Malware-Detection-Framework-for-a-virtual-environment

The main aim of the project is to generate alert signals (when a malign process is detected) using a static approach based on a data visualization technique.

What is Malign/Malicious Process?

Any process that tries to overexploit the available resources qualifies as a malign or malicious process. In a virtual environment, the resources are CPU, memory, and the network stream. A malign process will therefore overexploit these resources by simply wasting CPU cycles, by generating network traffic, or by filling memory with unwanted data variables.

How to Detect a Malign Process?

There are two techniques that are mainly used to detect a malign process:

1. Dynamic Analysis - Under this approach, each statement of the process is analyzed individually, and the changes made to the resources after that statement executes are observed. Thus a single process has to be executed several times before it can be classified as malign.

2. Data Visualization technique - Under this approach, binary images of the processes are created, and different Machine Learning techniques are then applied to those binary images in order to identify the statements that qualify as malign.

In our case, the model used for classification is a deep learning Convolutional Neural Network (CNN), which is especially designed for processing images.

How does an image binary look?

Image Binary File

How does a CNN work?

Neural Networks are essentially mathematical models for solving an optimization problem. They are made of neurons, the basic computation unit of a neural network. A neuron takes an input (say x), does some computation on it (say: multiplies it by a weight w and adds a bias b) to produce a value (say z = wx + b). This value is passed through a non-linear function called the activation function (f) to produce the final output (activation) of the neuron. There are many kinds of activation functions; one of the popular ones is Sigmoid. Neurons are named after their activation function, so there are many kinds of them, such as ReLU, TanH, etc. If you stack neurons in a single line, it is called a layer, which is the next building block of neural networks.

Neural Network Workflow

Layers of Neural Network

  • Convolution Layer- Convolution is a mathematical operation used in signal processing to filter signals, find patterns in signals, etc. In a convolutional layer, all neurons apply the convolution operation to their inputs, hence they are called convolutional neurons. The most important parameter of a convolutional neuron is the filter size.

  • Pooling layer- is mostly used immediately after the convolutional layer to reduce the spatial size (only width and height, not depth). This reduces the number of parameters, and hence the computation. Fewer parameters also help to avoid overfitting (don’t worry about it now; it will be described a little later). The most common form of pooling is Max pooling, where we take a filter of size F×F and apply the maximum operation over each F×F-sized part of the image.

  • Fully Connected Layer- If each neuron in a layer receives input from all the neurons in the previous layer, that layer is called a fully connected layer. The output of this layer is computed by a matrix multiplication followed by a bias offset.
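The two building blocks described above, the binary-to-image step from the Data Visualization technique and the convolution and max-pooling layers, as an added pure-Python example (not the project's code): each byte of a constructed sample binary becomes one grayscale pixel, then a 3×3 filter and a 2×2 max pool are applied to the resulting image. The sample bytes, the filter values and the row width of 8 are assumptions for illustration.

```python
"""Added example, not part of the project: bytes -> grayscale image ->
one convolution layer -> one max-pooling layer, in pure Python."""


def bytes_to_image(data: bytes, width: int) -> list[list[int]]:
    """Map each byte to one pixel (0-255), `width` pixels per row.
    The final row is zero-padded so every row has the same length."""
    if width <= 0:
        raise ValueError("width must be positive")
    padded = data + b"\x00" * (-len(data) % width)
    return [list(padded[i:i + width]) for i in range(0, len(padded), width)]


def convolve2d(img, kernel):
    """'Valid' convolution as CNN frameworks compute it (no kernel flip,
    no padding): slide the F x F filter over the image and sum the
    element-wise products at each position. Output shrinks by F-1."""
    f = len(kernel)
    h, w = len(img), len(img[0])
    out = []
    for y in range(h - f + 1):
        row = []
        for x in range(w - f + 1):
            acc = 0
            for ky in range(f):
                for kx in range(f):
                    acc += img[y + ky][x + kx] * kernel[ky][kx]
            row.append(acc)
        out.append(row)
    return out


def max_pool(img, f=2):
    """Max pooling with an F x F window and stride F: width and height
    shrink by a factor of F; a trailing partial window is dropped."""
    h, w = len(img) // f * f, len(img[0]) // f * f
    return [[max(img[y + dy][x + dx] for dy in range(f) for dx in range(f))
             for x in range(0, w, f)] for y in range(0, h, f)]


# Constructed sample: 32 bytes with a made-up 'MZ' header, not a real binary.
SAMPLE = b"MZ\x90\x00" + bytes(range(0, 256, 16)) + b"\xff" * 12
# Assumed vertical-edge filter; a trained CNN would learn such values.
EDGE_FILTER = [[-1, 0, 1], [-1, 0, 1], [-1, 0, 1]]

if __name__ == "__main__":
    image = bytes_to_image(SAMPLE, width=8)          # 4 rows x 8 cols
    pooled = max_pool(convolve2d(image, EDGE_FILTER))  # 1 row x 3 cols
    print(f"{len(image)}x{len(image[0])} image -> {len(pooled)}x{len(pooled[0])} after conv+pool")
```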