To TTP or not to TTP?: Exploiting TTPs to Improve ML-based Malware Detection
| Published in | 2023 IEEE International Conference on Cyber Security and Resilience (CSR), pp. 8-15 |
|---|---|
| Main Authors | , , , |
| Format | Conference Proceeding |
| Language | English |
| Published | IEEE, 31.07.2023 |
| DOI | 10.1109/CSR57506.2023.10225000 |
Summary: In the last decade, machine learning (ML) methods have increasingly been applied to the task of malware detection. While these approaches have surely demonstrated their effectiveness, they still present limitations, some of which are a consequence of their purely data-driven nature. In this paper, we show how the MITRE ATT&CK framework of tactics, techniques, and procedures (TTPs) can be exploited to overcome such limitations and improve their ability to detect malware on networks. We conduct an extensive experimental analysis, testing 7 ML models on 5 large datasets comprising over 37 million flows. Our results clearly demonstrate that adding TTP-based features for training the models robustly improves their performance. Our models outperform the standard ones 922 times out of a total of 952 (i.e., 96.8% of the time), with the biggest improvements (up to 84.9% in terms of FPR) being observed in situations designed to be challenging for ML models.

DOI: 10.1109/CSR57506.2023.10225000