Venue: European Conference on Cyber Warfare and Security

Detecting Advanced Persistent Threat Malware Using Machine Learning-Based Threat Hunting



Abstract

Malware has always been a threat to computer users. In particular, advanced persistent threats (APTs), which target companies and organizations, often cause considerable losses to victims. Anti-virus software cannot effectively stop APTs from exploiting targets, because APTs excel at using rootkits to hide their tracks and use code obfuscation to impede analysis of their tooling. Moreover, APTs customize malware for every victim, so signature-based anti-virus software cannot detect malware it has not seen before. Rather than passively waiting for an attack and then extracting the malware's signature, threat hunting, an active defensive concept, should be used. The system proposed in this paper focuses on threat hunting: it detects a threat at an early stage and enables an immediate response. We used dynamic analysis to capture the behavior of each process and machine learning to classify that behavior as malicious or benign. Using XGBoost as the classifier, ten-fold cross-validation yielded an F1 score above 0.99, and the classifier successfully classified real-world malware samples.
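The pipeline the abstract outlines (dynamic-analysis traces, behavioral features, a supervised classifier, k-fold cross-validated F1) can be exercised end to end with a small self-contained script. The block below is an added example, not code from the paper: the API-call traces are constructed, a multinomial naive Bayes stands in for XGBoost so the block runs offline with the standard library only, and four folds are used instead of ten because the constructed set has only eight traces. Unigram and bigram features over the call sequence are one common choice for sandbox traces and are an assumption here, not the paper's feature set.

```python
"""Behavior-based malware classification with cross-validated F1 (added example).

Constructed API-call traces stand in for sandbox output, and a small
multinomial naive Bayes stands in for XGBoost so the block runs offline.
"""
import math
from collections import Counter
from typing import Dict, List, Sequence, Tuple

# Constructed sample data: one ordered API-call trace per sandboxed process.
# Label 1 = malicious (injection / persistence / system probing), 0 = benign.
TRACES: List[Tuple[List[str], int]] = [
    (["CreateFile", "WriteFile", "RegSetValue", "CreateRemoteThread", "NtQuerySystemInformation"], 1),
    (["OpenProcess", "VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread", "RegSetValue"], 1),
    (["RegSetValue", "CreateService", "StartService", "NtQuerySystemInformation", "WriteFile"], 1),
    (["OpenProcess", "WriteProcessMemory", "CreateRemoteThread", "DeleteFile", "CreateFile"], 1),
    (["CreateFile", "ReadFile", "WriteFile", "CloseHandle", "CreateFile"], 0),
    (["RegOpenKey", "RegQueryValue", "RegCloseKey", "CreateFile", "ReadFile"], 0),
    (["CreateFile", "ReadFile", "ReadFile", "CloseHandle", "ExitProcess"], 0),
    (["socket", "connect", "send", "recv", "CloseHandle"], 0),
]


def ngram_features(trace: Sequence[str], n: int = 2) -> Counter:
    """Bag of unigram + n-gram features. N-grams keep call order, so a
    VirtualAllocEx->WriteProcessMemory pair becomes a feature of its own."""
    feats = Counter(trace)
    for i in range(len(trace) - n + 1):
        feats["->".join(trace[i:i + n])] += 1
    return feats


class NaiveBayes:
    """Multinomial naive Bayes with Laplace smoothing (stand-in for XGBoost)."""

    def __init__(self, alpha: float = 1.0) -> None:
        self.alpha = alpha

    def fit(self, X: List[Counter], y: List[int]) -> "NaiveBayes":
        self.classes = sorted(set(y))
        self.vocab = {f for x in X for f in x}
        self.log_prior = {c: math.log(y.count(c) / len(y)) for c in self.classes}
        self.counts: Dict[int, Counter] = {c: Counter() for c in self.classes}
        for x, label in zip(X, y):
            self.counts[label].update(x)
        self.total = {c: sum(self.counts[c].values()) for c in self.classes}
        return self

    def predict(self, x: Counter) -> int:
        denom_extra = self.alpha * len(self.vocab)
        scores = {}
        for c in self.classes:
            s = self.log_prior[c]
            for f, n in x.items():
                # Features never seen in training get the smoothed floor in every class.
                p = (self.counts[c][f] + self.alpha) / (self.total[c] + denom_extra)
                s += n * math.log(p)
            scores[c] = s
        return max(scores, key=scores.get)


def f1_score(y_true: Sequence[int], y_pred: Sequence[int], positive: int = 1) -> float:
    """F1 of the positive (malicious) class; 0.0 when there are no true positives."""
    tp = sum(1 for t, p in zip(y_true, y_pred) if t == positive and p == positive)
    fp = sum(1 for t, p in zip(y_true, y_pred) if t != positive and p == positive)
    fn = sum(1 for t, p in zip(y_true, y_pred) if t == positive and p != positive)
    if tp == 0:
        return 0.0
    precision, recall = tp / (tp + fp), tp / (tp + fn)
    return 2 * precision * recall / (precision + recall)


def stratified_folds(y: Sequence[int], k: int) -> List[List[int]]:
    """Round-robin assignment per class so every fold keeps the class ratio."""
    folds: List[List[int]] = [[] for _ in range(k)]
    for c in sorted(set(y)):
        for j, idx in enumerate(i for i, label in enumerate(y) if label == c):
            folds[j % k].append(idx)
    return folds


def cv_f1(data: Sequence[Tuple[List[str], int]], k: int = 4) -> float:
    """k-fold CV: train on k-1 folds, predict the held-out fold, then pool all
    held-out predictions and score them once (more stable on small sets)."""
    X = [ngram_features(t) for t, _ in data]
    y = [label for _, label in data]
    y_true, y_pred = [], []
    for fold in stratified_folds(y, k):
        held = set(fold)
        train = [i for i in range(len(data)) if i not in held]
        model = NaiveBayes().fit([X[i] for i in train], [y[i] for i in train])
        for i in fold:
            y_true.append(y[i])
            y_pred.append(model.predict(X[i]))
    return f1_score(y_true, y_pred)


def hunt(model: NaiveBayes, trace: Sequence[str]) -> int:
    """Score a freshly observed process trace; 1 flags it for analyst triage."""
    return model.predict(ngram_features(trace))


if __name__ == "__main__":
    print(f"4-fold CV F1 on constructed traces: {cv_f1(TRACES):.3f}")
    full = NaiveBayes().fit([ngram_features(t) for t, _ in TRACES], [l for _, l in TRACES])
    print("verdict:", hunt(full, ["OpenProcess", "VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread"]))
```

Two practitioner caveats the toy data hides: held-out F1 is only meaningful when the folds are stratified and the training and held-out traces come from different samples (near-duplicate traces from the same family on both sides inflate the score), and a classifier trained on sandbox traces will miss samples that detect the sandbox and stay idle, so the hunting verdict should be one signal among several rather than an automatic block.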