Discovering Malicious Signatures in Software from Structural Interactions

TL;DR

This paper introduces a novel malware detection method that uses deep learning and network science to analyze application behavior, achieving high accuracy in identifying zero-day malware without relying on virtual machine environments.

Contribution

The paper presents a new malware detection approach combining static/dynamic analysis, LLVM profiling, and GraphSAGE to analyze network topologies for improved detection of malicious software.

Findings

Achieved 99.85% AUROC in malware detection

Effectively detects zero-day malware

Outperforms existing detection methods

Abstract

Malware represents a significant security concern in today's digital landscape, as it can destroy or disable operating systems, steal sensitive user information, and occupy valuable disk space. However, current malware detection methods, such as static-based and dynamic-based approaches, struggle to identify newly developed (``zero-day") malware and are limited by customized virtual machine (VM) environments. To overcome these limitations, we propose a novel malware detection approach that leverages deep learning, mathematical techniques, and network science. Our approach focuses on static and dynamic analysis and utilizes the Low-Level Virtual Machine (LLVM) to profile applications within a complex network. The generated network topologies are input into the GraphSAGE architecture to efficiently distinguish between benign and malicious software applications, with the operation names denoted as node features. Importantly, the GraphSAGE models analyze the network's topological geometry to make predictions, enabling them to detect state-of-the-art malware and prevent potential damage during execution in a VM. To evaluate our approach, we conduct a study on a dataset comprising source code from 24,376 applications, specifically written in C/C++, sourced directly from widely-recognized malware and various types of benign software. The results show a high detection performance with an Area Under the Receiver Operating Characteristic Curve (AUROC) of 99.85%. Our approach marks a substantial improvement in malware detection, providing a notably more accurate and efficient solution when compared to current state-of-the-art malware detection methods.