Perimeter-based detection is no longer sufficient for mitigating the threat posed by malicious software. This is evident as antivirus (AV) products are replaced by endpoint detection and response (EDR) products, the latter allowing visibility into live machine activity rather than relying on the AV to filter out malicious artefacts. This paper argues that detecting malware in real-time on an endpoint necessitates an automated response due to the rapid and destructive nature of some malware. The proposed model uses statistical filtering on top of a machine learning dynamic behavioural malware detection model in order to detect individual malicious processes on the fly and kill those which are deemed malicious. In an experiment to measure the tangible impact of this system, we find that fast-acting ransomware is prevented from corrupting 92% of files with a false positive rate of 14%. Whilst the false-positive rate currently remains too high to adopt this approach as-is, these initial results demonstrate the need for a detection model which is able to act within seconds of the malware execution beginning; a timescale that has not been addressed by previous work.
翻译:由于抗病毒(AV)产品被终端检测和反应(EDR)产品所取代,后者使机器活动能见度,而不是依靠AV过滤恶意人工制品。本文认为,由于某些恶意软件的快速和破坏性性质,实时检测恶意软件已经不足以减轻恶意软件造成的威胁。 拟议的模型在机器学习动态行为恶意软件检测模型之上使用统计过滤器,以检测飞行上的个人恶意过程并杀死那些被视为恶意的。在测量该系统有形影响的实验中,我们发现快速操作的赎金软件无法以14 % 的假正率腐蚀92%的文件。 虽然目前假正率仍然太高,无法采用这种方法,但这些初步结果显示,需要一种能够在恶意软件执行开始数秒内采取行动的检测模型;以前的工作没有涉及这一时间尺度。