allfoki.blogg.se

Kidlogger net download





Dynamic malware analysis is fast gaining popularity over static analysis since it is not easily defeated by evasion tactics such as obfuscation and polymorphism. During dynamic analysis it is common practice to capture the system calls that are made in order to better understand the behaviour of malware. There are several techniques to capture system calls, the most popular of which is a user-level hook. To study the effects of collecting system calls at different privilege levels and viewpoints, we collected data at a process-specific user level using a virtualised sandbox environment and at a system-wide kernel level using a custom-built kernel driver. We then tested the performance of several state-of-the-art machine learning classifiers on the data.

Random Forest was the best performing classifier, with an accuracy of 95.2% for the kernel driver and 94.0% at user level. The combination of user- and kernel-level data gave the best classification results, with an accuracy of 96.0% for Random Forest. This may seem intuitive but had hitherto not been empirically demonstrated. Additionally, we observed that machine learning algorithms trained on user-level data tended to use the anti-debug/anti-VM features in malware to distinguish it from benignware, whereas, when trained on data from our kernel driver, they seemed to use differences in the general behaviour of the system to make their prediction, which explains why the two data sources complement each other so well. Our results show that capturing data at different privilege levels affects the classifier's ability to detect malware, with kernel-level data providing more utility than user-level data for malware classification. Despite this, there exist more established user-level tools than kernel-level tools, suggesting that more research effort should be directed at the kernel level. In short, this paper provides the first objective, evidence-based comparison of user- and kernel-level data for the purposes of malware classification.

Antivirus is an important issue for the security of virtual machines (VMs). According to where the antivirus system resides, the existing approaches can be categorized into three classes: the internal approach, the external approach and the hybrid approach. However, the internal approach is susceptible to attacks and may cause antivirus storm and rollback vulnerability problems.





