Adversaries are increasingly motivated to spend energy trying to evade automatic malware detection tools. Dynamic analysis examines the behavioural trace of malware, which is difficult to obfuscate, but the time required for dynamic analysis means it is not typically used in practice for endpoint protection but rather as an analysis tool. This paper presents a run-time model to detect malicious processes and automatically kill them as they run on a real endpoint in use. This approach enables dynamic analysis to be used to prevent harm to the endpoint, rather than to analyse the cause of damage after the event. Run-time detection introduces the risk of malicious damage to the endpoint and necessitates that malicious processes are detected and killed as early as possible to minimise the opportunities for damage to take place. A distilled machine learning model is used to improve inference speed whilst benefiting from the parameters learned by larger, more computationally intensive model. This paper is the first to focus on tangible benefits of process killing to the user, showing that the distilled model is able to prevent 86.34% of files being corrupted by ransomware whilst maintaining a low false positive rate for unseen benignware of 4.72%.
Download