Computer activity learning from system call time series
Curt Hastings, Ronnie Mainieri

TL;DR
This paper presents a deep learning-based classifier for computer activity recognition from system call time series, achieving high accuracy in malware classification and demonstrating scalability and practical utility.
Contribution
Introduces a novel deep learning approach using a similarity function for system call streams, outperforming existing malware classifiers and providing scalable, real-world performance metrics.
Findings
Achieves F1 score of 0.995 on malware classification
System scales linearly with number of endpoints
Estimates 3450 malware families over 10 years
Abstract
Using a previously introduced similarity function for the stream of system calls generated by a computer, we engineer a program-in-execution classifier using deep learning methods. Tested on malware classification, it significantly outperforms the current state of the art. We provide a series of performance measures and tests to demonstrate its capabilities, including measurements from production use. We show how the system scales linearly with the number of endpoints. With the system we estimate the total number of malware families created over the last 10 years as 3450, in line with reasonable economic constraints. This rate of new malware family creation, lower than previously acknowledged, implies that machine learning malware classifiers risk being tested on their training set; we achieve F1 = 0.995 in a test carefully designed to mitigate this risk.
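The abstract's closing point, that a small number of families means variants of the same family easily end up on both sides of a random train/test split, is the kind of leakage a practitioner should check for before trusting a reported F1. The following added example (not the authors' code; the paper describes neither its features nor its split procedure) builds a constructed corpus of synthetic system call traces grouped into families, scores a 1-nearest-neighbour classifier over syscall 3-gram counts under a naive random split and under a family-level split, and reports how many test families also appear in training. All families, traces and labels are constructed for illustration; the syscall names are just a vocabulary.

```python
"""Family-aware versus random evaluation splits for a syscall-trace classifier.

Added example for this page, not the paper's code. Each "family" is a fixed
syscall motif; each trace is that motif repeated with random substitutions.
A 1-NN classifier on syscall 3-gram counts stands in for the paper's deep
classifier. Two protocols are compared:
  * random split: traces shuffled, 30% held out, so every test trace has
    near-identical siblings from its own family in the training set;
  * family split: whole families held out, so test families are unseen.
All traces, families and labels are constructed, not measured data.
"""
import random
from collections import Counter

SYSCALLS = ["open", "read", "write", "close", "mmap", "munmap", "socket",
            "connect", "send", "recv", "fork", "execve", "stat", "ioctl"]


def make_family(rng, motif_len=6):
    """A family is a characteristic short sequence of syscalls (assumed)."""
    return [rng.choice(SYSCALLS) for _ in range(motif_len)]


def make_trace(rng, motif, length=60, noise=0.2):
    """Repeat the family motif, replacing each call with probability `noise`."""
    trace = []
    while len(trace) < length:
        for call in motif:
            trace.append(rng.choice(SYSCALLS) if rng.random() < noise else call)
    return trace[:length]


def ngram_counts(trace, n=3):
    """Bag of syscall n-grams: the feature vector for one trace."""
    return Counter(tuple(trace[i:i + n]) for i in range(len(trace) - n + 1))


def cosine(a, b):
    """Cosine similarity between two sparse count vectors."""
    dot = sum(v * b.get(k, 0) for k, v in a.items())
    na = sum(v * v for v in a.values()) ** 0.5
    nb = sum(v * v for v in b.values()) ** 0.5
    return dot / (na * nb) if na and nb else 0.0


def build_corpus(seed=7, n_families=12, per_family=10):
    """Return a list of (family_id, label, features). Even ids are 'malware'."""
    rng = random.Random(seed)
    corpus = []
    for fid in range(n_families):
        motif = make_family(rng)
        label = "malware" if fid % 2 == 0 else "benign"
        for _ in range(per_family):
            corpus.append((fid, label, ngram_counts(make_trace(rng, motif))))
    return corpus


def nn_accuracy(train, test):
    """1-NN by cosine similarity over n-gram counts; returns accuracy in [0, 1]."""
    correct = 0
    for _, label, feats in test:
        best = max(train, key=lambda s: cosine(feats, s[2]))
        correct += best[1] == label
    return correct / len(test)


def random_split(corpus, seed=1, test_frac=0.3):
    """Naive protocol: shuffle individual traces and hold out a fraction."""
    rng = random.Random(seed)
    items = corpus[:]
    rng.shuffle(items)
    k = int(len(items) * test_frac)
    return items[k:], items[:k]


def family_split(corpus, seed=1, test_frac=0.3):
    """Leakage-aware protocol: hold out whole families, never single traces."""
    rng = random.Random(seed)
    fids = sorted({fid for fid, _, _ in corpus})
    rng.shuffle(fids)
    held = set(fids[:max(1, int(len(fids) * test_frac))])
    train = [s for s in corpus if s[0] not in held]
    test = [s for s in corpus if s[0] in held]
    return train, test


def leaked_families(train, test):
    """Number of test families that also occur in the training set."""
    return len({s[0] for s in test} & {s[0] for s in train})


def compare(corpus=None):
    """Accuracy and family leakage under both split protocols."""
    corpus = corpus or build_corpus()
    out = {}
    for name, splitter in (("random", random_split), ("family", family_split)):
        train, test = splitter(corpus)
        out[name] = {"accuracy": nn_accuracy(train, test),
                     "leaked_families": leaked_families(train, test)}
    return out


if __name__ == "__main__":
    for name, r in compare().items():
        print(f"{name:7s} split: accuracy={r['accuracy']:.2f}, "
              f"test families also in train={r['leaked_families']}")
```

Under the random split the 1-NN classifier scores near 1.0 because almost every test trace has siblings from its own family in training; under the family split the same classifier faces only unseen families and, since this synthetic corpus has no cross-family signal by construction, drops toward chance. The gap between the two numbers is the leakage, and `leaked_families` is the check to run on any real split before quoting an F1.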
Taxonomy
Topics: Advanced Malware Detection Techniques · Anomaly Detection Techniques and Applications · Network Security and Intrusion Detection
