Monotonic models for real-time dynamic malware detection

TL;DR

This paper introduces monotonic classification models for real-time malware detection, ensuring consistent and stable predictions over execution logs, which enhances interpretability and reliability in dynamic analysis.

Contribution

It proposes the use of monotonic neural networks for malware detection, making predictions stable over time and resistant to noise, a novel approach in dynamic malware analysis.

Findings

Monotonic neural networks provide stable predictions during execution.

Models are interpretable and resistant to benign activity noise.

Effective for real-time malware classification on user machines.

Abstract

In dynamic malware analysis, programs are classified as malware or benign based on their execution logs. We propose a concept of applying monotonic classification models to the analysis process, to make the trained model's predictions consistent over execution time and provably stable to the injection of any noise or `benign-looking' activity into the program's behavior. The predictions of such models change monotonically through the log in the sense that the addition of new lines into the log may only increase the probability of the file being found malicious, which make them suitable for real-time classification on a user's machine. We evaluate monotonic neural network models based on the work by Chistyakovet al. (2017) and demonstrate that they provide stable and interpretable results.