Towards Online Malware Detection using Process Resource Utilization Metrics
Themistoklis Diamantopoulos, Dimosthenis Natsos, Andreas L. Symeonidis

TL;DR
This paper introduces an online learning method that uses process resource utilization metrics to detect evolving malware in real-time, addressing limitations of traditional static models and improving zero-day malware detection.
Contribution
It presents a novel online malware detection approach that adapts continuously over time using behavioral features, enhancing detection of new and evolving threats.
Findings
Effective in detecting zero-day malware
Performs well with limited data scenarios
Outperforms traditional batch algorithms
Abstract
The rapid growth of Cloud Computing and the Internet of Things (IoT) has significantly increased the interconnection of computational resources, creating an environment where malicious software (malware) can spread rapidly. To address this challenge, researchers are increasingly utilizing Machine Learning approaches to identify malware through behavioral (i.e., dynamic) cues. However, current approaches are limited by their reliance on large labeled datasets, fixed model training, and the assumption that a trained model remains effective over time, disregarding the ever-evolving sophistication of malware. As a result, they often fail to detect evolving malware attacks that adapt over time. This paper proposes an online learning approach for dynamic malware detection that overcomes these limitations by incorporating temporal information to continuously update its models using behavioral…
Taxonomy
Topics: Advanced Malware Detection Techniques · Data Stream Mining Techniques · Network Security and Intrusion Detection
