Prescience: Probabilistic Guidance on the Retraining Conundrum for Malware Detection

Amit Deo; Santanu Kumar Dash; Guillermo Suarez-Tangil; Vladimir Vovk; Lorenzo Cavallaro

doi:10.1145/2996758.2996769

Prescience: Probabilistic Guidance on the Retraining Conundrum for Malware Detection

Amit Deo, Santanu Kumar Dash, Guillermo Suarez-Tangil, Vladimir Vovk, Lorenzo Cavallaro

Informatics

Research output: Chapter in Book/Report/Conference proceeding › Conference paper › peer-review

23 Citations (Scopus)

196 Downloads (Pure)

Abstract

Malware evolves perpetually and relies on increasingly sophisticated
attacks to supersede defense strategies. Datadriven
approaches to malware detection run the risk of becoming
rapidly antiquated. Keeping pace with malware
requires models that are periodically enriched with fresh
knowledge, commonly known as retraining. In this work,
we propose the use of Venn-Abers predictors for assessing
the quality of binary classification tasks as a first step towards
identifying antiquated models. One of the key bene-
fits behind the use of Venn-Abers predictors is that they are
automatically well calibrated and offer probabilistic guidance
on the identification of nonstationary populations of
malware. Our framework is agnostic to the underlying classification
algorithm and can then be used for building better
retraining strategies in the presence of concept drift. Results
obtained over a timeline-based evaluation with about 90K
samples show that our framework can identify when models
tend to become obsolete.

Original language	English
Title of host publication	ACM Workshop on Artificial Intelligence and Security (AISec)
DOIs	https://doi.org/10.1145/2996758.2996769
Publication status	Published - 28 Oct 2016

Access to Document

10.1145/2996758.2996769

Prescience Probabilistic Guidance on_DEO_Accepted7September2016_GREEN AAM Accepted author manuscript, 650 KB

https://pure.royalholloway.ac.uk/portal/en/publications/prescience-probabilistic-guidance-on-the-retraining-conundrum-for-malware-detection(26784ac9-045a-494c-8d1a-24252363ddf4).html

Cite this

@inbook{68340860885846b2bb9a9f82b8c7ce72,

title = "Prescience: Probabilistic Guidance on the Retraining Conundrum for Malware Detection",

abstract = "Malware evolves perpetually and relies on increasingly sophisticatedattacks to supersede defense strategies. Datadrivenapproaches to malware detection run the risk of becomingrapidly antiquated. Keeping pace with malwarerequires models that are periodically enriched with freshknowledge, commonly known as retraining. In this work,we propose the use of Venn-Abers predictors for assessingthe quality of binary classification tasks as a first step towardsidentifying antiquated models. One of the key bene-fits behind the use of Venn-Abers predictors is that they areautomatically well calibrated and offer probabilistic guidanceon the identification of nonstationary populations ofmalware. Our framework is agnostic to the underlying classificationalgorithm and can then be used for building betterretraining strategies in the presence of concept drift. Resultsobtained over a timeline-based evaluation with about 90Ksamples show that our framework can identify when modelstend to become obsolete.",

author = "Amit Deo and Dash, {Santanu Kumar} and Guillermo Suarez-Tangil and Vladimir Vovk and Lorenzo Cavallaro",

note = "Acceptance Rate: 32%",

year = "2016",

month = oct,

day = "28",

doi = "10.1145/2996758.2996769",

language = "English",

booktitle = "ACM Workshop on Artificial Intelligence and Security (AISec)",

}

TY - CHAP

T1 - Prescience

T2 - Probabilistic Guidance on the Retraining Conundrum for Malware Detection

AU - Deo, Amit

AU - Dash, Santanu Kumar

AU - Suarez-Tangil, Guillermo

AU - Vovk, Vladimir

AU - Cavallaro, Lorenzo

N1 - Acceptance Rate: 32%

PY - 2016/10/28

Y1 - 2016/10/28

N2 - Malware evolves perpetually and relies on increasingly sophisticatedattacks to supersede defense strategies. Datadrivenapproaches to malware detection run the risk of becomingrapidly antiquated. Keeping pace with malwarerequires models that are periodically enriched with freshknowledge, commonly known as retraining. In this work,we propose the use of Venn-Abers predictors for assessingthe quality of binary classification tasks as a first step towardsidentifying antiquated models. One of the key bene-fits behind the use of Venn-Abers predictors is that they areautomatically well calibrated and offer probabilistic guidanceon the identification of nonstationary populations ofmalware. Our framework is agnostic to the underlying classificationalgorithm and can then be used for building betterretraining strategies in the presence of concept drift. Resultsobtained over a timeline-based evaluation with about 90Ksamples show that our framework can identify when modelstend to become obsolete.

AB - Malware evolves perpetually and relies on increasingly sophisticatedattacks to supersede defense strategies. Datadrivenapproaches to malware detection run the risk of becomingrapidly antiquated. Keeping pace with malwarerequires models that are periodically enriched with freshknowledge, commonly known as retraining. In this work,we propose the use of Venn-Abers predictors for assessingthe quality of binary classification tasks as a first step towardsidentifying antiquated models. One of the key bene-fits behind the use of Venn-Abers predictors is that they areautomatically well calibrated and offer probabilistic guidanceon the identification of nonstationary populations ofmalware. Our framework is agnostic to the underlying classificationalgorithm and can then be used for building betterretraining strategies in the presence of concept drift. Resultsobtained over a timeline-based evaluation with about 90Ksamples show that our framework can identify when modelstend to become obsolete.

U2 - 10.1145/2996758.2996769

DO - 10.1145/2996758.2996769

M3 - Conference paper

BT - ACM Workshop on Artificial Intelligence and Security (AISec)

ER -

Prescience: Probabilistic Guidance on the Retraining Conundrum for Malware Detection

Abstract

Access to Document

Fingerprint

Cite this