Probabilistic Inference on Integrity for Access Behavior Based Malware Detection

Abstract

Integrity protection has proven an effective way of malware detection and defense. Determining the integrity of subjects (programs) and objects (files and registries) plays a fundamental role in integrity protection. However, the large numbers of subjects and objects, and intricate behaviors place burdens on revealing their integrities either manually or by a set of rules. In this paper, we propose a probabilistic model of integrity in modern operating system. Our model builds on two primary security policies, “no read down” and “no write up”, which make connections between observed access behaviors and the inherent integrity ordering between pairs of subjects and objects. We employ a message passing based inference to determine the integrity of subjects and objects under a probabilistic graphical model. Furthermore, by leveraging a statistical classifier, we build an integrity based access behavior model for malware detection. Extensive experimental results on a real-world dataset demonstrate that our model is capable of detecting 7,257 malware samples from 27,840 benign processes at 99.88 % true positive rate under 0.1 % false positive rate. These results indicate the feasibility of our probabilistic integrity model.

Appendix- Derivation of Eq. (8)

\(P(E_I|Acc)\propto \sum _{T}{P(Acc|T)P(T|E_I)\sum _{D}{P(E_I|D)P(D)}}\), where

$$\begin{aligned} \sum _{D}{P(E_I|D)P(D)}= {\left\{ \begin{array}{ll} \sum _{D}{d_1P(D)}=\mathbb {E}_D(d_1)=\frac{\alpha _1}{\alpha _1+\alpha _2+\alpha _3}, &{} \text {if } I(s)<I(o), \\ \sum _{D}{d_2P(D)}=\mathbb {E}_D(d_2)=\frac{\alpha _2}{\alpha _1+\alpha _2+\alpha _3}, &{} \text {if } I(s)=I(o), \\ \sum _{D}{d_3P(D)}=\mathbb {E}_D(d_3)=\frac{\alpha _3}{\alpha _1+\alpha _2+\alpha _3}, &{} \text {if } I(s)>I(o). \end{array}\right. } \end{aligned}$$

(18)

And then,

1. (1.)

   If \(I(s)<I(o)\):

   $$ \begin{aligned} P(<|Acc)\propto & {} \frac{\alpha _1}{\alpha _1+\alpha _2+\alpha _3}\Delta \int _{T}{t_1^{N_r}t_2^{N_w}t_3^{N_{r \& w}} \frac{t_1^{\beta _1}t_2^{\beta _2-1}t_3^{\beta _3-1}}{B(1+\beta _1, \beta _2, \beta _3)}} \mathop {}\!\mathrm {d}T, \nonumber \\= & {} \frac{\alpha _1}{\alpha _1+\alpha _2+\alpha _3}\Delta \frac{B(N_r+\beta _1+1, N_w+\beta _2, N_{r \& w}\beta _3)}{B(1+\beta _1, \beta _2, \beta _3)}, \nonumber \\= & {} \frac{\alpha _1}{\alpha _1+\alpha _2+\alpha _3}\Delta \frac{\beta _1+\beta _2+\beta _3}{\beta _1}\frac{N_r+\beta _1}{N+\beta _1+\beta _2+\beta _3}\Omega , \end{aligned}$$

   (19)

   where \( \Delta =\frac{\Gamma (N+1)}{\Gamma (N_r+1)\Gamma (N_w+1)\Gamma (N_{r \& w}+1)}\), \( \Omega =\frac{B(N_r+\beta _1, N_w+\beta _2, N_{r \& w}+\beta _3)}{B(\beta _1, \beta _2, \beta _3)}\), and \(B(\beta _1, \beta _2, \beta _3)=\frac{\Gamma (\beta _1)\Gamma (\beta _2)\Gamma (\beta _3)}{\Gamma (\beta _1+\beta _2+\beta _3)}\).

2. (2.)

   If \(I(s)=I(o)\):

   $$ \begin{aligned} P(=|Acc) \propto \frac{\alpha _2}{\alpha _1+\alpha _2+\alpha _3}\Delta \int _{T}{t_1^{N_r}t_2^{N_w}t_3^{N_{r \& w}} \frac{t_1^{\beta _1-1}t_2^{\beta _2-1}t_3^{\beta _3-1}}{B(\beta _1, \beta _2, \beta _3)}} \mathop {}\!\mathrm {d}T = \frac{\alpha _2}{\alpha _1+\alpha _2+\alpha _3}\Delta \Omega . \end{aligned}$$

   (20)
3. (3.)

   If \(I(s)>I(o)\):

   $$ \begin{aligned} P(>|Acc)\propto & {} \frac{\alpha _3}{\alpha _1+\alpha _2+\alpha _3}\Delta \int _{T}{t_1^{N_r}t_2^{N_w}t_3^{N_{r \& w}} \frac{t_1^{\beta _1-1}t_2^{\beta _2}t_3^{\beta _3-1}}{B(\beta _1, \beta _2+1, \beta _3)}} \mathop {}\!\mathrm {d}T, \nonumber \\= & {} \frac{\alpha _3}{\alpha _1+\alpha _2+\alpha _3}\Delta \frac{\beta _1+\beta _2+\beta _3}{\beta _2}\frac{N_w+\beta _2}{N+\beta _1+\beta _2+\beta _3}\Omega . \nonumber \\ \end{aligned}$$

   (21)

Summing up Eqs. (19)–(21), we derive the posterior distribution of \(E_I\) given Acc, i.e., \(P(E_I|Acc)\), as shown in Eqs. (9)–(11).