期刊
JOURNAL OF INFORMATION SECURITY AND APPLICATIONS
卷 68, 期 -, 页码 -出版社
ELSEVIER
DOI: 10.1016/j.jisa.2022.103258
关键词
Malware; Binary emulation; Classification; Machine learning
资金
- European Commission [832735, 101021801, 830929]
- Beatriu de Pin's programme of theGovernment of Catalonia [2020 BP 00035]
Malware authors constantly improve their code to evade analysis, making detection difficult. This research proposes complementing sandbox execution with binary emulation frameworks, achieving high accuracy and low computational overhead.
Malware authors continuously evolve their code base to include counter-analysis methods that can significantly hinder their detection and blocking. While malware execution in a sandboxed environment may provide insightful feedback about what the malware does in a machine, anti-virtualisation and hooking evasion methods may allow malware to bypass such detection methods. The main objective of this work is to complement sandbox execution with the use of binary emulation frameworks. The core idea is to exploit the fact that binary emulation frameworks may test samples quicker than a sandbox environment as they do not need to open a whole new virtual machine to execute the binary. While with this approach we lose the granularity of the data collected through a sandbox, one may only need to efficiently determine whether a file is malicious or to which malware family it belongs. To this end, we record the performed API calls and use them to explore the efficacy of using them as features for binary and multiclass classification. Our extensive experiments with real-world malware illustrate that this approach is very accurate, achieving state -of-the art outcomes with a statistically robust set of classification experiments while simultaneously having a relatively low computational overhead compared to traditional sandbox approaches. In fact, we compare the binary analysis results with a commercial sandbox, and our classification outperforms it at the expense of the fine-grained results that a sandbox provides.
作者
我是这篇论文的作者
点击您的名字以认领此论文并将其添加到您的个人资料中。
推荐
暂无数据