Litcius/Paper detail

Transformer-based malware detection using process resource utilization metrics

Dimosthenis Natsos, Andreas L. Symeonidis

2025Results in Engineering12 citationsDOIOpen Access PDF

Abstract

Malware detection has long relied on signature-based methods limited in detecting zero-day malware attacks. Although efficient, these approaches are vulnerable to obfuscation and evasion techniques. To this end, dynamic approaches utilizing process resource-utilization metrics have emerged as promising alternatives. They solve the aforementioned issues, but require large datasets for training and struggle with false-positives and false-negatives. This study is the first to explore the application of Transformers for malware detection using process resource-utilization metrics, encoding input data as sequences of processes, with each process represented by its resource-utilization metrics (e.g., CPU, memory, and disk usage). We compare the proposed Transformer-based architecture with the leading LSTM model in terms of accuracy, precision, recall, F1-score and training time, focusing on performance across varying sample sizes and validate our results with rigorous statistical methodologies. Our findings demonstrate Transformers' ability to maintain high performance even with smaller datasets, thus excel in real-world scenarios of limited data availability, and scale effectively with larger datasets, offering lower false-positive and false-negative rates. We shed light on the models' decision-making processes, introducing the concept of dynamic malware signatures derived from resource-utilization metrics and identifying key features that prominently reflect malware activity. Additionally, we showcase that other tenant processes within the operating system act as indirect indicators of malware presence, providing valuable signals for detection even when the malware process itself is not directly observed. This work establishes Transformers as the state-of-the-art solution for malware detection using process resource-utilization metrics, offering improved accuracy, scalability, and robustness over existing methods. • Transformers outperform existing detection solutions using performance metrics • Transformers outperform SOTA on limited data and scale efficiently on larger datasets • Process status, memory, ionice, nice and network metrics are pivotal for detection • Malware manifestation on other OS tenant processes, the primary detection indicator

Topics & Concepts

Computer scienceMalwareProcess (computing)Data miningComputer securityOperating systemAdvanced Malware Detection TechniquesNetwork Security and Intrusion DetectionSmart Grid Security and Resilience
Transformer-based malware detection using process resource utilization metrics | Litcius