Extended Abstract: Effective Call Graph Fingerprinting for the Analysis and Classification of Windows Malware
Maiorca, Davide; Giacinto, Giorgio
2022-01-01
Abstract
Malicious Windows executables still constitute one of the major threats to computer security. Various machine learning-based approaches have been proposed to distinguish them from benign applications or to perform family classification, a critical task for threat intelligence. However, most of these techniques do not explicitly model the relationships between the various parts of the code. Additionally, the proposed systems, including deep learning ones, have proven vulnerable to adversarial attacks. This paper presents a novel, static learning-based method to detect and classify executables based on call graph fingerprinting. In particular, we generate a fingerprint for each call graph based on user-defined and library functions. Then, we represent the information sent to the classifier through a MinHash encoding that increases the overall robustness of the system against fine-grained modifications. The attained results show that our proposed approach can accurately distinguish malware families from each other while exhibiting intriguing robustness properties. We claim that these results make this approach a promising research direction that deserves further exploration.

File | Size | Format
---|---|---
Meloni2022_Chapter_ExtendedAbstractEffectiveCallG.pdf (archive managers only; type: publisher's version, VoR) | 263.97 kB | Adobe PDF
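The abstract describes two ingredients: a fingerprint built from the call graph's user-defined and library functions, and a MinHash encoding that makes the classifier's input tolerant to small edits of that graph. The following is an added illustration of that idea and is not code from the paper or its authors. It assumes a simplified fingerprint of my own design (user function names abstracted to a single token, library callees kept verbatim, plus pairs of library calls issued by the same function); the paper's actual feature construction may differ. The toy call graphs `SAMPLE_A`, `SAMPLE_A_PATCHED` and `SAMPLE_B` are constructed for the example, not taken from any dataset.

```python
import hashlib
import random
from itertools import combinations
from typing import Dict, FrozenSet, List, Tuple

CallGraph = Dict[str, List[str]]

# Constructed toy call graphs (caller -> callees). Names prefixed "lib:" stand
# for imported library functions; everything else is a user-defined function.
# These are illustrative inputs, not samples from the paper's dataset.
SAMPLE_A: CallGraph = {
    "start": ["init", "lib:GetModuleHandleA", "run"],
    "init": ["lib:VirtualAlloc", "lib:GetProcAddress"],
    "run": ["worker", "lib:CreateThread"],
    "worker": ["lib:InternetOpenA", "lib:InternetReadFile", "lib:WriteFile"],
}
# The same program after a small edit: one extra helper and one new API call.
SAMPLE_A_PATCHED: CallGraph = {
    "start": ["init", "lib:GetModuleHandleA", "run", "log"],
    "init": ["lib:VirtualAlloc", "lib:GetProcAddress"],
    "run": ["worker", "lib:CreateThread"],
    "worker": ["lib:InternetOpenA", "lib:InternetReadFile", "lib:WriteFile"],
    "log": ["lib:WriteFile", "lib:GetTickCount"],
}
# An unrelated program.
SAMPLE_B: CallGraph = {
    "main": ["parse", "lib:fopen", "lib:printf"],
    "parse": ["lib:strtok", "lib:atoi"],
}


def fingerprint(graph: CallGraph) -> FrozenSet[str]:
    """Abstract a call graph into a set of string features (hypothetical scheme).

    User-defined names are replaced by the token 'user', so renaming or
    reordering functions leaves the fingerprint unchanged; library callees are
    kept verbatim because they carry the behavioural signal. In addition, every
    pair of library calls issued by the same function is recorded, which
    captures how APIs are combined rather than merely which ones are imported.
    """
    feats = set()
    for callees in graph.values():
        lib_calls = sorted(c for c in callees if c.startswith("lib:"))
        for callee in callees:
            target = callee if callee.startswith("lib:") else "user"
            feats.add(f"user->{target}")
        for x, y in combinations(lib_calls, 2):  # sorted input -> canonical pairs
            feats.add(f"{x}|{y}")
    return frozenset(feats)


MERSENNE_PRIME = (1 << 61) - 1


def hash_params(k: int, seed: int = 7) -> List[Tuple[int, int]]:
    """k universal hash functions h(x) = (a*x + b) mod p, fixed by seed."""
    rng = random.Random(seed)
    return [(rng.randrange(1, MERSENNE_PRIME), rng.randrange(0, MERSENNE_PRIME))
            for _ in range(k)]


def _base_hash(feature: str) -> int:
    # Map a feature string to a 64-bit integer before applying the hash family.
    return int.from_bytes(hashlib.sha256(feature.encode()).digest()[:8], "big")


def minhash(features: FrozenSet[str], params: List[Tuple[int, int]]) -> List[int]:
    """MinHash signature: for each hash function, the minimum over all features."""
    base = [_base_hash(f) for f in features]
    if not base:
        return [MERSENNE_PRIME] * len(params)
    return [min((a * h + b) % MERSENNE_PRIME for h in base) for a, b in params]


def jaccard(s1: FrozenSet[str], s2: FrozenSet[str]) -> float:
    return len(s1 & s2) / len(s1 | s2)


def estimated_similarity(sig1: List[int], sig2: List[int]) -> float:
    """Fraction of matching signature slots: an unbiased Jaccard estimate."""
    return sum(x == y for x, y in zip(sig1, sig2)) / len(sig1)


def compare(g1: CallGraph, g2: CallGraph, k: int = 256) -> Tuple[float, float]:
    """Return (exact Jaccard, MinHash estimate) for two call graphs."""
    f1, f2 = fingerprint(g1), fingerprint(g2)
    params = hash_params(k)
    return jaccard(f1, f2), estimated_similarity(minhash(f1, params), minhash(f2, params))


if __name__ == "__main__":
    for name, other in (("patched copy", SAMPLE_A_PATCHED), ("unrelated program", SAMPLE_B)):
        exact, est = compare(SAMPLE_A, other)
        print(f"A vs {name}: exact Jaccard {exact:.3f}, MinHash estimate {est:.3f}")
```

The patched copy adds two of fourteen features, so its exact Jaccard similarity to the original is 12/14; the unrelated program shares only the generic `user->user` edge (1/18). A classifier fed the fixed-length MinHash signature instead of the raw feature set sees a near-identical vector for the small edit and a dissimilar one for the other program, which is the robustness-to-fine-grained-modification property the abstract refers to. The estimate's standard deviation is about sqrt(J(1-J)/k), so the signature length k trades storage against precision.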
Documents in IRIS are protected by copyright and all rights are reserved, unless otherwise indicated.