The escalating sophistication of cyber-attacks and the widespread use of stealth tactics have created significant security threats globally. Nevertheless, existing static detection methods offer limited coverage, and traditional dynamic monitoring approaches struggle against evasion techniques. It has therefore become imperative to apply nuanced, dynamic analysis that achieves precise behavior detection in real time. Two pressing concerns affect current dynamic malware behavior detection solutions. First, data collection and processing incur significant overhead, making them difficult to employ for real-time detection on the end host. Second, these approaches tend to treat malware as a single entity, thereby overlooking the varied behaviors within one instance. To fill these gaps, we propose PARIS, an adaptive trace-fetching, lightweight, real-time malicious behavior detection system. Specifically, we monitor malicious behavior with Event Tracing for Windows (ETW) and learn to selectively collect maliciousness-related APIs or call stacks, significantly reducing the data collection overhead. As a result, we can monitor a wider range of APIs and detect more intricate attack behavior. We implemented a prototype of PARIS and evaluated the system overhead, the accuracy of comparative behavior recognition, and the impact of different models and parameters. The results demonstrate that PARIS reduces the data volume by over 98.8% compared to the raw ETW trace and hence decreases the overhead on the host in terms of memory, bandwidth, and CPU usage, while matching the detection accuracy of baselines that suffer from high overhead. Furthermore, a breakdown evaluation shows that 80% of the memory and bandwidth savings and the complete reduction in CPU usage can be attributed to our adaptive trace-fetching collector.
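The abstract describes learning which APIs are maliciousness-related and then collecting only those from the ETW stream. The following is an added illustration, not PARIS's own code: it scores APIs by smoothed log-odds over constructed, labelled training traces, derives a fetch set, and measures how much of a constructed ETW-like event stream the collector then drops (the training traces, event records, PIDs and the 0.5 threshold are all assumptions).

```python
from collections import Counter
from math import log

# Constructed labelled training traces (not from the paper): the set of API
# names one process called, with label 1 = malicious, 0 = benign.
TRAINING = [
    (["CreateFileW", "ReadFile", "CloseHandle", "GetTickCount"], 0),
    (["CreateFileW", "WriteFile", "CloseHandle", "Sleep"], 0),
    (["RegOpenKeyExW", "RegQueryValueExW", "CloseHandle"], 0),
    (["OpenProcess", "VirtualAllocEx", "WriteProcessMemory",
      "CreateRemoteThread", "CloseHandle"], 1),
    (["CreateFileW", "WriteFile", "RegSetValueExW", "CreateRemoteThread"], 1),
]

# Constructed ETW-like API call events from one host (hypothetical PIDs).
RAW_EVENTS = [{"pid": p, "api": a} for p, a in [
    (1200, "CreateFileW"), (1200, "ReadFile"), (1200, "CloseHandle"),
    (1310, "RegOpenKeyExW"), (1310, "RegQueryValueExW"), (1310, "CloseHandle"),
    (2044, "OpenProcess"), (2044, "WriteFile"), (2044, "CreateRemoteThread"),
    (2044, "CloseHandle"),
]]

def api_scores(traces):
    """Laplace-smoothed log-odds that an API occurs in a malicious trace
    rather than a benign one; positive means maliciousness-related."""
    mal, ben = Counter(), Counter()
    n_mal = sum(label for _, label in traces)
    n_ben = len(traces) - n_mal
    for apis, label in traces:
        (mal if label else ben).update(set(apis))  # count once per trace
    return {a: log((mal[a] + 1) / (n_mal + 2)) - log((ben[a] + 1) / (n_ben + 2))
            for a in set(mal) | set(ben)}

def select_fetch_set(traces, threshold=0.5):
    """APIs the collector should keep fetching; all others are discarded
    at the source so they never cost memory, bandwidth or CPU downstream."""
    return {a for a, s in api_scores(traces).items() if s >= threshold}

def adaptive_collect(events, fetch_set):
    """Forward only events whose API is in the learned fetch set."""
    return [e for e in events if e["api"] in fetch_set]

def reduction_ratio(events, fetch_set):
    """Fraction of the raw trace the collector drops."""
    return 1 - len(adaptive_collect(events, fetch_set)) / len(events)
```

On the constructed data the fetch set is the five APIs seen only in malicious traces, and the collector drops 80% of the raw stream; with a real ETW feed the training traces and threshold would be tuned against labelled host data.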