{"title":"A method for estimating process maliciousness with Seq2Seq model","authors":"Shun Tobiyama, Yukiko Yamaguchi, Hirokazu Hasegawa, Hajime Shimada, Mitsuaki Akiyama, Takeshi Yagi","doi":"10.1109/ICOIN.2018.8343120","DOIUrl":null,"url":null,"abstract":"In recent years, cyber-attacks become more sophisticated and the damage caused by these attacks also becomes serious problem. In these attacks, specially-crafted malware, which utilizes countermeasures such as post execution binary elimination or process injection, is used not to be noticed by a target. Therefore, it is hard to detect malware used in these attacks with binary-dependent method before the intrusion, and the countermeasure after intrusion is required. This paper proposes an infection detection method by estimating maliciousness of processes in Windows machines. In our proposal, we extract feature vector sequence from process behavior captured by Process Monitor with Seq2Seq model at first, and then estimate the process maliciousness by classifying with the other Seq2Seq model. We evaluated the performance of our proposal by 5-fold cross validation and compared the performance with the method using uni-gram feature.","PeriodicalId":228799,"journal":{"name":"2018 International Conference on Information Networking (ICOIN)","volume":"129 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"1900-01-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"2","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"2018 International Conference on Information Networking (ICOIN)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/ICOIN.2018.8343120","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
Citations: 2
Abstract
In recent years, cyber-attacks have become more sophisticated, and the damage they cause has become a serious problem. In these attacks, specially crafted malware that employs countermeasures such as post-execution binary elimination or process injection is used so as not to be noticed by the target. It is therefore hard to detect the malware used in these attacks with a binary-dependent method before the intrusion, and a countermeasure after the intrusion is required. This paper proposes an infection detection method that estimates the maliciousness of processes on Windows machines. In our proposal, we first extract a feature vector sequence from process behavior captured by Process Monitor using a Seq2Seq model, and then estimate process maliciousness by classifying that sequence with another Seq2Seq model. We evaluated the performance of our proposal by 5-fold cross-validation and compared it with the performance of a method using uni-gram features.