Skip to Main content Skip to Navigation
Conference papers

Attacking and Defending Dynamic Analysis System-Calls Based IDS

Abstract : Machine-learning augments today’s IDS capability to cope with unknown malware. However, if an attacker gains partial knowledge about the IDS’s classifier, he can create a modified version of his malware, which can evade detection. In this article we present an IDS based on various classifiers using system calls executed by the inspected code as features. We then present a camouflage algorithm that is used to modify malicious code to be classified as benign, while preserving the code’s functionality, for decision tree and random forest classifiers. We also present transformations to the classifier’s input, to prevent this camouflage - and a modified camouflage algorithm that overcomes those transformations. Our research shows that it is not enough to provide a decision tree based classifier with a large training set to counter malware. One must also be aware of the possibility that the classifier would be fooled by a camouflage algorithm, and try to counter such an attempt with techniques such as input transformation or training set updates.
Document type :
Conference papers
Complete list of metadata

Cited literature [15 references]  Display  Hide  Download

https://hal.inria.fr/hal-01639619
Contributor : Hal Ifip <>
Submitted on : Monday, November 20, 2017 - 2:54:20 PM
Last modification on : Tuesday, May 14, 2019 - 1:50:22 PM
Long-term archiving on: : Wednesday, February 21, 2018 - 3:50:01 PM

File

421627_1_En_7_Chapter.pdf
Files produced by the author(s)

Licence


Distributed under a Creative Commons Attribution 4.0 International License

Identifiers

Citation

Ishai Rosenberg, Ehud Gudes. Attacking and Defending Dynamic Analysis System-Calls Based IDS. 10th IFIP International Conference on Information Security Theory and Practice (WISTP), Sep 2016, Heraklion, Greece. pp.103-119, ⟨10.1007/978-3-319-45931-8_7⟩. ⟨hal-01639619⟩

Share

Metrics

Record views

212

Files downloads

274