DRLDO: A novel DRL based De-Obfuscation System for Defense against Metamorphic Malware
Mohit Sewak, Sanjay K. Sahay, Hemant Rathore

TL;DR
This paper introduces DRLDO, a deep reinforcement learning-based system that normalizes obfuscated malware at the opcode level, enhancing existing intrusion detection systems' ability to detect metamorphic malware without retraining.
Contribution
The paper presents a novel DRL-based de-obfuscation system that can be integrated into existing IDS to detect obfuscated malware without retraining classifiers.
Findings
With DRLDO as a pre-processing step, existing IDS classifiers detect obfuscated and metamorphic variants of known malware.
De-obfuscated samples show a 0.99 correlation with the original (un-obfuscated) samples.
Existing classifiers return a detection probability above 0.6 on the de-obfuscated samples.
Abstract
In this paper, we propose a novel mechanism to normalize metamorphic and obfuscated malware down at the opcode level and hence create an advanced metamorphic malware de-obfuscation and defense system. We name this system DRLDO, for Deep Reinforcement Learning based De-Obfuscator. With the inclusion of the DRLDO as a sub-component, an existing Intrusion Detection System could be augmented with defensive capabilities against 'zero-day' attacks from obfuscated and metamorphic variants of existing malware. This gains importance, not only because there exists no system to date that uses advanced DRL to intelligently and automatically normalize obfuscation down even to the opcode level, but also because the DRLDO system does not mandate any changes to the existing IDS. The DRLDO system does not even mandate the IDS' classifier to be retrained with any new dataset containing obfuscated…
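The abstract describes the mechanism at a high level: obfuscated code is normalized back to a canonical opcode form so that an unchanged classifier sees something close to the original sample, and the Findings report that closeness as a 0.99 correlation. The following added example, which is not code from the paper or its authors, makes both halves concrete. It uses a constructed x86 opcode sequence, an assumed set of metamorphic rewrites (instruction substitution, a dead push/pop pair, nop insertion), and a rule-based normalizer standing in for the DRL agent; the "correlation" is Pearson correlation over opcode-frequency vectors, which is one reasonable reading of the paper's metric but is an assumption here.

```python
import math
from collections import Counter

REGS = {"eax", "ebx", "ecx", "edx", "esi", "edi", "ebp", "esp"}

# Constructed sample (not from the paper): a short x86 function body written as
# "mnemonic op1, op2" strings so we can work purely at the opcode level.
ORIGINAL = [
    "push ebp",
    "mov ebp, esp",
    "mov eax, 0",
    "mov ecx, [ebp+8]",
    "cmp ecx, 0",
    "je 0x10",
    "add eax, ecx",
    "mov esp, ebp",
    "pop ebp",
    "ret",
]


def parse(ins):
    """Split 'mov eax, 0' into ('mov', ['eax', '0']); 'nop' -> ('nop', [])."""
    mnem, _, rest = ins.partition(" ")
    ops = [o.strip() for o in rest.split(",")] if rest else []
    return mnem, ops


def fmt(mnem, ops):
    return f"{mnem} {', '.join(ops)}" if ops else mnem


def obfuscate(seq):
    """Assumed metamorphic rewrites: substitute equivalent instructions, insert a
    dead push/pop pair before ret, then a nop after every instruction."""
    out = []
    for ins in seq:
        mnem, ops = parse(ins)
        if mnem == "mov" and len(ops) == 2 and ops[0] in REGS and ops[1] == "0":
            mnem, ops = "xor", [ops[0], ops[0]]      # mov r,0  -> xor r,r
        elif mnem == "cmp" and len(ops) == 2 and ops[0] in REGS and ops[1] == "0":
            mnem, ops = "test", [ops[0], ops[0]]     # cmp r,0  -> test r,r
        if mnem == "ret":
            out += ["push edx", "pop edx"]           # dead stack pair, net no-op
        out.append(fmt(mnem, ops))
    with_nops = []
    for ins in out:
        with_nops += [ins, "nop"]                    # junk insertion
    return with_nops


def normalize(seq):
    """Rule-based stand-in for the DRL de-obfuscator: map the rewritten
    sequence back to the canonical opcode form the classifier was trained on."""
    out = []
    for ins in seq:
        mnem, ops = parse(ins)
        if mnem == "nop":
            continue                                  # 1. drop junk first
        # 2. cancel push X / pop X that become adjacent once junk is gone
        #    (heuristic: assumes nothing reads the stack slot in between)
        if mnem == "pop" and out and out[-1] == f"push {ops[0]}":
            out.pop()
            continue
        # 3. fold known substitutions back to the canonical opcode
        #    (flag side effects differ, but the opcode profile is what the IDS sees)
        if mnem in ("xor", "test") and len(ops) == 2 and ops[0] == ops[1] and ops[0] in REGS:
            mnem, ops = ("mov" if mnem == "xor" else "cmp"), [ops[0], "0"]
        out.append(fmt(mnem, ops))
    return out


def opcode_vector(seq, vocab):
    counts = Counter(parse(ins)[0] for ins in seq)
    return [counts[m] for m in vocab]


def pearson(x, y):
    n = len(x)
    mx, my = sum(x) / n, sum(y) / n
    cov = sum((a - mx) * (b - my) for a, b in zip(x, y))
    var = math.sqrt(sum((a - mx) ** 2 for a in x) * sum((b - my) ** 2 for b in y))
    return cov / var if var else 0.0


def opcode_correlation(a, b):
    """Pearson correlation of the two sequences' opcode-frequency vectors."""
    vocab = sorted({parse(i)[0] for i in a} | {parse(i)[0] for i in b})
    return pearson(opcode_vector(a, vocab), opcode_vector(b, vocab))


if __name__ == "__main__":
    obf = obfuscate(ORIGINAL)
    deobf = normalize(obf)
    print("original vs obfuscated   :", round(opcode_correlation(ORIGINAL, obf), 3))
    print("original vs de-obfuscated:", round(opcode_correlation(ORIGINAL, deobf), 3))
    print("exact recovery:", deobf == ORIGINAL)
```

On this constructed input the obfuscated variant's opcode histogram is dominated by nops and swapped mnemonics, so its correlation with the original is negative; after normalization the sequence is recovered exactly and the correlation is 1.0. The point the paper makes is that the de-obfuscation step, not the classifier, absorbs the variation, so the classifier needs no retraining. The real system learns the rewrite policy with DRL instead of the three fixed rules used here, which matter because hand-written rules only cover the obfuscations their author anticipated.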
