Journal of Universal Computer Science (Sep 2024)

Exploiting TTPs to Design an Extensible and Explainable Malware Detection System

  • Yashovardhan Sharma,
  • Simon Birnbach,
  • Ivan Martinovic

DOI
https://doi.org/10.3897/jucs.131753
Journal volume & issue
Vol. 30, no. 9
pp. 1140 – 1162

Abstract


In recent years, numerous sophisticated malware detection systems have been proposed, many of which are based on machine learning. Though such systems attain impressive results, they are often designed with effectiveness as the main, if not only, requirement. As a result, the effectiveness of such systems, especially if based on deep learning models, often comes with (i) poor extensibility, being very difficult to adapt and/or extend to other settings, and (ii) poor explainability, since it is often not possible for humans to understand the reasons behind the model’s predictions, making further analysis of threats a challenge. In this paper we show how it is possible to design an extensible and explainable yet effective malware detection system. Extensibility is obtained thanks to the exploitation of TTPs (Tactics, Techniques, and Procedures) from the popular MITRE ATT&CK framework, which is an ontology of adversarial behaviour that allows us to divide the general problem of malware detection into the smaller problems of detecting the different types of malicious activity that can be carried out. Explainability is obtained by returning (i) which TTPs have been detected and are responsible for the classification of the entire behaviour as malicious, and (ii) why such TTPs have been classified as malicious. To demonstrate the viability of this approach we implement these ideas in a system called RADAR. We evaluate RADAR on a very large dataset comprising 2,286,907 malicious and benign samples, representing a total of 84,792,452 network flows. The experimental analysis confirms that the proposed methodology can be effectively exploited: RADAR’s ability to detect malware is comparable to other state-of-the-art non-interpretable systems’ capabilities. To the best of our knowledge, RADAR is the first TTP-based system for malware detection that uses machine learning while being extensible and explainable.
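The design pattern the abstract describes, as an added illustration that is not RADAR's code: one detector per ATT&CK technique over a list of network flows, a registry that is extended by appending a detector, and a verdict that reports which TTPs fired and why. The `Flow` fields, the two hand-written rules and their thresholds are assumptions standing in for the paper's learned per-TTP models.

```python
from dataclasses import dataclass
from typing import Callable

# Assumed flow record: a reduced stand-in for the network-flow features the paper uses.
@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    bytes_out: int

# One detector per ATT&CK technique; each returns (detected, human-readable reason).
@dataclass(frozen=True)
class TTPDetector:
    technique_id: str
    name: str
    detect: Callable[[list[Flow]], tuple[bool, str]]

def network_service_discovery(flows: list[Flow]) -> tuple[bool, str]:
    # Hypothetical rule standing in for a learned model: many distinct ports on one peer.
    if not flows:
        return False, ""
    by_dst: dict[str, set[int]] = {}
    for f in flows:
        by_dst.setdefault(f.dst, set()).add(f.dport)
    dst, ports = max(by_dst.items(), key=lambda kv: len(kv[1]))
    if len(ports) >= 10:
        return True, f"{len(ports)} distinct destination ports contacted on {dst}"
    return False, ""

def exfil_over_dns(flows: list[Flow]) -> tuple[bool, str]:
    # Hypothetical rule: unusually large outbound volume on port 53.
    dns = [f for f in flows if f.dport == 53]
    sent = sum(f.bytes_out for f in dns)
    if sent > 50_000:
        return True, f"{sent} bytes sent over DNS in {len(dns)} flows"
    return False, ""

# Extensibility: supporting a new TTP means appending one more detector here.
REGISTRY: list[TTPDetector] = [
    TTPDetector("T1046", "Network Service Discovery", network_service_discovery),
    TTPDetector("T1048", "Exfiltration Over Alternative Protocol", exfil_over_dns),
]

def classify(flows: list[Flow], registry: list[TTPDetector] = REGISTRY) -> dict:
    # Explainability: the verdict carries every TTP that fired and the reason it fired.
    hits = []
    for d in registry:
        detected, why = d.detect(flows)
        if detected:
            hits.append((d.technique_id, d.name, why))
    return {"malicious": bool(hits), "ttps": hits}

# Constructed sample: one host touching 12 ports on a single peer, plus ordinary HTTPS traffic.
SAMPLE_FLOWS = [Flow("10.0.0.5", "10.0.0.9", p, 60) for p in range(20, 32)] + \
               [Flow("10.0.0.5", "203.0.113.10", 443, 1200)]
```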

Keywords