Sysmon event logs for machine learning-based malware detection

Malware poses a significant threat to modern computing environments, necessitating advanced detection techniques that can adapt to evolving attack methods. This study focuses on dynamic malware analysis using machine learning models to process detailed data from Sysmon Event Logs, a crucial sources of system information that record both running program activities. Sysmon events contain various information on what a program is doing during execution, such as created processes, initiated network connection, DNS queries, modified file and registry keys, and other type of events. Such information can be used to classify malicious or benign software. In this research, we employed various machine learning algorithms, both classification (supervised learning) and outlier detection (unsupervised learning) approaches, such as Naive Bayes, Decision Tree, Random Forest, Support Vector Machine (SVM) for supervised learning, and Isolation Forest, Local Outlier Factor (LOF), and One-Class SVM for unsupervised learning. An extensive set of experiment were conducted to look for the best approach and the most relevant features. Principal Component Analysis (PCA) was applied to select the most relevant features for both supervised and unsupervised learning models. The experiments showed that the Local Outlier Factor (LOF) model with its twenty best features achieved the best performance, with an F1 score of 0.9873.