Malicious Code Detection: Run Trace Output Analysis by LSTM

Malicious software threats and their detection have been gaining importance as a subdomain of information security due to the expansion of ICT applications in daily settings. A major challenge in designing and developing anti-malware systems is the coverage of the detection, particularly the develop...

Full description

Saved in:
Bibliographic Details
Published in:IEEE access 2021, Vol.9, p.9625-9635
Main Authors: Acarturk, Cengiz, Sirlanci, Melih, Balikcioglu, Pinar Gurkan, Demirci, Deniz, Sahin, Nazenin, Kucuk, Ozge Acar
Format: Article
Language:English
Subjects:
Cybersecurity
Datasets
Dynamic analysis
Feature extraction
LSTM
Machine learning
Malware
malware detection
Natural language processing
Operating systems
run trace
Semantics
Static analysis
Threat evaluation
Citations: Items that this one cites
Items that cite this one
Online Access:Get full text
Tags: Add Tag
No Tags, Be the first to tag this record!
Description
Summary:Malicious software threats and their detection have been gaining importance as a subdomain of information security due to the expansion of ICT applications in daily settings. A major challenge in designing and developing anti-malware systems is the coverage of the detection, particularly the development of dynamic analysis methods that can detect polymorphic and metamorphic malware efficiently. In the present study, we propose a methodological framework for detecting malicious code by analyzing run trace outputs by Long Short-Term Memory (LSTM). We developed models of run traces of malicious and benign Portable Executable (PE) files. We created our dataset from run trace outputs obtained from dynamic analysis of PE files. The obtained dataset was in the instruction format as a sequence and was called Instruction as a Sequence Model (ISM). By splitting the first dataset into basic blocks, we obtained the second one called Basic Block as a Sequence Model (BSM). The experiments showed that the ISM achieved an accuracy of 87.51% and a false positive rate of 18.34%, while BSM achieved an accuracy of 99.26% and a false positive rate of 2.62%.
ISSN:2169-3536
2169-3536
DOI:10.1109/ACCESS.2021.3049200