HAPSSA: Holistic Approach to PDF Malware Detection Using Signal and Statistical Analysis

TL;DR

This paper presents a holistic PDF malware detection method combining signal and statistical analysis, achieving high accuracy and robustness against obfuscation, outperforming traditional ML-based approaches.

Contribution

The paper introduces a novel holistic detection approach that integrates static and dynamic features for improved robustness against malware obfuscation.

Findings

Achieves 99.92% detection rate on a large dataset

Detects malware obfuscation techniques undetected by antiviruses

Outperforms existing machine learning methods in robustness

Abstract

Malicious PDF documents present a serious threat to various security organizations that require modern threat intelligence platforms to effectively analyze and characterize the identity and behavior of PDF malware. State-of-the-art approaches use machine learning (ML) to learn features that characterize PDF malware. However, ML models are often susceptible to evasion attacks, in which an adversary obfuscates the malware code to avoid being detected by an Antivirus. In this paper, we derive a simple yet effective holistic approach to PDF malware detection that leverages signal and statistical analysis of malware binaries. This includes combining orthogonal feature space models from various static and dynamic malware detection methods to enable generalized robustness when faced with code obfuscations. Using a dataset of nearly 30,000 PDF files containing both malware and benign samples, we show that our holistic approach maintains a high detection rate (99.92%) of PDF malware and even detects new malicious files created by simple methods that remove the obfuscation conducted by malware authors to hide their malware, which are undetected by most antiviruses.