Enhancing Dynamic Malware Behavior Analysis Through Novel Windows Events With Machine Learning

IF 3.6 3区计算机科学 Q2 COMPUTER SCIENCE, INFORMATION SYSTEMS

IEEE Access Pub Date : 2025-09-02 DOI:10.1109/ACCESS.2025.3604979

Göksun Önal;Mesut Güven

{"title":"Enhancing Dynamic Malware Behavior Analysis Through Novel Windows Events With Machine Learning","authors":"Göksun Önal;Mesut Güven","doi":"10.1109/ACCESS.2025.3604979","DOIUrl":null,"url":null,"abstract":"Malware analysis involves studying harmful software to understand its behavior and find ways to detect and prevent it. As cyberattacks become more advanced, this process becomes increasingly important for safeguarding systems and data. Traditional methods in malware analysis often rely on examining the code itself, which can miss malicious actions that only occur during execution. This study addresses this limitation by combining the dynamic observation of malware behavior with an innovative use of Windows Event Logs as input, a detailed system data source. During the study, a secure environment was created to safely execute malware, collect input, and provide valuable information on how malicious software interacts with systems. New methods were developed to extract meaningful information from the logs, then used to train machine-learning models capable of accurately distinguishing malware from legitimate programs. By demonstrating the untapped potential of Windows Event Logs, this study offers new tools to improve real-time malware detection and enhance cybersecurity. On a dataset of approximate 7000 Windows executable file, roughly sixty percent benign and forty percent malware, the log-feature MLP reached 91.2 % accuracy with a 1.6-point standard deviation across five folds, achieved a ROC-AUC of <inline-formula> <tex-math>$0.962~\\pm ~0.009$ </tex-math></inline-formula> on an unseen hold out set.","PeriodicalId":13079,"journal":{"name":"IEEE Access","volume":"13 ","pages":"153937-153958"},"PeriodicalIF":3.6000,"publicationDate":"2025-09-02","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"https://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=11146719","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"IEEE Access","FirstCategoryId":"94","ListUrlMain":"https://ieeexplore.ieee.org/document/11146719/","RegionNum":3,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q2","JCRName":"COMPUTER SCIENCE, INFORMATION SYSTEMS","Score":null,"Total":0}

引用次数: 0

Abstract

Malware analysis involves studying harmful software to understand its behavior and find ways to detect and prevent it. As cyberattacks become more advanced, this process becomes increasingly important for safeguarding systems and data. Traditional methods in malware analysis often rely on examining the code itself, which can miss malicious actions that only occur during execution. This study addresses this limitation by combining the dynamic observation of malware behavior with an innovative use of Windows Event Logs as input, a detailed system data source. During the study, a secure environment was created to safely execute malware, collect input, and provide valuable information on how malicious software interacts with systems. New methods were developed to extract meaningful information from the logs, then used to train machine-learning models capable of accurately distinguishing malware from legitimate programs. By demonstrating the untapped potential of Windows Event Logs, this study offers new tools to improve real-time malware detection and enhance cybersecurity. On a dataset of approximate 7000 Windows executable file, roughly sixty percent benign and forty percent malware, the log-feature MLP reached 91.2 % accuracy with a 1.6-point standard deviation across five folds, achieved a ROC-AUC of

$0.962~\pm ~0.009$

on an unseen hold out set.

查看原文本刊更多论文

基于机器学习的新型Windows事件增强动态恶意软件行为分析

恶意软件分析包括研究有害软件以了解其行为并找到检测和预防它的方法。随着网络攻击变得越来越先进，这个过程对于保护系统和数据变得越来越重要。恶意软件分析的传统方法通常依赖于检查代码本身，这可能会错过仅在执行期间发生的恶意操作。本研究通过将恶意软件行为的动态观察与Windows事件日志作为输入（详细的系统数据源）的创新使用相结合，解决了这一限制。在研究期间，创建了一个安全的环境来安全地执行恶意软件，收集输入，并提供有关恶意软件如何与系统交互的有价值的信息。开发了新的方法从日志中提取有意义的信息，然后用于训练能够准确区分恶意软件和合法程序的机器学习模型。通过展示Windows事件日志未开发的潜力，本研究提供了改进实时恶意软件检测和增强网络安全的新工具。在大约7000个Windows可执行文件的数据集上，大约60%是良性的，40%是恶意软件，日志特征MLP的准确率达到91.2%，标准偏差为1.6点，跨五倍，在一个看不见的hold out集上实现了0.962~\pm ~0.009$的ROC-AUC。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

IEEE Access COMPUTER SCIENCE, INFORMATION SYSTEMSENGIN-ENGINEERING, ELECTRICAL & ELECTRONIC

CiteScore

9.80

自引率

7.70%

发文量

6673

审稿时长

6 weeks

期刊介绍： IEEE Access® is a multidisciplinary, open access (OA), applications-oriented, all-electronic archival journal that continuously presents the results of original research or development across all of IEEE''s fields of interest. IEEE Access will publish articles that are of high interest to readers, original, technically correct, and clearly presented. Supported by author publication charges (APC), its hallmarks are a rapid peer review and publication process with open access to all readers. Unlike IEEE''s traditional Transactions or Journals, reviews are "binary", in that reviewers will either Accept or Reject an article in the form it is submitted in order to achieve rapid turnaround. Especially encouraged are submissions on: Multidisciplinary topics, or applications-oriented articles and negative results that do not fit within the scope of IEEE''s traditional journals. Practical articles discussing new experiments or measurement techniques, interesting solutions to engineering. Development of new or improved fabrication or manufacturing techniques. Reviews or survey articles of new or evolving fields oriented to assist others in understanding the new area.