Behavior Speaks Louder: Rethinking Malware Analysis Beyond Family Classification

Fei Zhang; Xiaohong Li; Sen Chen; Ruitao Feng

doi:10.1109/TrustCom63139.2024.00048

Back

Conference proceeding

Behavior Speaks Louder: Rethinking Malware Analysis Beyond Family Classification

Fei Zhang, Xiaohong Li, Sen Chen and Ruitao Feng

2024 IEEE 23rd International Conference on Trust, Security and Privacy in Computing and Communications (TrustCom), pp.166-175

2024 IEEE 23rd International Conference on Trust, Security and Privacy in Computing and Communications (TrustCom), 23 (Sanya, China, 17/12/2024–21/12/2024)

17/12/2024

DOI: https://doi.org/10.1109/TrustCom63139.2024.00048

Appears in Recent Faculty of Science and Engineering Publications

Metrics

24 Record Views

Abstract

Accuracy

Android malware

Companies

family definitions

Labeling

Large language models

malicious behaviors

Malware

Manuals

Reliability

Security

Surveys

The classification of malicious families is essential in Android malware analysis. However, inconsistent naming standards across different antivirus companies hinder accurate identification and understanding of malicious behaviors. This study conducts an extensive analysis of Android malware families to address these challenges. First, we compared family definitions from various antivirus companies and found significant inconsistencies in the level of detail and descriptions of malicious behaviors. These inconsistencies undermine effective malware classification and analysis. Second, we assessed the alignment between described and exhibited malicious behaviors, revealing that family definitions often provide only a broad outline, omitting critical details. Additionally, evolving malware behaviors often surpass existing family definitions. To address these issues, we propose using specific behavior labels to directly indicate malicious behaviors in malware attack chains. Leveraging large language models (LLMs) and a detailed analysis of Android malicious behaviors, we identified six key behavior labels. To streamline the labeling process, we designed the AMBL frame-work, which automates the generation of behavior labels for malware. Our novel feedback mechanism-based LLM analysis method establishes relationships between APIs and behavior labels, crucial for accurate label updating. Through AMBL, a dataset with behavior analysis reports has been outputed and open sourced. An online survey and manual analysis are also conducted to validate the effectiveness of the AMBL framework and the reliability of the dataset.

Details

Title: Behavior Speaks Louder: Rethinking Malware Analysis Beyond Family Classification
Creators: Fei Zhang - Tianjin University
Xiaohong Li - Tianjin University
Sen Chen - Tianjin University
Ruitao Feng - Southern Cross University
Publication Details: 2024 IEEE 23rd International Conference on Trust, Security and Privacy in Computing and Communications (TrustCom), pp.166-175
Conference: 2024 IEEE 23rd International Conference on Trust, Security and Privacy in Computing and Communications (TrustCom), 23 (Sanya, China, 17/12/2024–21/12/2024)
Publisher: IEEE
Number of pages: 165-175
Grant note: National Natural Science Foundation of China (10.13039/501100001809)
Identifiers: 991013274247302368
Academic Unit: Faculty of Science and Engineering
Language: English
Resource Type: Conference proceeding

Behavior Speaks Louder: Rethinking Malware Analysis Beyond Family Classification

Related links

Metrics

Abstract

Details

Southern Cross University Social media