Dual-task agent for run-time classification and killing of malicious processes
Malicious software (malware) is one of the key vectors for cyber criminal activity. New malware samples appear every minute. These new samples are distinct from previous examples because the precise file content is new though the software behaviour may not be new. For this reason, static detection methods perform poorly by comparison with methods using behavioural data. Behavioural analysis, however, is typically conducted in a sandboxed or emulated environment. The sandbox takes several minutes to analyse the file, whilst static detection takes seconds. Some malware behaves one way in a sandbox and differently on a target endpoint, risking the sample being be misclassified. Run-time malware analysis examines software behaviour as it executes on the target endpoint. This eliminates the time delay caused by sandbox analysis and ensures that the behaviour monitored is identical to the behaviour on the target endpoint.Malicious software is capable of causing damage within seconds of delivery, only an automated response is capable of acting quickly enough to mitigate its impact. Previous run-time detection research has not considered real damage prevention to the endpoint.This paper proposes an agent for earlier run-time detection and killing of malware than has previously been presented. The agent uses a dual-task recurrent neural network trained both to maximise classification accuracy and to exercise caution in killing processes, as the latter action is irreversible. Real-time testing of the model found that it was able to detect 90 encryption within 30 seconds of launching) and reduce the number of files encrypted in the first 30 seconds by 50
READ FULL TEXT