SIGL: Securing Software Installations Through Deep Graph Learning


Xueyuan Han, Harvard University; Xiao Yu, NEC Laboratories America; Thomas Pasquier, University of Bristol; Ding Li, Peking University; Junghwan Rhee, NEC Laboratories America; James Mickens, Harvard University; Margo Seltzer, University of British Columbia; Haifeng Chen, NEC Laboratories America


Many users implicitly assume that software can only be exploited after it is installed. However, recent supply-chain attacks demonstrate that application integrity must be ensured during installation itself. We introduce SIGL, a new tool for detecting malicious behavior during software installation. SIGL collects traces of system call activity, building a data provenance graph that it analyzes using a novel autoencoder architecture with a graph long short-term memory network (graph LSTM) for the encoder and a standard multilayer perceptron for the decoder. SIGL flags suspicious installations as well as the specific installation-time processes that are likely to be malicious. Using a test corpus of 625 malicious installers containing real-world malware, we demonstrate that SIGL has a detection accuracy of 96%, outperforming similar systems from industry and academia by up to 87% in precision and recall and 45% in accuracy. We also demonstrate that SIGL can pinpoint the processes most likely to have triggered malicious behavior, works on different audit platforms and operating systems, and is robust to training data contamination and adversarial attack. It can be used with application-specific models, even in the presence of new software versions, as well as application-agnostic meta-models that encompass a wide range of applications and installers.

@inproceedings {272316,
author = {Xueyuan Han and Xiao Yu and Thomas Pasquier and Ding Li and Junghwan Rhee and James Mickens and Margo Seltzer and Haifeng Chen},
title = {{SIGL}: Securing Software Installations Through Deep Graph Learning},
booktitle = {30th USENIX Security Symposium (USENIX Security 21)},
year = {2021},
isbn = {978-1-939133-24-3},
pages = {2345--2362},
url = {},
publisher = {USENIX Association},
month = aug
}
