Extended Abstract: Mimicry Resilient Program Behavior Modeling with LSTM based Branch Models
Hayoon Yi, Gyuwan Kim, Jangho Lee, Sunwoo Ahn, Younghan Lee, Sungroh Yoon, Yunheung Paek

TL;DR
This paper explores a novel approach to modeling program behavior using LSTM on branch sequences to improve resilience against mimicry attacks, leveraging hardware features for efficient data collection.
Contribution
It introduces a mimicry resilient program behavior model based on branch sequences and LSTM, addressing limitations of system call-based models against mimicry attacks.
Findings
LSTM effectively models large-scale branch sequences.
Hardware features enable efficient runtime data extraction.
Preliminary experiments show promise in resilience against mimicry attacks.
Abstract
In software design, protecting a computer system from the plethora of software attacks and malware in the wild has become increasingly important. In one branch of research on detecting attacks or malware, much work has focused on modeling the runtime behavior of a program. Stemming from the seminal work of Forrest et al., one of the main tools for modeling program behavior is the system call sequence. Unfortunately, however, since mimicry attacks were proposed, program behavior models based solely on system call sequences can no longer ensure the security of systems and require additional information that comes with its own drawbacks. In this paper, we report our preliminary findings from our research to build a mimicry resilient program behavior model with fewer drawbacks. We employ branch sequences to harden our program behavior model against mimicry attacks while…
Taxonomy
Topics: Network Security and Intrusion Detection · Software System Performance and Reliability · Network Packet Processing and Optimization
