Journal article
Exploiting TTPs to design an extensible and explainable malware detection system
- Abstract:
- In recent years, numerous sophisticated malware detection systems have been proposed, many of which are based on machine learning. Though such systems attain impressive results, they are often designed with effectiveness as the main, if not only, requirement. As a result, the effectiveness of such systems, especially if based on deep learning models, often comes with (i) poor extensibility, being very difficult to adapt and/or extend to other settings, and (ii) poor explainability, since it is often not possible for humans to understand the reasons behind the model's predictions, making further analysis of threats a challenge. In this paper we show how it is possible to design an extensible and explainable yet effective malware detection system. Extensibility is obtained thanks to the exploitation of TTPs (Tactics, Techniques, and Procedures) from the popular MITRE ATT&CK framework, which is an ontology of adversarial behaviour that allows us to divide the general problem of malware detection into the smaller problems of detecting the different types of malicious activity that can be carried out. Explainability is obtained by returning (i) which TTPs have been detected and are responsible for the classification of the entire behaviour as malicious, and (ii) why such TTPs have been classified as malicious. To demonstrate the viability of this approach we implement these ideas in a system called RADAR. We evaluate RADAR on a very large dataset comprising 2,286,907 malicious and benign samples, representing a total of 84,792,452 network flows. The experimental analysis confirms that the proposed methodology can be effectively exploited: RADAR's ability to detect malware is comparable to that of other state-of-the-art non-interpretable systems. To the best of our knowledge, RADAR is the first TTP-based system for malware detection that uses machine learning while being extensible and explainable.
- Publication status:
- Published
- Peer review status:
- Peer reviewed
- Files:
- Version of record (pdf, 985.6KB)
- Publisher copy:
- 10.3897/jucs.131753
Authors
- Publisher:
- Graz University of Technology
- Journal:
- Journal of Universal Computer Science
- Volume:
- 30
- Issue:
- 9
- Pages:
- 1140-1162
- Publication date:
- 2024-09-14
- Acceptance date:
- 2024-05-30
- DOI:
- 10.3897/jucs.131753
- EISSN:
- 0948-6968
- ISSN:
- 0948-695X
- Language:
- English
- Keywords:
- Pubs id:
- 2013587
- Local pid:
- pubs:2013587
- Deposit date:
- 2024-07-10
Terms of use
- Copyright holder:
- Sharma et al.
- Copyright date:
- 2024
- Rights statement:
- © Yashovardhan Sharma, Simon Birnbach, Ivan Martinovic. This is an open access article distributed under the terms of the Creative Commons Attribution License (CC BY-ND 4.0). This license allows reusers to copy and distribute the material in any medium or format in unadapted form only, and only so long as attribution is given to the creator. The license allows for commercial use.