TL;DR
This paper presents a neural network-based system that detects malware in network logs and provides explainable indicators of compromise by highlighting key behavioral patterns.
Contribution
It introduces a novel approach combining specialized detectors, neural networks, and integrated gradients for explainability in malware detection from network telemetry.
Findings
Effective detection of njRAT and other malware
Comparison of CNN, LSTM, and transformer architectures
Improved interpretability of behavioral patterns
Abstract
We address the problems of identifying malware in network telemetry logs and providing \emph{indicators of compromise} -- comprehensible explanations of behavioral patterns that identify the threat. In our system, an array of specialized detectors abstracts network-flow data into comprehensible \emph{network events} in a first step. We develop a neural network that processes this sequence of events and identifies specific threats, malware families and broad categories of malware. We then use the \emph{integrated-gradients} method to highlight events that jointly constitute the characteristic behavioral pattern of the threat. We compare network architectures based on CNNs, LSTMs, and transformers, and explore the efficacy of unsupervised pre-training experimentally on large-scale telemetry data. We demonstrate how this system detects njRAT and other malware based on behavioral patterns.
Peer Reviews
No public reviews on file for this paper yet. If you reviewed it on a platform where reviews are public (OpenReview, ICLR, NeurIPS, ICML), you can paste yours below so the community can read it here.
Code & Models
Videos
No videos yet. Explain this paper in a talk, walkthrough, or lecture? Add one.
