English

Monotonic models for real-time dynamic malware detection

Cryptography and Security 2018-04-11 v1

Abstract

In dynamic malware analysis, programs are classified as malware or benign based on their execution logs. We propose a concept of applying monotonic classification models to the analysis process, to make the trained model's predictions consistent over execution time and provably stable to the injection of any noise or `benign-looking' activity into the program's behavior. The predictions of such models change monotonically through the log in the sense that the addition of new lines into the log may only increase the probability of the file being found malicious, which make them suitable for real-time classification on a user's machine. We evaluate monotonic neural network models based on the work by Chistyakovet al. (2017) and demonstrate that they provide stable and interpretable results.

Keywords

Cite

@article{arxiv.1804.03643,
  title  = {Monotonic models for real-time dynamic malware detection},
  author = {Alexander Chistyakov and Ekaterina Lobacheva and Alexander Shevelev and Alexey Romanenko},
  journal= {arXiv preprint arXiv:1804.03643},
  year   = {2018}
}

Comments

Published at Workshop track of ICLR 2018

R2 v1 2026-06-23T01:19:38.361Z