Annual Computer Security Applications Conference (ACSAC) 2014


Centrality Metrics of Importance in Access Behaviors and Malware Detections


System objects play different roles in a computer system and exhibit different degrees of importance with respect to system security. Identifying importance metrics can help us to develop more effective and efficient security protection methods. However, there is little previous work on evaluating the importance of objects from the perspective of security. In this paper, we propose a novel approach to evaluate the importance of various system objects based on a bipartite dependency network representation of access behaviors observed in a computer system. We introduce centrality metrics from network science to quantitatively measure the relative importance of system objects and reveal their inherent connections to security properties such as integrity and confidentiality. Furthermore, we propose importance-metric-based models to characterize process behaviors and identify abnormal access patterns with respect to confidentiality and integrity. Extensive experimental results on one real-world dataset demonstrate that our model is capable of detecting 7,257 malware samples from 27,840 benign processes at 93.94% TPR under 0.1% FPR. Moreover, a selective protection scheme based on a partial behavioral model of important objects achieves comparable or even better results in malware detection when compared with complete behavior models. This demonstrates the feasibility of the devised importance metrics and presents a promising new approach to malware detection.
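As an added illustration (not the paper's code) of the bipartite access network and centrality idea in the abstract: processes and system objects form the two sides, read and write accesses form the edges, and a centrality score gives each object an importance that then weights a process's behaviour profile. The HITS-style mutual-reinforcement metric, the sample access log and the integrity/confidentiality weighting rules are all assumptions made here; the abstract does not name the paper's specific metric.

```python
from collections import defaultdict

# Constructed sample access log: (process, object, mode) with mode 'r' or 'w'.
# Every name here is made up for the illustration; "sample_x" plays the odd one out.
SAMPLE_ACCESSES = [
    ("editor", "libc.so", "r"), ("editor", "editor.cfg", "r"), ("editor", "notes.txt", "w"),
    ("browser", "libc.so", "r"), ("browser", "libssl.so", "r"), ("browser", "cache.db", "w"),
    ("mailer", "libc.so", "r"), ("mailer", "libssl.so", "r"), ("mailer", "mailbox", "w"),
    ("sample_x", "libc.so", "r"), ("sample_x", "libc.so", "w"),
    ("sample_x", "mailbox", "r"), ("sample_x", "notes.txt", "r"),
]

def build_bipartite(accesses):
    """Bipartite dependency network: process -> object -> modes, plus its transpose."""
    procs = defaultdict(lambda: defaultdict(set))
    objs = defaultdict(lambda: defaultdict(set))
    for proc, obj, mode in accesses:
        procs[proc][obj].add(mode)
        objs[obj][proc].add(mode)
    return procs, objs

def hits_centrality(procs, objs, mode, iters=50):
    """HITS-style mutual reinforcement over edges of one type ('r' or 'w'); assumed metric.
    Object authority grows with the hub weight of processes touching it, process hub weight
    with the authority of objects it touches; max-normalised so the top node scores 1.0."""
    hub = {p: 1.0 for p in procs}
    auth = {}
    for _ in range(iters):
        auth = {o: sum(hub[p] for p, ms in ps.items() if mode in ms) for o, ps in objs.items()}
        top = max(auth.values()) or 1.0
        auth = {o: v / top for o, v in auth.items()}
        hub = {p: sum(auth[o] for o, ms in os_.items() if mode in ms) for p, os_ in procs.items()}
        top = max(hub.values()) or 1.0
        hub = {p: v / top for p, v in hub.items()}
    return auth, hub

def process_scores(procs, importance, mode):
    """Sum the importance of every object a process accesses in `mode`."""
    return {p: sum(importance.get(o, 0.0) for o, ms in os_.items() if mode in ms)
            for p, os_ in procs.items()}

def integrity_and_confidentiality(accesses):
    """Two importance-weighted behaviour scores (weighting rules are assumptions):
    integrity = writes weighted by read-centrality (tampering with a widely read object
    taints many dependants); confidentiality = reads weighted by write-centrality."""
    procs, objs = build_bipartite(accesses)
    read_auth, _ = hits_centrality(procs, objs, "r")
    write_auth, _ = hits_centrality(procs, objs, "w")
    return process_scores(procs, read_auth, "w"), process_scores(procs, write_auth, "r")
```

Calling `integrity_and_confidentiality(SAMPLE_ACCESSES)` returns two dicts in which `sample_x` (the only process writing the shared library every other process reads, and reading other processes' private write targets) scores highest on both axes, while the shared library itself gets read-centrality 1.0, which is the kind of object a selective protection scheme would prioritise.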

Author(s):

Weixuan Mao
MOE KLINNS Lab, Xi’an Jiaotong University
China

Zhongmin Cai
MOE KLINNS Lab, Xi’an Jiaotong University
China

Xiaohong Guan
MOE KLINNS Lab, Xi’an Jiaotong University
China

Don Towsley
School of Computer Science, University of Massachusetts
United States
