TagSeq: Malicious behavior discovery using dynamic analysis

Bibliographic Details
Published in: PLoS ONE, Vol. 17, no. 5, p. e0263644
Main Authors: Huang, Yi-Ting; Sun, Yeali S.; Chen, Meng Chang
Format: Journal Article
Language: English
Published: United States, Public Library of Science (PLoS), 16.05.2022
Summary: In recent years, studies on malware analysis have noticeably increased in the cybersecurity community. Most recent studies concentrate on malware classification and detection or on malicious pattern identification, but describing malware activity still relies heavily on manual analysis to produce high-level semantic descriptions. We develop a sequence-to-sequence (seq2seq) neural network, called TagSeq, that takes a sequence of Windows API calls recorded during malware execution and produces tags that label the malicious behavior. We propose embedding modules that transform Windows API function parameters, registry keys, filenames, and URLs into low-dimensional vectors while preserving their closeness property. Moreover, we use an attention mechanism to capture the relations between the generated tags and the specific API invocations that triggered them. Results show that TagSeq identifies the most probable malicious actions. Examples and a case study demonstrate that the proposed embedding modules preserve semantic-physical relations and that the predicted tags reflect malicious intent. We believe this work is suitable as a tool to help security analysts recognize malicious behavior and intent through easy-to-understand tags.
Competing Interests: The authors have read the journal’s policy and declare that no competing interests exist.
ISSN: 1932-6203
DOI: 10.1371/journal.pone.0263644