Machine Learning and Recognition of User Tasks for Malware Detection

Malware often act on a compromised machine with the identifier of a legitimate user. We analyzed numerous malware and user tasks, and found subtle differences between how the two operate on a machine. We have developed a machine learning approach that characterizes user tasks through their resource utilization. We have found that many routine user tasks retain their resource utilization patterns, despite the occurrence of new dynamics each time a user carries out those tasks. On the other hand, upon landing on a target machine, malware perform a substantial amount of work to explore the machine and discover resources that are of interest to threat actors. Our approach collects live performance counter data from the operating system kernel, and subsequently pre-processes and analyzes those data to learn and then recognize the resource utilization of a task. We develop decoy process mechanisms that camouflage performance counter data to prevent malware from learning the resource utilization of a user task. We tested our approach against both legitimate users in real-world work settings and malware samples, and discuss our findings in the paper.