Attacking and Defending Dynamic Analysis System-Calls Based IDS

Abstract : Machine-learning augments today’s IDS capability to cope with unknown malware. However, if an attacker gains partial knowledge about the IDS’s classifier, he can create a modified version of his malware, which can evade detection. In this article we present an IDS based on various classifiers using system calls executed by the inspected code as features. We then present a camouflage algorithm that is used to modify malicious code to be classified as benign, while preserving the code’s functionality, for decision tree and random forest classifiers. We also present transformations to the classifier’s input, to prevent this camouflage - and a modified camouflage algorithm that overcomes those transformations. Our research shows that it is not enough to provide a decision tree based classifier with a large training set to counter malware. One must also be aware of the possibility that the classifier would be fooled by a camouflage algorithm, and try to counter such an attempt with techniques such as input transformation or training set updates.
Document type :
Conference papers
Liste complète des métadonnées

Cited literature [15 references]  Display  Hide  Download
Contributor : Hal Ifip <>
Submitted on : Monday, November 20, 2017 - 2:54:20 PM
Last modification on : Saturday, February 17, 2018 - 5:46:02 PM
Document(s) archivé(s) le : Wednesday, February 21, 2018 - 3:50:01 PM


Files produced by the author(s)


Distributed under a Creative Commons Attribution 4.0 International License



Ishai Rosenberg, Ehud Gudes. Attacking and Defending Dynamic Analysis System-Calls Based IDS. Sara Foresti; Javier Lopez. 10th IFIP International Conference on Information Security Theory and Practice (WISTP), Sep 2016, Heraklion, Greece. Springer International Publishing, Lecture Notes in Computer Science, LNCS-9895, pp.103-119, 2016, Information Security Theory and Practice. 〈10.1007/978-3-319-45931-8_7〉. 〈hal-01639619〉



Record views


Files downloads