Article

DeMal: Module decomposition of malware based on community discovery

Journal

COMPUTERS & SECURITY
Volume 117, Issue -, Pages -

Publisher

ELSEVIER ADVANCED TECHNOLOGY
DOI: 10.1016/j.cose.2022.102680

Keywords

Malware analysis; Software module decomposition; Remodularization; Binary program analysis; Software composition analysis

Funding

  1. National Key Research and Development Project [2016YFB08011601]

This paper proposes a solution called DeMal that automates the analysis of malware program components using community discovery methods. By recovering program call relationships, extracting structure-related attributes, and applying a combination model of multiple community discovery algorithms, DeMal can predict the code composition structure of malicious software. In experiments, DeMal performs well with an average F1 score of 71.3% and 14.5% of samples achieving an average precision of 90%. The analysis time for each sample is about 19.79 seconds. DeMal also demonstrates scalability on common programs and large-scale performance, and the visualization of results showcases its module decomposition capabilities.
In recent years, malware has grown faster than ever in volume, form and harmfulness. While existing static or dynamic analysis techniques can meet the common user needs for malware detection, analysts desire a more detailed overview to uncover the program architecture. Malware often forces researchers into difficulties due to its complex anti-analysis techniques, which call for a quick analysis of program structure and components to clarify malware functional semantics. In this paper, we use community discovery methods to automate the malware program components analysis from the intuition of modular programming principles. Specifically, we design and implement DeMal, a solution to the malware module decomposition problem. It achieves remodularization by recovering program call relationships, extracting structure-related attributes, and applying an ensemble model of multiple community discovery algorithms. DeMal takes a malicious executable as input and predicts its code composition structure. In an evaluation with 155 malware samples, DeMal performs well, achieving an average F1-score of 71.3%, and 14.5% of the samples reach an average precision of 90%. The analysis time on each sample is about 19.79s. In extended experiments with 1,621 benign programs and over 10,000 stripped malware samples, we also verify DeMal's scalability on common programs as well as its large-scale performance, respectively. The visualization of the results also strongly demonstrates DeMal's module decomposition capabilities. (c) 2022 Published by Elsevier Ltd.
