sysBERT: Improved Behavioral Malware Detection using BERT Trained on sys2vec Embeddings
| dc.contributor.author | Carter, John | |
| dc.contributor.author | Mancoridis, Spiros | |
| dc.contributor.author | Protopapas, Pavlos | |
| dc.date.accessioned | 2024-12-26T21:11:01Z | |
| dc.date.available | 2024-12-26T21:11:01Z | |
| dc.date.issued | 2025-01-07 | |
| dc.description.abstract | As malware becomes increasingly stealthy and more difficult to detect, behavioral malware detection has become the preferred method of detection, which uses representative run-time data from the device to determine if an infection has occurred. In this work, we collected kernel-level system calls from a router serving IoT devices during periods of benign behavior and periods of known malware infection. The system calls were processed using our custom-trained sys2vec model, which created contextual embeddings for each system call observed. We then subjected the data to a classifier using a Gated Recurrent Unit (GRU) with an Attention layer. Although this pipeline performed well for noisy, easy-to-detect malware, it struggled with stealthier malware. To combat this, we trained a classifier that uses a custom-trained BERT encoder in place of the GRU/Attention layers, which results in much better detection at a usable false positive rate (FPR) ≤ 1 × 10−5. | |
| dc.format.extent | 10 | |
| dc.identifier.isbn | 978-0-9981331-8-8 | |
| dc.identifier.other | 4d709582-a81c-4948-9857-eeb32cb82252 | |
| dc.identifier.uri | https://hdl.handle.net/10125/109702 | |
| dc.relation.ispartof | Proceedings of the 58th Hawaii International Conference on System Sciences | |
| dc.rights | Attribution-NonCommercial-NoDerivatives 4.0 International | |
| dc.rights.uri | https://creativecommons.org/licenses/by-nc-nd/4.0/ | |
| dc.subject | Cyber Operations, Defense, and Forensics | |
| dc.subject | behavioral malware detection, bert, language models, machine learning | |
| dc.title | sysBERT: Improved Behavioral Malware Detection using BERT Trained on sys2vec Embeddings | |
| dc.type | Conference Paper | |
| dc.type.dcmi | Text | |
| prism.startingpage | 7120 |
Files
Original bundle
1 - 1 of 1