On the Effectiveness of Binary Emulation in Malware Classification
read the original abstract
Malware authors are continuously evolving their code base to include counter-analysis methods that can significantly hinder their detection and blocking. While the execution of malware in a sandboxed environment may provide a lot of insightful feedback about what the malware actually does in a machine, anti-virtualisation and hooking evasion methods may allow malware to bypass such detection methods. The main objective of this work is to complement sandbox execution with the use of binary emulation frameworks. The core idea is to exploit the fact that binary emulation frameworks may quickly test samples quicker than a sandbox environment as they do not need to open a whole new virtual machine to execute the binary. While with this approach, we lose the granularity of the data that can be collected through a sandbox, due to scalability issues, one may need to simply determine whether a file is malicious or to which malware family it belongs. To this end, we record the API calls that are performed and use them to explore the efficacy of using them as features for binary and multiclass classification. Our extensive experiments with real-world malware illustrate that this approach is very accurate, achieving state-of-the art outcomes with a statistically robust set of classification experiments while simultaneously having a relatively low computational overhead compared to traditional sandbox approaches. In fact, we compare the binary analysis results with a commercial sandbox, and our classification outperforms it at the expense of the fine-grained results that a sandbox provides.
This paper has not been read by Pith yet.
Forward citations
Cited by 1 Pith paper
-
Burnyard: Future of Malware Analysis
Burnyard proposes binary emulation for malware analysis to produce CSV event traces as a lighter alternative to sandboxing.
discussion (0)
Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.