NtMalDetect: A Machine Learning Approach to Malware Detection Using Native API System Calls

TL;DR

This paper presents NtMalDetect, a dynamic malware detection method using machine learning on system call traces, achieving high accuracy and recall by applying NLP-inspired classification techniques.

Contribution

Introduces a novel dynamic malware detection approach based on system call analysis with NLP techniques, outperforming static analysis in detecting advanced malware variants.

Findings

Achieved up to 96% accuracy in malware detection.

Identified significant system call sequences for future research.

Effective use of SVM with NLP-inspired features.

Abstract

As computing systems become increasingly advanced and as users increasingly engage themselves in technology, security has never been a greater concern. In malware detection, static analysis, the method of analyzing potentially malicious files, has been the prominent approach. This approach, however, quickly falls short as malicious programs become more advanced and adopt the capabilities of obfuscating its binaries to execute the same malicious functions, making static analysis extremely difficult for newer variants. The approach assessed in this paper is a novel dynamic malware analysis method, which may generalize better than static analysis to newer variants. Inspired by recent successes in Natural Language Processing (NLP), widely used document classification techniques were assessed in detecting malware by doing such analysis on system calls, which contain useful information about the operation of a program as requests that the program makes of the kernel. Features considered are extracted from system call traces of benign and malicious programs, and the task to classify these traces is treated as a binary document classification task of system call traces. The system call traces were processed to remove the parameters to only leave the system call function names. The features were grouped into various n-grams and weighted with Term Frequency-Inverse Document Frequency. This paper shows that Linear Support Vector Machines (SVM) optimized by Stochastic Gradient Descent and the traditional Coordinate Descent on the Wolfe Dual form of the SVM are effective in this approach, achieving a highest of 96% accuracy with 95% recall score. Additional contributions include the identification of significant system call sequences that could be avenues for further research.