A cross-architecture malware detection approach based on intermediate representation

IF 3.8, Zone 2 (Computer Science), Q2 COMPUTER SCIENCE, INFORMATION SYSTEMS
Claudia Greco , Michele Ianni
Journal of Information Security and Applications, vol. 93, Article 104117. DOI: 10.1016/j.jisa.2025.104117. Published 2025-06-13. https://www.sciencedirect.com/science/article/pii/S2214212625001541
Citations: 0

Abstract

Detecting malware across diverse architectures and evasion techniques has become a critical challenge as modern malware increasingly targets non-traditional platforms such as IoT devices. Traditional signature-based approaches, which rely on architecture-specific bytecode patterns, often fail when malware is recompiled for different platforms or obfuscated to evade detection. In this paper, we propose a novel framework for cross-architecture, signature-based malware detection. Our approach leverages Intermediate Representation (IR) to identify malicious behaviors in a platform-independent manner. By matching higher-level patterns in the IR, our framework generates signatures capable of detecting malware across multiple architectures and resisting common obfuscation techniques. The proposed framework adopts the YARA syntax, a widely used tool for malware detection, while introducing custom high-level primitives that abstract complex IR constructs. These primitives simplify the rule-writing process, enabling more efficient and precise signature creation. Additionally, we discuss the limitations of current approaches and demonstrate how our framework advances the state of the art in signature-based malware detection.
Source journal: Journal of Information Security and Applications (Computer Science - Computer Networks and Communications)
CiteScore: 10.90
Self-citation rate: 5.40%
Articles published: 206
Review time: 56 days
Journal description: Journal of Information Security and Applications (JISA) focuses on original research and practice-driven applications relevant to information security and applications. JISA provides a common linkage between a vibrant scientific and research community and industry professionals by offering a clear view of modern problems and challenges in information security, as well as identifying promising scientific and "best-practice" solutions. JISA issues offer a balance between original research work and innovative industrial approaches by internationally renowned information security experts and researchers.