Kaspersky Develops Machine Learning Models for Detecting DLL Hijacking Attacks

Source: Kaspersky Securelist

DLL hijacking is an attack technique in which a trusted process is made to load a malicious DLL in place of a legitimate one, so the malicious code runs under the identity of a legitimate process and is hard to distinguish from normal activity. Kaspersky identified key features indicative of DLL hijacking, including unusual library locations, renamed executables, and modified library structures. Kaspersky trained machine learning models on a large, manually labeled dataset of millions of clean and malicious library-loading events collected from telemetry and internal systems.

The first-generation model demonstrated basic feasibility but suffered from high false positives. Successive models incorporated refined labeling, additional features, and techniques like one-hot encoding to improve accuracy and reduce false positives. By the third generation, the model achieved a balance with about 80% true positive rate at very low false positive rates. The models are evaluated continuously and integrated into Kaspersky’s detection pipeline, processing millions of daily security events.
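To make the two preceding paragraphs concrete, the following added example (not Kaspersky's code, and not the model described in the article) extracts the three feature families the text names from library-load events, one-hot encodes the categorical library location, scores events with hand-set weights that stand in for a trained model, and then picks an alert threshold by the same criterion the text describes: the best true positive rate achievable within a false positive rate budget. The event layout, directory classes, weights, and the sample events themselves are constructed assumptions for this illustration.

```python
"""Added example: DLL-hijacking feature extraction, one-hot encoding and a
TPR-at-fixed-FPR evaluation over constructed library-load events.
Not Kaspersky's code; field layout, weights and thresholds are assumptions."""
import ntpath
from typing import Dict, List, Tuple

# Constructed sample events (labels stand in for manual analyst labels:
# 1 = DLL hijack, 0 = clean). Tuple layout is an assumption of this example:
# (process path, OriginalFilename from PE version info, loaded DLL path,
#  DLL export table matches the known-good library, label)
Event = Tuple[str, str, str, bool, int]
EVENTS: List[Event] = [
    (r"C:\Windows\System32\svchost.exe", "svchost.exe", r"C:\Windows\System32\version.dll", True, 0),
    (r"C:\Program Files\Vendor\app.exe", "app.exe", r"C:\Program Files\Vendor\helper.dll", True, 0),
    (r"C:\Program Files\Vendor\app.exe", "app.exe", r"C:\Windows\System32\kernel32.dll", True, 0),
    (r"C:\Windows\explorer.exe", "explorer.exe", r"C:\Windows\System32\shell32.dll", True, 0),
    (r"C:\Users\alice\AppData\Local\Temp\update.exe", "signedtool.exe", r"C:\Users\alice\AppData\Local\Temp\version.dll", False, 1),
    (r"C:\Users\bob\Downloads\notepad.exe", "notepad.exe", r"C:\Users\bob\Downloads\cryptbase.dll", False, 1),
    (r"C:\ProgramData\cache\svc.exe", "legit.exe", r"C:\ProgramData\cache\dbghelp.dll", False, 1),
    (r"C:\Program Files\Vendor\app.exe", "app.exe", r"C:\Users\Public\profapi.dll", True, 1),
    # Legitimate portable app loading its own plugin from a user directory: a hard, clean case.
    (r"C:\Users\carol\Documents\tool.exe", "tool.exe", r"C:\Users\carol\Documents\plugin.dll", True, 0),
]

SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows")
PROGRAM_DIRS = (r"c:\program files (x86)", r"c:\program files")
USER_WRITABLE_DIRS = (r"c:\users", r"c:\programdata", r"c:\temp")
LOCATION_CATEGORIES = ("system", "program_files", "user_writable", "other")


def location_category(dll_path: str) -> str:
    """Map the DLL's directory to a coarse class ("unusual library location")."""
    d = ntpath.dirname(dll_path).lower()  # ntpath handles backslash paths on any OS
    if d.startswith(SYSTEM_DIRS):
        return "system"
    if d.startswith(PROGRAM_DIRS):
        return "program_files"
    if d.startswith(USER_WRITABLE_DIRS):
        return "user_writable"
    return "other"


def one_hot(category: str) -> Dict[str, int]:
    """One-hot encode the location class so a model can weight each class separately."""
    return {f"loc_{c}": int(category == c) for c in LOCATION_CATEGORIES}


def extract_features(event: Event) -> Dict[str, int]:
    """Build the feature vector: location one-hot, renamed executable, modified library."""
    proc_path, orig_name, dll_path, exports_match, _label = event
    feats = one_hot(location_category(dll_path))
    # "renamed executable": on-disk name differs from the version-info OriginalFilename
    feats["renamed_exe"] = int(ntpath.basename(proc_path).lower() != orig_name.lower())
    # "modified library structure": export table does not match the legitimate DLL
    feats["exports_mismatch"] = int(not exports_match)
    return feats


# Hand-set integer weights standing in for a trained model (assumption, not the real model).
WEIGHTS = {"loc_user_writable": 4, "loc_other": 2, "renamed_exe": 3, "exports_mismatch": 3}


def score(event: Event) -> int:
    """Linear score; higher means more likely to be a hijack."""
    feats = extract_features(event)
    return sum(w * feats.get(name, 0) for name, w in WEIGHTS.items())


def tpr_at_fpr(events: List[Event], max_fpr: float) -> Tuple[int, float, float]:
    """Choose the alert threshold with the highest TPR whose FPR stays within budget.
    Returns (threshold, tpr, fpr); alerts fire when score >= threshold."""
    scored = [(score(e), e[4]) for e in events]
    positives = sum(label for _, label in scored)
    negatives = len(scored) - positives
    best = (max(s for s, _ in scored) + 1, 0.0, 0.0)  # default: alert on nothing
    for t in sorted({s for s, _ in scored}, reverse=True):
        tp = sum(1 for s, label in scored if s >= t and label == 1)
        fp = sum(1 for s, label in scored if s >= t and label == 0)
        tpr, fpr = tp / positives, fp / negatives
        if fpr <= max_fpr and tpr > best[1]:
            best = (t, tpr, fpr)
    return best


if __name__ == "__main__":
    for budget in (0.0, 0.25):
        print(f"FPR budget {budget}: (threshold, tpr, fpr) = {tpr_at_fpr(EVENTS, budget)}")
```

With a zero false positive budget the threshold settles at 7 and catches three of the four constructed hijacks; relaxing the budget to 25% lowers the threshold to 4, catches all four, but also alerts on the clean portable-app event, which is exactly the kind of error the text says requires refined labeling and human verification in practice.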

These models have practical implications, detecting thousands of DLL hijacking cases monthly and identifying novel attack variations. They have been deployed in services like Kaspersky SIEM and MDR, where they assist analysts by prioritizing high-confidence alerts. Overall, the project exemplifies effective use of AI in cybersecurity but carries risks related to detection errors and requires ongoing model refinement and human verification to maintain effectiveness.

👉 Read the original: Kaspersky Securelist