Cited from: https://redteamleaders.coursestack.com/courses/3e9e0212-81dc-49ed-9233-ec9ca894fc6a/take/11---detection-types-signature-heuristic-behavioral-and-machine-learning
ML detection trains models on large datasets of benign and malicious samples (static features and runtime behavior) so that a new sample can be scored as anomalous or malware-like rather than matched against a fixed signature or rule.
Uses supervised, unsupervised, or deep learning models.
Inputs may include:
API call sequence patterns.
Entropy values (e.g., per PE section, where high entropy suggests packed or encrypted code).
File metadata and PE header features.
Memory structure snapshots.
Examples:
Model detects abnormal syscall patterns in a newly compiled EXE.
Flags an executable with a high-entropy .text section and suspicious imports.
Limitations:
Black-box nature makes them difficult to explain, tune, or test against.
High computational cost and susceptibility to adversarial ML.
Evasion techniques:
Adversarial input crafting: inserting benign noise (junk API calls, fake strings).
Using known-good behavior (e.g., copying the behavior of explorer.exe).
Mimicking benign software entropy and structure (e.g., padding a packed section with low-entropy data so the whole-section entropy feature looks normal).