Extended Abstract: Effective Call Graph Fingerprinting for the Analysis and Classification of Windows Malware

Maiorca, Davide; Giacinto, Giorgio
2022

Abstract

Malicious Windows executables still constitute one of the major threats to computer security. Various machine learning-based approaches have been proposed to distinguish them from benign applications or to perform family classification, a critical task for threat intelligence. However, most of these techniques do not explicitly model the relationships between the various parts of the code. Additionally, the proposed systems, including deep learning ones, have proven vulnerable to adversarial attacks. This paper presents a novel, static learning-based method to detect and classify executables based on call graph fingerprinting. In particular, we generate a fingerprint for each call graph based on user-defined and library functions. Then, we represent the information sent to the classifier through a MinHash encoding that increases the overall robustness of the system against fine-grained modifications. The attained results show that our proposed approach can accurately distinguish malware families from each other while exhibiting intriguing robustness properties. We claim that these results make this approach a promising research direction that deserves further exploration.
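The abstract describes fingerprinting a call graph over user-defined and library functions and MinHash-encoding that fingerprint so that small edits barely move the classifier input. The following is an added toy illustration of that idea, not code from the paper or its authors: it assumes a fingerprint is the set of caller->callee edge strings (the paper's actual feature construction is not on this page), uses keyed BLAKE2b as the family of hash functions, and works on constructed sample graphs.

```python
import hashlib
from typing import Dict, List, Set

# Constructed toy call graphs (caller -> callees). Library calls keep a DLL
# prefix. "One edge string per call" is an assumed stand-in for the paper's
# fingerprint, whose real construction is not described on this page.
ORIGINAL: Dict[str, Set[str]] = {
    "main": {"init", "run", "kernel32!CreateFileA"},
    "init": {"kernel32!GetModuleHandleA", "advapi32!RegOpenKeyExA"},
    "run": {"encode", "ws2_32!send", "ws2_32!recv"},
    "encode": {"msvcrt!memcpy"},
}
# Same sample with one extra library call inserted into run(): the kind of
# fine-grained modification the MinHash encoding is meant to absorb.
MODIFIED: Dict[str, Set[str]] = {**ORIGINAL, "run": ORIGINAL["run"] | {"kernel32!Sleep"}}
# An unrelated sample that shares no edges with the first two.
OTHER: Dict[str, Set[str]] = {
    "WinMain": {"setup", "user32!MessageBoxA"},
    "setup": {"shell32!ShellExecuteA"},
}

def fingerprint(graph: Dict[str, Set[str]]) -> Set[str]:
    """Fingerprint a call graph as the set of its 'caller->callee' edges."""
    return {f"{caller}->{callee}" for caller, callees in graph.items() for callee in callees}

def _h(item: str, seed: int) -> int:
    """Seed-keyed 64-bit hash; each seed plays the role of one independent hash function."""
    digest = hashlib.blake2b(item.encode(), digest_size=8, key=seed.to_bytes(4, "little")).digest()
    return int.from_bytes(digest, "big")

def minhash(items: Set[str], num_hashes: int = 128) -> List[int]:
    """MinHash signature: for each hash function, the minimum hash over all items."""
    return [min(_h(item, seed) for item in items) for seed in range(num_hashes)]

def jaccard(a: Set[str], b: Set[str]) -> float:
    """Exact Jaccard similarity of two fingerprints, for comparison with the estimate."""
    return len(a & b) / len(a | b)

def estimated_similarity(sig_a: List[int], sig_b: List[int]) -> float:
    """Fraction of matching signature slots; an unbiased estimate of the Jaccard similarity."""
    return sum(x == y for x, y in zip(sig_a, sig_b)) / len(sig_a)

def nearest_family(sig: List[int], families: Dict[str, List[int]]) -> str:
    """Assign a signature to the family whose reference signature matches it best."""
    return max(families, key=lambda name: estimated_similarity(sig, families[name]))

if __name__ == "__main__":
    fp_orig, fp_mod, fp_other = (fingerprint(g) for g in (ORIGINAL, MODIFIED, OTHER))
    print("exact Jaccard original/modified:", jaccard(fp_orig, fp_mod))
    print("MinHash estimate original/modified:", estimated_similarity(minhash(fp_orig), minhash(fp_mod)))
    print("nearest family for modified:", nearest_family(minhash(fp_mod), {"A": minhash(fp_orig), "B": minhash(fp_other)}))
```

With 128 hash functions the estimate for the edited sample stays close to the exact Jaccard value of 0.9, while the unrelated sample scores near zero, so the inserted call does not change the assigned family.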
ISBN: 978-3-031-09483-5; 978-3-031-09484-2
Keywords: Malware detection; Machine learning; Robustness; x86
Files in this record:
File: Meloni2022_Chapter_ExtendedAbstractEffectiveCallG.pdf (archive administrators only)
Type: publisher's version
Size: 263.97 kB
Format: Adobe PDF

Documents in IRIS are protected by copyright and all rights are reserved, unless otherwise indicated.

Use this identifier to cite or link to this document: http://hdl.handle.net/11584/341332
Citations (Scopus): 0