MalXCap: A Method for Malware Capability Extraction

Abstract

In the present cyber landscape, the sophistication level of malware attacks is rising steadily. Advanced Persistent Threats (APT) and other sophisticated attacks employ complex and intelligent malware. Such malware integrates numerous malignant capabilities into a single complex form of malware, known as multipurpose malware. As attacks get more complicated, it is increasingly important to be aware of what the detected malware can do and comprehend the complete range of functionalities. Traditional malware analysis focuses on malware detection and family classification. The family classification provides insights about the dominant capability rather than the full range of capabilities present in the malware, which is insufficient. Hence, we propose MalXCap to extract multiple functionalities (named malware capabilities) hidden within a single malware sample. MalXCap employs dynamic analysis and captures malware capabilities by identifying patterns of API call sequences to achieve the goal. In the current workflow, there is no publicly available malware capability dataset. Therefore, we analyze 8k malware samples collected from the public domain, identify 12 different capabilities, and prepare a dataset. We use this dataset to train MalXCap and learn the patterns of API sequences to detect different malignant capabilities. MalXCap demonstrates its efficiency by achieving 97.02% accuracy score and 0.0025 hamming loss. Analyzing the capabilities of malware enables security professionals to understand the advanced techniques used in malware, summarize the attack, and develop better countermeasures.

Appendix

Binary Relevance (BR). Binary Relevance is a popular and straightforward problem transformation method. In this method we chose 12 different gaussian naive bayes based single-label binary classifiers to predict 12 capabilities.

Fig. 5.

Multi-Label classification based on Binary-Relevance

As illustrated in Fig. 5, each classifier produce output as 0/1 for each malware capability. We take the union of all outputs predicted by every classifier and consider them multi-label outputs for the given sample. This model’s effectiveness suffers if the dataset’s target labels are dependent or correlated with each other.

Classifier Chain (CC). This method solves the limitation of Binary Relevance by addressing the label correlation problem by using a chain of binary classifiers with same length as the number of target labels. As shown in Fig. 6, \(m_i\) represents a data sample which \(C_1\) uses as input (step 1) and predicts output as \(l_1\) (step 2), where \(l_1 \in \{0,1\}\). Further, \(C_2\) uses \(m_i\) and \(l_1\) combined as input (step 3) and produces output as \(l_2\) (step 4), where \(l_2 \in \{0,1\}\). Similarly, this chain goes on till \(C_n\), and we compute the union of each \(C_x\), where \(1 \le x \le n\), and produce a multi-label output of \(1 \times n\) dimensions. Following this approach, the CC method solves the label correlation problem present in the binary Relevance method.

Fig. 6.

Multi-Label classification based on Classifier-Chain

Label Powerset (LP). This method addresses the issue of simultaneously assigning multiple labels to an instance. This method considers all possible label combinations for every instance in the dataset. As shown in the Table 6, If a data sample associates with two target labels, \(L_1\) and \(L_3\), it obtains a new target label as \(L_{1,3}\) in the dataset and repeat this for all data samples to transformed the dataset into single-label dataset. In the worst-case scenario, the LP method generates \(2^{|L|}\) number of new single-label target classes for L multi-label target classes. Thus, this method’s computational complexity poses a problem and it grows exponentially with the number of target classes.

Table 6. Label Powerset Transformation

Multi-label k Nearest Neighbors (ML-KNN). ML-kNN is a lazy learning approach and combines the concepts of KNN and Bayesian probability to make predictions for multi-label classification. It consists of two phases: training phase and prediction phase. In the training phase, the first step is to preprocess the data. Let N denote training instances and L denote total target labels. Each training instance i is denoted by a feature vector \(X_i\) of dimension D (where D depends on the type of feature transformation method), and its label vector \(Y_i\) is a binary vector of length L, indicating the presence or absence of each label. After that, For each class j, we estimate the prior probability \(P(Y_j)\) and the conditional probabilities \(P(X|Y_j)\) for each feature given the class using maximum likelihood estimation. We follow formula as given below:

$$\begin{aligned} P(Y_j) = \frac{\text {Number of instances with label } Y_j}{N} \end{aligned}$$

(10)

$$\begin{aligned} P(X_k|Y_j) = \frac{\text {Number of samples with label } Y_j \text { and feature value } X_k}{ \text {Number of samples with label } Y_j} \end{aligned}$$

(11)

where \(P(Y_j)\) represent prior probability and \(P(X_k|Y_j)\) represent conditional probabilities. After that, we store the transformed training instances and their corresponding label vectors. In next prediction phase, we convert the test instance into the same format as the training instances. Let \(X_{test}\) denote the feature vector of test instance. We use euclidean distance as distance metric to find K training instances that are most similar to \(X_{test}\) test instance based on the feature values. Let \(N_k\) denote the indices of nearest neighbors. Now, for each label j, we calculate the conditional probabilities \(P(Y_j|X_{test})\) using Bayes’ theorem:

$$\begin{aligned} P(Y_j|X_{test}) = \frac{P(Y_j) * \prod _k P(X_k|Y_j)}{Z} \end{aligned}$$

(12)

where \(X_k\) represents the feature values of \(k^{th}\) nearest neighbor, and Z represent a normalization constant. The product \(\prod \) is taken over all K nearest neighbors.

Further, we select the top labels with the highest probabilities \(P(Y_j|X_{test})\) as the predicted labels for the given test instance. By considering the label probabilities and feature similarities, ML-kNN finds the K nearest neighbors and assigns labels based on their votes.