Detecting Malicious Software

Current malware detection methods based on system API calls do not fully use all the information available and are not as effective at differentiating between malicious and benign software as they could be. More importantly, they are not adequately robust to attacks where malware authors modify their samples to evade detection.

The Connection Lab is working on a method to detect malware that is both effective against standard malware and malware that use evasion attacks. We developed a behavior model that properly incorporates additional API information to summarize program behavior and use it in conjunction with machine learning techniques like monotonic models to build a robust malware detection pipeline. We’ve demonstrated that this method can effectively detect malware in the presence of evasion attacks like mimicry attacks and adversarial attacks.

For more details on this work, please see our paper: https://doi.org/10.1145/3607199.3607207.