Graph Learning on Instruction Stream-Augmented CFG for Malware Variant Detection

Abstract

As malware as a service (MaaS) and organized attacks develop and drive a shift in malware variant generation mechanism, current variant detection, designed to counter conventional obfuscation and anti-detection strategies, falls short in facing new challenges, particularly in identifying variants that maintain core functionalities while altering local behaviors, or those sharing similar code logic but diverge in actual functionalities. To tackle the problems, we present ISCMVD, an Instruction Stream-augmented CFG-based Malware Variant Detection scheme, melding control flow structures with machine semantic information from instruction streams within blocks to build a comprehensive functional representation for variants’ basic and detailed behaviors. Leveraging a global-enhanced attentive graph neural network to integrate local and global functional features, we significantly boost the capture of representative stable primary behaviors’ similarity from variants within the same family identifying variants generated under attackers’ code rewriting, module modification, and other transformation means. Additionally, through cross-family associative analysis, we eliminate classification interference of variants’ logic similarities stemming from the same organization generating. Evaluation results on public and real-world datasets demonstrate the superiority and robustness of ISCMVD with an average of 99.29% in AC and 99.25% in F1 and perform well even in few-shot cases. What’s more important, we achieve a breakthrough in two special sample sets including variants related to MaaS and APT group, and outperform state-of-the-art methods under the current variant generation mechanism, proving its suitability for future trends.