We address the problems of identifying malware in network telemetry logs and
providing emph{indicators of compromise} — comprehensible explanations of
behavioral patterns that identify the threat. In our system, an array of
specialized detectors abstracts network-flow data into comprehensible
emph{network events} in a first step. We develop a neural network that
processes this sequence of events and identifies specific threats, malware
families and broad categories of malware. We then use the
emph{integrated-gradients} method to highlight events that jointly constitute
the characteristic behavioral pattern of the threat. We compare network
architectures based on CNNs, LSTMs, and transformers, and explore the efficacy
of unsupervised pre-training experimentally on large-scale telemetry data. We
demonstrate how this system detects njRAT and other malware based on behavioral
patterns.

By admin