Exploiting ftrace’s function_graph Tracer Features for Machine Learning: A Case Study on Encryption Detection
This paper proposes the use of the Linux kernel's ftrace framework, particularly the function_graph tracer, to generate informative system-level data for machine learning (ML) applications. Experiments on a real-world encryption detection task demonstrate the efficacy of the proposed features across several learning algorithms. The learner is tasked with detecting encryption activity across a large dataset of files, using function call traces and the graph-based features derived from them. Empirical results show an accuracy of $99.28\%$ on this task, underscoring the value of features derived from the function_graph tracer. The results were further validated in an additional experiment on a multi-label classification problem: identifying the running programs from trace data. This work provides comprehensive methodologies for preprocessing raw trace data and extracting graph-based features, advancing the application of ML to system behavior analysis, program identification, and anomaly detection. By bridging the gap between system tracing and ML, this paper paves the way for new approaches to performance monitoring and security analytics.
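The abstract describes preprocessing raw function_graph output into a call graph and extracting graph-based features, but does not show the pipeline. The following is an added, self-contained example written for this page, not the paper's own code: it parses the text format that the kernel's function_graph tracer writes to the trace file (CPU column, optional duration with an overhead marker such as `+`, a `|` separator, then an indented `name() {`, `}` or `name();`), keeps one frame stack per CPU because the tracer interleaves CPUs, and derives simple structural features (node, edge and call counts, maximum depth, maximum fan-out, per-function durations) plus a fixed-vocabulary count vector suitable as ML input. The trace text, function names and the chosen feature set are constructed assumptions for illustration; the paper's actual feature definitions may differ.

```python
import re
from collections import Counter, defaultdict
from dataclasses import dataclass, field

# Constructed sample of function_graph tracer output (not taken from the
# paper's dataset). Layout follows the kernel's documented format:
#   CPU)  DURATION  |  FUNCTION CALLS
SAMPLE_TRACE = """\
# tracer: function_graph
#
# CPU  DURATION                  FUNCTION CALLS
# |     |   |                     |   |   |   |
 0)               |  ksys_write() {
 0)               |    vfs_write() {
 0)   0.412 us    |      rw_verify_area();
 0)               |      ext4_file_write_iter() {
 0)   0.288 us    |        ext4_write_checks();
 0)   3.105 us    |      }
 0) + 12.331 us   |    }
 0) + 14.202 us   |  }
 1)               |  ksys_write() {
 1)               |    vfs_write() {
 1)   0.399 us    |      rw_verify_area();
 1)   2.870 us    |    }
 1)   3.512 us    |  }
"""

# One trace line: "<cpu>)  [<marker> <duration> us]  |  <body>".
LINE_RE = re.compile(
    r"^\s*(?P<cpu>\d+)\)\s*"
    r"(?:[+!#*@$]?\s*(?P<dur>\d+\.\d+)\s+us\s*)?"
    r"\|\s*(?P<body>.*)$"
)


@dataclass
class CallGraph:
    calls: Counter = field(default_factory=Counter)        # function -> times called
    edges: Counter = field(default_factory=Counter)        # (caller, callee) -> count
    durations: dict = field(default_factory=lambda: defaultdict(list))  # function -> [us]
    max_depth: int = 0


def _fn_name(token: str) -> str:
    """'ksys_write() ' -> 'ksys_write'."""
    token = token.strip()
    return token[:-2] if token.endswith("()") else token


def build_call_graph(text: str) -> CallGraph:
    """Parse function_graph text into a call graph with per-CPU frame stacks."""
    g = CallGraph()
    stacks = defaultdict(list)  # cpu -> list of open (entered) function names
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header, comment or unrelated output line
        cpu, dur, body = m.group("cpu"), m.group("dur"), m.group("body").strip()
        stack = stacks[cpu]
        if body.startswith("}"):            # function exit, duration is on this line
            if stack:
                fn = stack.pop()
                if dur is not None:
                    g.durations[fn].append(float(dur))
            continue
        if body.endswith("{"):              # function entry
            fn = _fn_name(body[:-1])
            depth = len(stack) + 1
            is_leaf = False
        elif body.endswith(";"):            # leaf call, duration is on this line
            fn = _fn_name(body[:-1])
            depth = len(stack) + 1
            is_leaf = True
        else:
            continue
        g.calls[fn] += 1
        if stack:
            g.edges[(stack[-1], fn)] += 1
        g.max_depth = max(g.max_depth, depth)
        if is_leaf:
            if dur is not None:
                g.durations[fn].append(float(dur))
        else:
            stack.append(fn)
    return g


def graph_features(g: CallGraph) -> dict:
    """Scalar structural features a classifier can consume directly."""
    fan_out = Counter(caller for caller, _ in g.edges)
    return {
        "n_nodes": len(g.calls),
        "n_edges": len(g.edges),
        "n_calls": sum(g.calls.values()),
        "max_depth": g.max_depth,
        "max_fan_out": max(fan_out.values(), default=0),
    }


def count_vector(g: CallGraph, vocab: list) -> list:
    """Bag-of-functions vector aligned to a fixed vocabulary across traces."""
    return [g.calls.get(fn, 0) for fn in vocab]


if __name__ == "__main__":
    graph = build_call_graph(SAMPLE_TRACE)
    print(graph_features(graph))
    print(count_vector(graph, sorted(graph.calls)))
```

On a live system the same text is read from the trace file under tracefs (`/sys/kernel/tracing/trace`, or `/sys/kernel/debug/tracing/trace` on older setups) after selecting `function_graph` as `current_tracer`, which requires root. The vocabulary passed to `count_vector` must be fixed from the training set so that feature positions are stable across traces.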