Run-time classification of malicious processes using system call analysis

Document Type

Conference Proceeding

Publication Date

2-18-2016

Abstract

This study presents a malware classification system designed to classify malicious processes at run-time on production hosts. The system monitors process-level system call activity and uses information extracted from system call traces as inputs to the classifier. The system is advantageous because it does not require the use of specialized analysis environments. Instead, a 'lightweight' service application monitors process execution and classifies new malware samples based on their behavioral similarity to known malware. This study compares the effectiveness of multiple feature sets, ground truth labeling schemes, and machine learning algorithms for malware classification. The accuracy of the classification system is evaluated against process-level system call traces of recently discovered malware samples collected from production environments. Experimental results indicate that accurate classification results can be achieved using relatively short system call traces and simple representations.
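The abstract describes the pipeline only at a high level (collect a short per-process system call trace, extract a simple representation, classify by behavioral similarity to known malware). The following is an added illustration of that pipeline, not the paper's code: the bigram feature representation, the cosine nearest-neighbour classifier, the similarity threshold and the sample traces are all assumptions, and the family labels and traces are constructed.

```python
# Added example (not from the paper): classify a process from a short
# system call trace by comparing its n-gram profile against profiles of
# known malware families. Representation and classifier are assumptions.
from collections import Counter
from math import sqrt

def ngram_profile(trace, n=2):
    """Count system call n-grams in a trace (a list of syscall names)."""
    return Counter(tuple(trace[i:i + n]) for i in range(len(trace) - n + 1))

def cosine(a, b):
    """Cosine similarity between two n-gram count profiles."""
    dot = sum(a[k] * b[k] for k in a.keys() & b.keys())
    na = sqrt(sum(v * v for v in a.values()))
    nb = sqrt(sum(v * v for v in b.values()))
    return dot / (na * nb) if na and nb else 0.0

def classify(trace, known, n=2, threshold=0.5):
    """Return (label, score) of the most similar known profile.

    Falls back to ('unknown', score) when no known sample is similar
    enough, so a novel family is not silently forced into an existing one.
    """
    profile = ngram_profile(trace, n)
    best_label, best = "unknown", 0.0
    for label, samples in known.items():
        for sample in samples:
            score = cosine(profile, ngram_profile(sample, n))
            if score > best:
                best_label, best = label, score
    return (best_label, best) if best >= threshold else ("unknown", best)

# Constructed "known malware" traces, keyed by a made-up family label.
KNOWN = {
    "family_A": [
        ["openat", "read", "mmap", "mprotect", "close"],
        ["openat", "read", "mmap", "mprotect", "munmap"],
    ],
    "family_B": [
        ["socket", "connect", "sendto", "recvfrom", "close"],
    ],
}

if __name__ == "__main__":
    # A short prefix of a known trace is enough to recover the family.
    print(classify(["socket", "connect", "sendto"], KNOWN))
    # A trace with only weak overlap falls below the threshold.
    print(classify(["socket", "connect", "close", "openat", "read"], KNOWN))
```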

Identifier

84969792589 (Scopus)

ISBN

9781509003174

Publication Title

2015 10th International Conference on Malicious and Unwanted Software, MALWARE 2015

External Full Text Location

https://doi.org/10.1109/MALWARE.2015.7413681

First Page

21

Last Page

28

Grant

CNS-1228847

Fund Ref

National Science Foundation
