Title: Enhanced Dynamic Analysis for Malware Detection With Gradient Attack
Authors: Pei Yan; Shunquan Tan; Miaohui Wang; Jiwu Huang
Journal: IEEE Signal Processing Letters (impact factor 3.2; JCR Q2, ENGINEERING, ELECTRICAL & ELECTRONIC; region 2, Engineering and Technology)
DOI: 10.1109/LSP.2024.3475354
Publication date: 2024-10-07
Publication type: Journal Article
Open access: no
URL: https://ieeexplore.ieee.org/document/10706706/
Citations: 0
Abstract
Malware detection is an effective way to prevent the intrusion of malware into computer systems, and the API-based dynamic analysis method can effectively detect obfuscated and packaged malware. However, existing methods still suffer from limited detection accuracy and weak generalization. To address this issue, this paper presents a gradient attack-based malware dynamic analysis method. Through exerting adversarial noise into the embedding layer, the malware detection model can learn more robust representations of API sequences during training, achieving broader coverage of sample representations. The strategy of normalizing attack noise and recovering attacked representation is designed, which controls the strength of the gradient attack within a reasonable range and prevents a negative impact on the model's detection performance. The proposed method can be applied to existing API-based malware detection models to enhance their detection performance, indicating the strong generality of the proposed method. Experimental results on two benchmark datasets (i.e., Aliyun and Catak) demonstrate the effectiveness of the proposed gradient attack method, which further improves the detection performance of the mainstream API-based models, with an average accuracy increase of 2.80% and 3.66% on these two datasets, respectively.
About the journal:
The IEEE Signal Processing Letters is a monthly, archival publication designed to provide rapid dissemination of original, cutting-edge ideas and timely, significant contributions in signal, image, speech, language and audio processing. Papers published in the Letters can be presented within one year of their appearance in signal processing conferences such as ICASSP, GlobalSIP and ICIP, and also in several workshops organized by the Signal Processing Society.