Run-Time Detection of Malicious Behavior Based on Exploit Decomposition Using Deep Learning: A Feasibility Study on SysJoker

  • Conference paper
Embedded Computer Systems: Architectures, Modeling, and Simulation (SAMOS 2023)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 14385)

Abstract

As malicious operations become increasingly complex and involve advanced attack campaigns even on embedded systems and IoT devices, there is a growing need to detect malicious behavior on a system dynamically, as it happens. In this paper, a Deep Learning based dynamic, run-time malicious behavior detection methodology is proposed that relies on the collection of Linux OS execution-flow metrics/features such as CPU, disk and memory usage and their association with MITRE ATT&CK knowledge base exploits. Using that approach, we can emulate the attack sequence of complex malicious activity and use the collected features to train Deep Learning models that classify execution operations at run-time as malicious or not. In the paper, we provide a feasibility study of the proposed solution based on the MITRE ATT&CK exploit attack graph emulation of the SysJoker backdoor malware, and we train several Deep Learning models acting as classifiers. The results show that in the SysJoker use-case study of the proposed approach we obtained more than 99% accuracy and less than 0.5% False Positive and False Negative Rates.
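The feature-labelling step the abstract describes, as an added example that is not the paper's code: OS metric samples (CPU, disk, memory) are tagged with the ATT&CK technique the emulation runner was executing when they were taken, cut into sliding windows for a classifier, and predictions are scored by the false positive and false negative rates the paper reports. The Sample fields, the emulation-log format, the placeholder technique id TECH_A and all sample data are assumptions.

```python
# Added example (not the paper's code): label OS execution-flow samples with the
# ATT&CK technique emulated at that moment, cut them into sliding windows for a
# classifier, and score predictions by FPR/FNR. All data below is constructed.
from dataclasses import dataclass

@dataclass
class Sample:
    t: float        # seconds since monitoring started
    cpu: float      # CPU utilisation, percent
    disk_kb: float  # data written during the sampling interval, KB
    mem_mb: float   # resident memory, MB

def label_samples(samples, emulation_log):
    """emulation_log holds (start, end, technique_id) intervals recorded by the
    emulation runner; a sample gets the id of the interval containing it, or
    'benign'. Overlapping intervals: the latest-starting one wins (assumed)."""
    labels = []
    for s in samples:
        tag = "benign"
        for start, end, tid in sorted(emulation_log):
            if start <= s.t < end:
                tag = tid
        labels.append(tag)
    return labels

def make_windows(samples, labels, size, step):
    """Sliding windows of feature vectors; a window is 'malicious' if any sample
    in it falls inside an emulated technique, so the model sees the metric
    pattern around the technique rather than an isolated reading."""
    out = []
    for i in range(0, len(samples) - size + 1, step):
        feats = [[s.cpu, s.disk_kb, s.mem_mb] for s in samples[i:i + size]]
        techs = sorted(set(labels[i:i + size]) - {"benign"})
        out.append((feats, "malicious" if techs else "benign", techs))
    return out

def fp_fn_rates(y_true, y_pred):
    """False-positive and false-negative rates of a binary classifier."""
    fp = sum(t == "benign" and p == "malicious" for t, p in zip(y_true, y_pred))
    fn = sum(t == "malicious" and p == "benign" for t, p in zip(y_true, y_pred))
    n_benign = y_true.count("benign")
    n_mal = y_true.count("malicious")
    return (fp / n_benign if n_benign else 0.0, fn / n_mal if n_mal else 0.0)

# Constructed 10 s trace: one-second samples with a CPU/disk burst while the
# placeholder technique TECH_A is being emulated (seconds 3 to 6).
SAMPLES = [Sample(t, 5.0 + (40.0 if 3 <= t < 6 else 0.0),
                  1.0 + (200.0 if 3 <= t < 6 else 0.0), 30.0) for t in range(10)]
EMULATION_LOG = [(3.0, 6.0, "TECH_A")]  # placeholder technique id, not from the paper
```

With a 3-sample window, the burst yields five malicious windows and three benign ones, which is the labelled stream a run-time classifier would be trained on.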

Funded in part by the European Union SecOPERA Project with Grant Agreement Nr. 101070599 and the EnerMAN Project with Grant Agreement Nr. 958478.


Corresponding author

Correspondence to Apostolos P. Fournaris .

Copyright information

© 2023 The Author(s), under exclusive license to Springer Nature Switzerland AG

About this paper

Cite this paper

Tsakoulis, T., Haleplidis, E., Fournaris, A.P. (2023). Run-Time Detection of Malicious Behavior Based on Exploit Decomposition Using Deep Learning: A Feasibility Study on SysJoker. In: Silvano, C., Pilato, C., Reichenbach, M. (eds) Embedded Computer Systems: Architectures, Modeling, and Simulation. SAMOS 2023. Lecture Notes in Computer Science, vol 14385. Springer, Cham. https://doi.org/10.1007/978-3-031-46077-7_21

  • DOI: https://doi.org/10.1007/978-3-031-46077-7_21

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-46076-0

  • Online ISBN: 978-3-031-46077-7
