Malicious Code Detection: Run Trace Output Analysis by LSTM

• Published in: IEEE access Vol. 9; pp. 9625 - 9635
• Main Authors: Acarturk, Cengiz, Sirlanci, Melih, Balikcioglu, Pinar Gurkan, Demirci, Deniz, Sahin, Nazenin, Kucuk, Ozge Acar
• Format: Journal Article
• Language: English
• Published: Piscataway IEEE 2021; The Institute of Electrical and Electronics Engineers, Inc. (IEEE)
• Subjects: Cybersecurity; Datasets; Dynamic analysis; Feature extraction; LSTM; Machine learning; Malware; malware detection; Natural language processing; Operating systems; run trace; Semantics; Static analysis; Threat evaluation
• ISSN: 2169-3536; 2169-3536
• DOI: 10.1109/ACCESS.2021.3049200

Malicious software threats and their detection have been gaining importance as a subdomain of information security due to the expansion of ICT applications in daily settings. A major challenge in designing and developing anti-malware systems is the coverage of the detection, particularly the development of dynamic analysis methods that can detect polymorphic and metamorphic malware efficiently. In the present study, we propose a methodological framework for detecting malicious code by analyzing run trace outputs by Long Short-Term Memory (LSTM). We developed models of run traces of malicious and benign Portable Executable (PE) files. We created our dataset from run trace outputs obtained from dynamic analysis of PE files. The obtained dataset was in the instruction format as a sequence and was called Instruction as a Sequence Model (ISM). By splitting the first dataset into basic blocks, we obtained the second one called Basic Block as a Sequence Model (BSM). The experiments showed that the ISM achieved an accuracy of 87.51% and a false positive rate of 18.34%, while BSM achieved an accuracy of 99.26% and a false positive rate of 2.62%.