SUNDEW: An Ensemble of Predictors for Case-Sensitive Detection of Malware
Sareena Karapoola, Nikhilesh Singh, Chester Rebeiro, Kamakoti V

TL;DR
SUNDEW is a novel ensemble framework that detects malware by leveraging class-specific data sources and features, effectively resolving conflicts among predictors to achieve high accuracy with minimal overhead.
Contribution
It introduces a class-aware ensemble approach that optimally combines diverse data sources and features for malware detection, addressing limitations of existing agnostic solutions.
Findings
Achieves an average F1-Score of 0.93 across malware classes.
Demonstrates high detection accuracy with a minimal overhead of 1.5%.
Effectively resolves conflicts among predictors using hierarchical aggregation.
Abstract
Malware programs are diverse, with varying objectives, functionalities, and threat levels ranging from mere pop-ups to financial losses. Consequently, their run-time footprints across the system differ, impacting the optimal data source (Network, Operating system (OS), Hardware) and features that are instrumental to malware detection. Further, the variations in threat levels of malware classes affect the user requirements for detection. Thus, the optimal tuple of <data-source, features, user-requirements> is different for each malware class, impacting the state-of-the-art detection solutions that are agnostic to these subtle differences. This paper presents SUNDEW, a framework to detect malware classes using their optimal tuple of <data-source, features, user-requirements>. SUNDEW uses an ensemble of specialized predictors, each trained with a particular data source (network, OS, and…
Taxonomy
Topics: Advanced Malware Detection Techniques · Software Engineering Research · Software Testing and Debugging Techniques
