SK-Tree: a systematic malware detection algorithm on streaming trees via the signature kernel

TL;DR

The paper introduces SK-Tree, a new malware detection algorithm that uses streaming trees and the signature kernel to effectively identify malicious activity in complex, hierarchical cybersecurity data streams.

Contribution

It presents a novel framework combining streaming trees and the signature kernel for malware detection, addressing challenges of irregular sampling and high dimensionality.

Findings

Achieved 98% AUROC on DARPA OpTC dataset

Robust to irregular sampling and high-dimensional data

Effective in detecting malicious events in cybersecurity streams

Abstract

The development of machine learning algorithms in the cyber security domain has been impeded by the complex, hierarchical, sequential and multimodal nature of the data involved. In this paper we introduce the notion of a streaming tree as a generic data structure encompassing a large portion of real-world cyber security data. Starting from host-based event logs we represent computer processes as streaming trees that evolve in continuous time. Leveraging the properties of the signature kernel, a machine learning tool that recently emerged as a leading technology for learning with complex sequences of data, we develop the SK-Tree algorithm. SK-Tree is a supervised learning method for systematic malware detection on streaming trees that is robust to irregular sampling and high dimensionality of the underlying streams. We demonstrate the effectiveness of SK-Tree to detect malicious events on a portion of the publicly available DARPA OpTC dataset, achieving an AUROC score of 98%.