Malware classification through Abstract Syntax Trees and L-moments

Impact Factor 4.8 | CAS Zone 2, Computer Science | Q1 COMPUTER SCIENCE, INFORMATION SYSTEMS
Anthony J. Rose, Christine M. Schubert Kabban, Scott R. Graham, Wayne C. Henry, Christopher M. Rondeau
DOI: 10.1016/j.cose.2024.104082
Journal: Computers & Security, Volume 148, Article 104082
Publication date: 2024-09-06 (Journal Article)
URL: https://www.sciencedirect.com/science/article/pii/S0167404824003870
Citations: 0

Abstract

The ongoing evolution of malware presents a formidable challenge to cybersecurity: identifying unknown threats. Traditional detection methods, such as signatures and various forms of static analysis, inherently lag behind these evolving threats. This research introduces a novel approach to malware detection by leveraging the robust statistical capabilities of L-moments and the structural insights provided by Abstract Syntax Trees (ASTs) and applying them to PowerShell. L-moments, recognized for their resilience to outliers and adaptability to diverse distributional shapes, are extracted from network analysis measures like degree centrality, betweenness centrality, and closeness centrality of ASTs. These measures provide a detailed structural representation of code, enabling a deeper understanding of its inherent behaviors and patterns. This approach aims to detect not only known malware but also uncover new, previously unidentified threats. A comprehensive comparison with traditional static analysis methods shows that this approach excels in key performance metrics such as accuracy, precision, recall, and F1 score. These results demonstrate the significant potential of combining L-moments derived from network analysis with ASTs in enhancing malware detection. While static analysis remains an essential tool in cybersecurity, the integration of L-moments and advanced network analysis offers a more effective and efficient response to the dynamic landscape of cyber threats. This study paves the way for future research, particularly in extending the use of L-moments and network analysis into additional areas.
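A compact illustration of the feature-extraction idea the abstract describes, added here as an example and not code from the paper: a (constructed, hand-written) PowerShell-like AST is turned into a graph, degree centrality is computed per node, and the sample L-moments of those centrality values form the feature vector. Assumptions: the nested-tuple AST and its node kinds are stand-ins for the real PowerShell parser output, only degree centrality is implemented (the paper also uses betweenness and closeness), and Hosking's probability-weighted-moment estimator is used for the sample L-moments.

```python
# Constructed stand-in for a parsed PowerShell AST as (kind, children) tuples, roughly
# "$a = Get-Content x; Write-Output $a". Node kinds are illustrative, not parser output.
SAMPLE_AST = ("ScriptBlock", [
    ("Pipeline", [("Assignment", [("Variable", []),
                  ("Command", [("CommandName", []), ("Argument", [])])])]),
    ("Pipeline", [("Command", [("CommandName", []), ("Variable", [])])]),
])

def ast_edges(node, parent=None, edges=None, counter=None):
    """Number nodes in DFS order and return undirected parent-child edges."""
    if edges is None:
        edges, counter = [], [0]
    nid = counter[0]
    counter[0] += 1
    if parent is not None:
        edges.append((parent, nid))
    for child in node[1]:
        ast_edges(child, nid, edges, counter)
    return edges

def degree_centrality(edges):
    """Degree of each node divided by (n - 1), the usual normalisation."""
    degree = {}
    for a, b in edges:
        degree[a] = degree.get(a, 0) + 1
        degree[b] = degree.get(b, 0) + 1
    n = len(degree)
    return [degree[i] / (n - 1) for i in sorted(degree)]

def sample_lmoments(values):
    """Sample L-moments via probability-weighted moments (Hosking's estimator).
    Returns (l1, l2, t3, t4): L-location, L-scale, L-skewness, L-kurtosis."""
    x = sorted(values)
    n = len(x)
    if n < 4:
        raise ValueError("need at least four observations")
    b = [0.0] * 4  # b[r]: unbiased estimate of the r-th probability-weighted moment
    for i, xi in enumerate(x, start=1):
        b[0] += xi
        b[1] += (i - 1) / (n - 1) * xi
        b[2] += (i - 1) * (i - 2) / ((n - 1) * (n - 2)) * xi
        b[3] += (i - 1) * (i - 2) * (i - 3) / ((n - 1) * (n - 2) * (n - 3)) * xi
    b = [v / n for v in b]
    l2 = 2 * b[1] - b[0]
    l3 = 6 * b[2] - 6 * b[1] + b[0]
    l4 = 20 * b[3] - 30 * b[2] + 12 * b[1] - b[0]
    return b[0], l2, l3 / l2, l4 / l2

def ast_features(tree):
    """Classifier feature vector: L-moments of the AST's degree-centrality values."""
    return sample_lmoments(degree_centrality(ast_edges(tree)))
```

Because L-moments are linear combinations of order statistics, a single extreme centrality value (for example one node with an unusually large fan-out) shifts the features far less than it would shift conventional variance or kurtosis, which is the robustness property the abstract relies on.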

Source journal: Computers & Security (Engineering & Technology - Computer Science: Information Systems)
CiteScore: 12.40
Self-citation rate: 7.10%
Articles published: 365
Review time: 10.7 months
Journal description: Computers & Security is the most respected technical journal in the IT security field. With its high-profile editorial board and informative regular features and columns, the journal is essential reading for IT security professionals around the world. Computers & Security provides you with a unique blend of leading edge research and sound practical management advice. It is aimed at the professional involved with computer security, audit, control and data integrity in all sectors - industry, commerce and academia. Recognized worldwide as THE primary source of reference for applied research and technical expertise, it is your first step to fully secure systems.