Graphite: Real-Time Graph-Based Detection of Windows Fileless Malware Attacks
摘要
Advanced malware attacks often employ sophisticated tactics such as DLL injection, script-based attacks, and the exploitation of zero-day vulnerabilities. As evidenced by the recent high-profile cyberattacks, these techniques have enabled attackers to infiltrate computer systems that were thought to be well-protected. There is thus an urgent need to enhance current malware defenses with advanced Artificial Intelligence (AI) techniques that can effectively detect in real-time the elusive traces of malware attacks concealed within the extensive realm of normal activities. This paper introduces Graphite, a graph-based approach for real-time detection of advanced malware attacks based on the event data collected from Event Tracing for Windows (ETW). Graphite first abstracts various entities and their relationships embodied within system events into computation graphs, which are amenable to graph-based machine learning methods. As a computation graph can be gigantic, making real-time malware detection inefficient, we project the graph into smaller graphlets, which are then subsequently fed into our graph-based approach to detect malicious activities. Our experimental results show that Graphite achieves \(87.7\%\) classification accuracy in offline testing and \(86.7\%\) accuracy in real-time detection.