A Windows Malware Detection Method Based on Semantic Analysis

doi:10.3969/j.issn.1671-1122.2023.10.008

Abstract

Abstract:

Windows malware has posed a serious threat to personal, enterprise, and national security. In order to detect new malware effectively and analyze the working mechanism of malware in depth, this paper proposed a Windows malware detection method based on semantic analysis. The proposed method extracted the API call dependency graph as the low-level behavior feature of the software by leveraging symbolic execution technology. Subsequently, this graph was mapped to the attack techniques in the adversarial tactics, techniques, and common knowledge (ATT & CK) framework through pattern discovery and matching methods, which could reflect the behavioral semantics of malware. Moreover, in this paper, a support vector machine classifier was built, and the attack technique features were used as inputs for the classifier to perform training and testing. Experimental results indicate that the proposed method can effectively discover new malware.

Key words: malware detection, symbolic execution, ATT & CK

CLC Number:

TP309

WANG Yu, LYU Liangshuang, XIA Chunhe. A Windows Malware Detection Method Based on Semantic Analysis[J]. Netinfo Security, 2023, 23(10): 58-63.

Figures/Tables 3

References 21

[1]	KARNIK A, GOSWAMI S, GUHA R. Detecting Obfuscated Viruses Using Cosine Similarity Analysis[C]// IEEE. First Asia International Conference on Modelling & Simulation. New York: IEEE, 2007: 165-170.
[2]	BRUSCHI D, MARTIGNONI L, MONGA M J I S, et al. Code Normalization for Self-Mutating Malware[J]. IEEE Security & Privacy, 2007, 5(2): 46-54.
[3]	BEAUCAMPS P, GNAEDIG I, MARION J Y. Behavior Abstraction in Malware Analysis[C]// Springer. International Conference on Runtime Verification 2010. Berlin:Springer, 2010: 168-182.
[4]	ZHANG Boyun, YIN Jianping, HAO Jingbo, et al. Malicious Codes Detection Based on Ensemble Learning[C]// Springer. International Conference on Autonomic and Trusted Computing 2007. Berlin:Springer, 2007: 468-477.
[5]	VEERAMANI R, RAI N. Windows API Based Malware Detection and Framework Analysis[C]// IEEE. International Conference on Networks and Cyber Security. New York: IEEE, 2012: 1-6.
[6]	TRINIUS P, WILLEMS C, HOLZ T, et al. A Malware Instruction Set for Behavior-Based Analysis[EB/OL]. (2010-01-01) [2023-05-12]. https://www.researchgate.net/publication/221307249_A_Malware_Instruction_Set_for_Behavior-Based_Analysis.
[7]	SEARLES R, XU Lifan, KILLIAN W, et al. Parallelization of Machine Learning Applied to Call Graphs of Binaries for Malware Detection[C]// IEEE. 25th Euromicro International Conference on Parallel, Distributed and Network-Based Processing (PDP). New York: IEEE, 2017: 69-77.
[8]	KI Y, KIM E, KIM H K. A Novel Approach to Detect Malware Based on API Call Sequence Analysis[J]. International Journal of Distributed Sensor Networks, 2015, 11(6): 1-9.
[9]	MIRA F, BROWN A, HUANG Wei. Novel Malware Detection Methods by Using LCS and LCSS[C]// IEEE. 2016 22nd International Conference on Automation and Computing (ICAC). New York: IEEE, 2016: 554-559.
[10]	DING Yuxin, XIA Xiaoling, CHEN Sheng, et al. A Malware Detection Method Based on Family Behavior Graph[J]. Computers & Security, 2018(73): 73-86.
[11]	MING Jiang, XIN Zhi, LAN Pengwei, et al. Impeding Behavior-Based Malware Analysis via Replacement Attacks to Malware Specifications[J]. Journal of Computer Virology and Hacking Techniques, 2017, 13(3): 193-207. doi: 10.1007/s11416-016-0281-3 URL
[12]	PEKTAS A, ACARMAN T. Classification of Malware Families Based on Runtime Behaviors[J]. Journal of Information Security and Applications, 2017(37): 91-100.
[13]	YUCEL C, KOLTUKSUZ A. Imaging and Evaluating the Memory Access for Malware[EB/OL]. (2020-03-01) [2023-05-12]. https://www.sciencedirect.com/science/article/abs/pii/S1742287619301902.
[14]	OOSTHOEK K, DOERR C. SoK: ATT&CK Techniques and Trends in Windows Malware[C]// Springer. International Conference on Security and Privacy in Communication Systems. Berlin:Springer, 2019: 406-425.
[15]	SMITH M R, JOHNSON N T, INGRAM J B, et al. Mind the Gap: on Bridging the Semantic Gap Between Machine Learning and Malware Analysis[C]// ACM. 13th ACM Workshop on Artificial Intelligence and Security. New York: ACM, 2020: 49-60.
[16]	YANG Ping, SHU Hui, KANG Fei, et al. Generating Malicious Code Attack Graph Using Semantic Analysis[J]. Computer Science, 2021, 48(S1): 448-458.
	杨萍, 舒辉, 康绯, 等. 一种基于语义分析的恶意代码攻击图生成方法[J]. 计算机科学, 2021, 48(S1): 448-458.
[17]	LENGAUER T, TARJAN R E. A Fast Algorithm for Finding Dominators in a Flowgraph[J]. ACM Transactions on Programming Languages and Systems, 1979, 1(1): 121-141. doi: 10.1145/357062.357071 URL
[18]	EAGLE C. The IDA Pro Book[M]. San Francisco: No Starch Press, 2011.
[19]	HARDOROUDI A H, DARESHURI A F, SARKAN H M. Robust Corrective and Preventive Action[C]// IEEE. 2011 IEEE International Systems Conference. New York: IEEE, 2011: 21-30.
[20]	ANDERSON H S, ROTH P. EMBER: An Open Dataset for Training Static PE Malware Machine Learning Models[EB/OL]. (2018-04-16) [2023-05-12]. https://arxiv.org/abs/1804.04637.
[21]	RAFF E, BARKER J, SYLVESTER J, et al. Malware Detection by Eating a Whole EXE[EB/OL]. (2017-10-25) [2023-05-12]. https://arxiv.org/abs/1710.09435.

任务目标	特征	准确率	精确率	召回率	F1值
未知恶意软件家族样本检测	字节码	81.95%	78.33%	87.29%	82.57%
	操作码（2-gram）	72.50%	68.08%	84.70%	75.49%
	导入API	87.34%	82.89%	93.43%	87.85%
	攻击技术模式	91.91%	89.56%	94.94%	91.96%
新出现的恶意软件样本检测	字节码	78.59%	77.71%	76.71%	77.20%
	操作码（2-gram）	80.19%	77.23%	83.07%	80.04%
	导入API	86.77%	84.60%	88.03%	86.28%
	攻击技术模式	87.07%	88.64%	83.33%	85.90%

任务目标	方法	准确率	精确率	召回率	F1值
未知恶意软件家族样本检测	MalConv	83.51%	78.61%	91.10%	84.40%
	LightGBM	92.32%	89.33%	95.76%	92.43%
	TechSVM	92.95%	89.92%	96.40%	93.05%
新出现的恶意软件样本检测	MalConv	80.10%	75.14%	86.54%	80.44%
	LightGBM	90.81%	89.03%	91.88%	90.43%
	TechSVM	92.83%	92.51%	92.31%	92.41%