",

booktitle = "Information Systems Security and Privacy - 3rd International Conference, ICISSP 2017, Revised Selected Papers",

note = "3rd International Conference on Information Systems Security and Privacy, ICISSP 2017 ; Conference date: 19-02-2017 Through 21-02-2017",

}

Alruhaily, N, Chothia, T & Bordbar, B 2018, A better understanding of machine learning malware misclassifcation. in P Mori, S Furnell & O Camp (eds), Information Systems Security and Privacy - 3rd International Conference, ICISSP 2017, Revised Selected Papers. Communications in Computer and Information Science, vol. 867, Springer Verlag, pp. 35-58, 3rd International Conference on Information Systems Security and Privacy, ICISSP 2017, Porto, Portugal, 19/02/17. https://doi.org/10.1007/978-3-319-93354-2_3

A better understanding of machine learning malware misclassifcation. / Alruhaily, Nada; Chothia, Tom; Bordbar, Behzad.
Information Systems Security and Privacy - 3rd International Conference, ICISSP 2017, Revised Selected Papers. ed. / Paolo Mori; Steven Furnell; Olivier Camp. Springer Verlag, 2018. p. 35-58 (Communications in Computer and Information Science; Vol. 867).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

TY - GEN

T1 - A better understanding of machine learning malware misclassifcation

AU - Alruhaily, Nada

AU - Chothia, Tom

AU - Bordbar, Behzad

PY - 2018/1/1

Y1 - 2018/1/1

N2 - Machine learning-based malware detection systems have been widely suggested and used as a replacement for signature-based detection methods. Such systems have shown that they can provide a high detection rate when recognising non-previously seen malware samples. However, when classifying malware based on their behavioural features, some new malware can go undetected, resulting in a misclassification. Our aim is to gain more understanding of the underlying causes of malware misclassification; this will help to develop more robust malware detection systems. Towards this objective, several questions have been addressed in this paper: Does misclassification increase over a period of time? Do changes that affect classification occur in malware at the level of families, where all instances that belong to certain families are hard to detect? Alternatively, can such changes be traced back to certain malware variants instead of families? Also, does misclassification increase when removing distinct API functions that have been used only by malware? As this technique could be used by malware writers to evade the detection. Our experiments showed that changes in malware behaviour are mostly due to behavioural changes at the level of variants across malware families, where variants did not behave as expected. It also showed that machine learning-based systems could maintain a high detection rate even in the case of trying to evade the detection by not using distinct API functions, which are uniquely used by malware.

AB - Machine learning-based malware detection systems have been widely suggested and used as a replacement for signature-based detection methods. Such systems have shown that they can provide a high detection rate when recognising non-previously seen malware samples. However, when classifying malware based on their behavioural features, some new malware can go undetected, resulting in a misclassification. Our aim is to gain more understanding of the underlying causes of malware misclassification; this will help to develop more robust malware detection systems. Towards this objective, several questions have been addressed in this paper: Does misclassification increase over a period of time? Do changes that affect classification occur in malware at the level of families, where all instances that belong to certain families are hard to detect? Alternatively, can such changes be traced back to certain malware variants instead of families? Also, does misclassification increase when removing distinct API functions that have been used only by malware? As this technique could be used by malware writers to evade the detection. Our experiments showed that changes in malware behaviour are mostly due to behavioural changes at the level of variants across malware families, where variants did not behave as expected. It also showed that machine learning-based systems could maintain a high detection rate even in the case of trying to evade the detection by not using distinct API functions, which are uniquely used by malware.

KW - Behavioural analysis

KW - Classification

KW - Machine learning

KW - Malware

UR - http://www.scopus.com/inward/record.url?scp=85049107741&partnerID=8YFLogxK

U2 - 10.1007/978-3-319-93354-2_3

DO - 10.1007/978-3-319-93354-2_3

M3 - Conference contribution

AN - SCOPUS:85049107741

SN - 9783319933535

T3 - Communications in Computer and Information Science

SP - 35

EP - 58

BT - Information Systems Security and Privacy - 3rd International Conference, ICISSP 2017, Revised Selected Papers

A2 - Mori, Paolo

A2 - Furnell, Steven

A2 - Camp, Olivier

PB - Springer Verlag

T2 - 3rd International Conference on Information Systems Security and Privacy, ICISSP 2017

Y2 - 19 February 2017 through 21 February 2017

ER -

Alruhaily N, Chothia T, Bordbar B. A better understanding of machine learning malware misclassifcation. In Mori P, Furnell S, Camp O, editors, Information Systems Security and Privacy - 3rd International Conference, ICISSP 2017, Revised Selected Papers. Springer Verlag. 2018. p. 35-58. (Communications in Computer and Information Science). doi: 10.1007/978-3-319-93354-2_3

A better understanding of machine learning malware misclassifcation

Abstract

Publication series

Conference

Keywords

ASJC Scopus subject areas

Access to Document

Fingerprint

Cite this