Premium
Bypassing system calls–based intrusion detection systems
Author(s) -
Rosenberg Ishai,
Gudes Ehud
Publication year - 2016
Publication title -
concurrency and computation: practice and experience
Language(s) - English
Resource type - Journals
SCImago Journal Rank - 0.309
H-Index - 67
eISSN - 1532-0634
pISSN - 1532-0626
DOI - 10.1002/cpe.4023
Subject(s) - camouflage , computer science , malware , classifier (uml) , decision tree , machine learning , artificial intelligence , intrusion detection system , random forest , system call , decision tree learning , data mining , computer security , programming language
Summary Machine learning augments today's intrusion detection system (IDS) capability to cope with unknown malware. However, if an attacker gains partial knowledge about the IDS' classifier, he can create a modified version of his malware, which can evade detection. In this article we present an IDS on the basis of various classifiers using system calls, executed by the inspected code as features. We then present a camouflage algorithm that is used to modify malicious code to be classified as benign, while preserving the code's functionality, for decision tree and random forest classifiers. We also present transformations to the classifier's input, to prevent this camouflage ‐ and a modified camouflage algorithm that overcomes those transformations. Our research shows that it is not enough to provide a decision tree based classifier with a large training set to counter malware. One must also be aware of the possibility that the classifier would be fooled by a camouflage algorithm, and try to counter such an attempt with techniques such as input transformation or training set updates.