Countering Malware Via Decoy Processes with Improved Resource Utilization Consistency

2019 First IEEE International Conference on Trust, Privacy and Security in Intelligent Systems and Applications (TPS-ISA) Pub Date : 2019-12-01 DOI:10.1109/TPS-ISA48467.2019.00022

Sara Sutton, Benjamin Bond, Sementa Tahiri, J. Rrushi

{"title":"Countering Malware Via Decoy Processes with Improved Resource Utilization Consistency","authors":"Sara Sutton, Benjamin Bond, Sementa Tahiri, J. Rrushi","doi":"10.1109/TPS-ISA48467.2019.00022","DOIUrl":null,"url":null,"abstract":"The concept of a decoy process is a new development of defensive deception beyond traditional honeypots. Decoy processes can be exceptionally effective in detecting malware, directly upon contact or by redirecting malware to decoy I/O. A key requirement is that they resemble their real counterparts very closely to withstand adversarial probes by threat actors. To be usable, decoy processes need to consume only a small fraction of the resources consumed by their real counterparts. Our contribution in this paper is twofold. We attack the resource utilization consistency of decoy processes provided by a neural network with a heatmap training mechanism, which we find to be insufficiently trained. We then devise machine learning over control flow graphs that improves the heatmap training mechanism. A neural network retrained by our work shows higher accuracy and defeats our attacks without a significant increase in its own resource utilization.","PeriodicalId":129820,"journal":{"name":"2019 First IEEE International Conference on Trust, Privacy and Security in Intelligent Systems and Applications (TPS-ISA)","volume":"106 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2019-12-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"4","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"2019 First IEEE International Conference on Trust, Privacy and Security in Intelligent Systems and Applications (TPS-ISA)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/TPS-ISA48467.2019.00022","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 4

Abstract

The concept of a decoy process is a new development of defensive deception beyond traditional honeypots. Decoy processes can be exceptionally effective in detecting malware, directly upon contact or by redirecting malware to decoy I/O. A key requirement is that they resemble their real counterparts very closely to withstand adversarial probes by threat actors. To be usable, decoy processes need to consume only a small fraction of the resources consumed by their real counterparts. Our contribution in this paper is twofold. We attack the resource utilization consistency of decoy processes provided by a neural network with a heatmap training mechanism, which we find to be insufficiently trained. We then devise machine learning over control flow graphs that improves the heatmap training mechanism. A neural network retrained by our work shows higher accuracy and defeats our attacks without a significant increase in its own resource utilization.

查看原文本刊更多论文

通过提高资源利用一致性的诱饵进程对抗恶意软件

诱骗过程的概念是传统蜜罐防御欺骗的新发展。诱饵进程可以非常有效地检测恶意软件，直接在接触或通过重定向恶意软件到诱饵I/O。一个关键的要求是，它们与真实的对应物非常相似，以抵御威胁行为者的对抗性探测。为了可用，诱饵进程只需要消耗其实际对应进程所消耗资源的一小部分。我们在这篇论文中的贡献是双重的。我们对具有热图训练机制的神经网络提供的诱饵进程的资源利用一致性进行了攻击，发现其训练不足。然后，我们在控制流图上设计机器学习，以改进热图训练机制。通过我们的工作重新训练的神经网络显示出更高的准确性，并且在不显著增加自身资源利用率的情况下击败了我们的攻击。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

2019 First IEEE International Conference on Trust, Privacy and Security in Intelligent Systems and Applications (TPS-ISA)

自引率

0.00%

发文量