Sysmon event logs for machine learning-based malware detection
Malware poses a significant threat to modern computing environments, necessitating advanced detection techniques that can adapt to evolving attack methods. This study focuses on dynamic malware analysis using machine learning models to process detailed data from Sysmon Event Logs, a crucial source of system information that records running program activities. Sysmon events contain various information on what a program is doing during execution, such as created processes, initiated network connections, DNS queries, modified files and registry keys, and other types of events. Such information can be used to classify software as malicious or benign. In this research, we employed various machine learning algorithms, both classification (supervised learning) and outlier detection (unsupervised learning) approaches: Naive Bayes, Decision Tree, Random Forest and Support Vector Machine (SVM) for supervised learning, and Isolation Forest, Local Outlier Factor (LOF) and One-Class SVM for unsupervised learning. An extensive set of experiments was conducted to look for the best approach and the most relevant features. Principal Component Analysis (PCA) was applied to select the most relevant features for both supervised and unsupervised learning models. The experiments showed that the Local Outlier Factor (LOF) model with its twenty best features achieved the best performance, with an F1 score of 0.9873.
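The pipeline the abstract describes has two halves: turn a program's Sysmon events into a per-process feature vector, then hand that vector to an outlier detector trained on benign behaviour. The following is an added example written for this record, not code from the paper or its authors. It counts five Sysmon event types (process create, network connect, file create, registry value set, DNS query; the event IDs are Sysmon's own) per ProcessGuid and scores each vector with a from-scratch Local Outlier Factor fitted on a benign baseline. The events, the baseline vectors and the 1.5 flagging threshold are constructed for illustration; the paper's real pipeline used PCA-selected features (twenty for its best LOF model) rather than these five raw counts.

```python
"""Sysmon events -> per-process count vectors -> Local Outlier Factor (novelty mode).

Added example; not the paper's code. Events, baseline and threshold are constructed.
"""
import math
from collections import Counter, defaultdict

# Sysmon event IDs used as features (IDs are Sysmon's own; the feature set is a choice).
FEATURE_EVENTS = {
    1: "process_create",
    3: "network_connect",
    11: "file_create",
    13: "registry_set",
    22: "dns_query",
}


def events_to_features(events):
    """Aggregate events (dicts with Sysmon's EventID and ProcessGuid fields, as an
    EVTX-to-JSON exporter emits them) into one count vector per process,
    ordered like FEATURE_EVENTS. Unlisted event types are ignored."""
    counts = defaultdict(Counter)
    for ev in events:
        eid = int(ev["EventID"])
        if eid in FEATURE_EVENTS:
            counts[ev["ProcessGuid"]][eid] += 1
    return {guid: [c[eid] for eid in FEATURE_EVENTS] for guid, c in counts.items()}


def _dist(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


class LocalOutlierFactor:
    """Minimal LOF (Breunig et al., 2000) in novelty mode: fit on benign vectors,
    score unseen vectors against them. Uses exactly k nearest neighbours, ties
    broken by input order, which is also what scikit-learn does."""

    def __init__(self, k=3):
        self.k = k

    def fit(self, X):
        self.X = [list(map(float, x)) for x in X]
        if len(self.X) <= self.k:
            raise ValueError("need more than k training vectors")
        self._nbrs = [self._neighbours(x, exclude=i) for i, x in enumerate(self.X)]
        self._kdist = [nb[-1][1] for nb in self._nbrs]      # distance to k-th neighbour
        self._lrd = [self._lrd_from(nb) for nb in self._nbrs]
        return self

    def _neighbours(self, x, exclude=None):
        cands = [(j, _dist(x, y)) for j, y in enumerate(self.X) if j != exclude]
        cands.sort(key=lambda t: t[1])
        return cands[: self.k]

    def _lrd_from(self, nbrs):
        # Reachability distance: never closer than the neighbour's own k-distance,
        # which smooths density estimates inside tight clusters.
        reach = [max(self._kdist[j], d) for j, d in nbrs]
        return 1.0 / max(sum(reach) / len(reach), 1e-9)   # guard duplicate points

    def score(self, x):
        """LOF of x relative to the training set: about 1 for inliers, >> 1 for outliers."""
        nbrs = self._neighbours(list(map(float, x)))
        lrd_x = self._lrd_from(nbrs)
        return sum(self._lrd[j] for j, _ in nbrs) / len(nbrs) / lrd_x


# Constructed benign baseline: count vectors in FEATURE_EVENTS order, standing in for
# vectors extracted from sandbox runs of known-good programs.
BENIGN_BASELINE = [
    [1, 2, 3, 1, 2], [1, 3, 2, 1, 3], [2, 2, 4, 2, 2],
    [1, 2, 3, 2, 3], [2, 3, 2, 1, 2], [1, 1, 3, 1, 1],
]
LOF_THRESHOLD = 1.5   # constructed; tune on held-out benign data


def _constructed_events(guid, event_ids):
    """Build constructed Sysmon-shaped events for one process (not real telemetry)."""
    return [{"EventID": e, "ProcessGuid": guid} for e in event_ids]


SAMPLE_EVENTS = (
    _constructed_events("{benign-1}", [1, 3, 3, 11, 11, 13, 22, 22])
    + _constructed_events("{suspect-1}", [1, 1, 1, 3, 3, 3, 3, 11, 11] + [13] * 5 + [22] * 6)
)


def score_events(events, baseline=BENIGN_BASELINE, k=3):
    """Return {ProcessGuid: LOF score} for every process seen in `events`."""
    model = LocalOutlierFactor(k).fit(baseline)
    return {guid: model.score(vec) for guid, vec in events_to_features(events).items()}


if __name__ == "__main__":
    for guid, s in score_events(SAMPLE_EVENTS).items():
        verdict = "OUTLIER" if s > LOF_THRESHOLD else "inlier"
        print(f"{guid}: LOF={s:.2f} {verdict}")
```

The benign process scores close to 1 and the registry- and DNS-heavy process scores well above the threshold. Two practitioner caveats the abstract does not spell out: a count vector throws away order and targets (which key, which domain), so a sample that merely spreads the same activity over several child processes dilutes its per-process counts, and LOF compares against whatever baseline you fit, so a baseline that already contains malware will teach the model to treat it as normal.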
| Main Authors: | Riki Mi’roj Achmad, Dyah Putri Nariswari, Baskoro Adi Pratomo, Hudan Studiawan |
|---|---|
| Format: | Article |
| Language: | English |
| Published: | KeAi Communications Co., Ltd., 2025-12-01 |
| Series: | Cyber Security and Applications |
| Subjects: | Malware detection; Dynamic analysis; Sysmon; Windows event logs; Machine learning |
| Online Access: | http://www.sciencedirect.com/science/article/pii/S277291842500027X |
| DOI: | 10.1016/j.csa.2025.100110 |
| author | Riki Mi’roj Achmad; Dyah Putri Nariswari; Baskoro Adi Pratomo; Hudan Studiawan |
|---|---|
| collection | DOAJ |
| description | Malware poses a significant threat to modern computing environments, necessitating advanced detection techniques that can adapt to evolving attack methods. This study focuses on dynamic malware analysis using machine learning models to process detailed data from Sysmon Event Logs, a crucial source of system information that records running program activities. Sysmon events contain various information on what a program is doing during execution, such as created processes, initiated network connections, DNS queries, modified files and registry keys, and other types of events. Such information can be used to classify software as malicious or benign. In this research, we employed various machine learning algorithms, both classification (supervised learning) and outlier detection (unsupervised learning) approaches: Naive Bayes, Decision Tree, Random Forest and Support Vector Machine (SVM) for supervised learning, and Isolation Forest, Local Outlier Factor (LOF) and One-Class SVM for unsupervised learning. An extensive set of experiments was conducted to look for the best approach and the most relevant features. Principal Component Analysis (PCA) was applied to select the most relevant features for both supervised and unsupervised learning models. The experiments showed that the Local Outlier Factor (LOF) model with its twenty best features achieved the best performance, with an F1 score of 0.9873. |
| format | Article |
| id | doaj-art-ca4fd75577cf41f2b2f1a1b7bda08c6f |
| institution | DOAJ |
| issn | 2772-9184 |
| language | English |
| publishDate | 2025-12-01 |
| publisher | KeAi Communications Co., Ltd. |
| record_format | Article |
| series | Cyber Security and Applications |
| doi | 10.1016/j.csa.2025.100110 |
| volume | 3 |
| article_number | 100110 |
| affiliation | Department of Informatics, Institut Teknologi Sepuluh Nopember, Surabaya, 60111, East Java, Indonesia (all four authors) |
| corresponding_author | Baskoro Adi Pratomo |
| title | Sysmon event logs for machine learning-based malware detection |
| topic | Malware detection; Dynamic analysis; Sysmon; Windows event logs; Machine learning |
| url | http://www.sciencedirect.com/science/article/pii/S277291842500027X |