Transformer-based malware detection using process resource utilization metrics
Malware detection has long relied on signature-based methods limited in detecting zero-day malware attacks. Although efficient, these approaches are vulnerable to obfuscation and evasion techniques. To this end, dynamic approaches utilizing process resource-utilization metrics have emerged as promising alternatives. They solve the aforementioned issues, but require large datasets for training and struggle with false positives and false negatives. This study is the first to explore the application of Transformers for malware detection using process resource-utilization metrics, encoding input data as sequences of processes, with each process represented by its resource-utilization metrics (e.g., CPU, memory, and disk usage). We compare the proposed Transformer-based architecture with the leading LSTM model in terms of accuracy, precision, recall, F1-score and training time, focusing on performance across varying sample sizes, and validate our results with rigorous statistical methodologies. Our findings demonstrate Transformers' ability to maintain high performance even with smaller datasets, and thus to excel in real-world scenarios of limited data availability, and to scale effectively with larger datasets, offering lower false-positive and false-negative rates. We shed light on the models' decision-making processes, introducing the concept of dynamic malware signatures derived from resource-utilization metrics and identifying key features that prominently reflect malware activity. Additionally, we showcase that other tenant processes within the operating system act as indirect indicators of malware presence, providing valuable signals for detection even when the malware process itself is not directly observed. This work establishes Transformers as the state-of-the-art solution for malware detection using process resource-utilization metrics, offering improved accuracy, scalability, and robustness over existing methods.

| Main Authors: | Dimosthenis Natsos, Andreas L. Symeonidis |
|---|---|
| Affiliations: | School of Electrical and Computer Engineering, AUTH, Thessaloniki, 54124, Greece; Cyclopt PC, Thessaloniki, 55535, Greece (corresponding author: Dimosthenis Natsos, AUTH) |
| Format: | Article |
| Language: | English |
| Published: | Elsevier, 2025-03-01 |
| Series: | Results in Engineering, vol. 25, article 104250 |
| ISSN: | 2590-1230 |
| Subjects: | Dynamic malware signatures; Malware cascading effect; Malware detection; Multivariate series classification; Performance metrics; Resource utilization metrics |
| Online Access: | http://www.sciencedirect.com/science/article/pii/S2590123025003366 |
| Collection: | DOAJ (record id doaj-art-f2fbf36bdf9d4dc9bcbb41685f9a9b51) |