Monotonic models for real-time dynamic malware detection
This addresses the need for reliable real-time malware detection on user devices, though it is incremental as it builds on existing monotonic neural network methods.
The paper tackles the problem of dynamic malware detection by proposing monotonic classification models that ensure predictions are consistent over time and stable against noise, making them suitable for real-time use on user machines. The evaluation shows these models provide stable and interpretable results.
In dynamic malware analysis, programs are classified as malware or benign based on their execution logs. We propose a concept of applying monotonic classification models to the analysis process, to make the trained model's predictions consistent over execution time and provably stable to the injection of any noise or `benign-looking' activity into the program's behavior. The predictions of such models change monotonically through the log in the sense that the addition of new lines into the log may only increase the probability of the file being found malicious, which make them suitable for real-time classification on a user's machine. We evaluate monotonic neural network models based on the work by Chistyakovet al. (2017) and demonstrate that they provide stable and interpretable results.