Anthony J. Rose, Christine M. Schubert Kabban, Scott R. Graham, Wayne C. Henry, Christopher M. Rondeau
{"title":"通过抽象语法树和 L-moments 进行恶意软件分类","authors":"Anthony J. Rose, Christine M. Schubert Kabban, Scott R. Graham, Wayne C. Henry, Christopher M. Rondeau","doi":"10.1016/j.cose.2024.104082","DOIUrl":null,"url":null,"abstract":"<div><p>The ongoing evolution of malware presents a formidable challenge to cybersecurity: identifying unknown threats. Traditional detection methods, such as signatures and various forms of static analysis, inherently lag behind these evolving threats. This research introduces a novel approach to malware detection by leveraging the robust statistical capabilities of L-moments and the structural insights provided by Abstract Syntax Trees (ASTs) and applying them to PowerShell. L-moments, recognized for their resilience to outliers and adaptability to diverse distributional shapes, are extracted from network analysis measures like degree centrality, betweenness centrality, and closeness centrality of ASTs. These measures provide a detailed structural representation of code, enabling a deeper understanding of its inherent behaviors and patterns. This approach aims to detect not only known malware but also uncover new, previously unidentified threats. A comprehensive comparison with traditional static analysis methods shows that this approach excels in key performance metrics such as accuracy, precision, recall, and <span><math><msub><mrow><mi>F</mi></mrow><mrow><mn>1</mn></mrow></msub></math></span> score. These results demonstrate the significant potential of combining L-moments derived from network analysis with ASTs in enhancing malware detection. While static analysis remains an essential tool in cybersecurity, the integration of L-moments and advanced network analysis offers a more effective and efficient response to the dynamic landscape of cyber threats. This study paves the way for future research, particularly in extending the use of L-moments and network analysis into additional areas.</p></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"148 ","pages":"Article 104082"},"PeriodicalIF":4.8000,"publicationDate":"2024-09-06","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"https://www.sciencedirect.com/science/article/pii/S0167404824003870/pdfft?md5=255011e2faf3909f24dc4575c4f50f4f&pid=1-s2.0-S0167404824003870-main.pdf","citationCount":"0","resultStr":"{\"title\":\"Malware classification through Abstract Syntax Trees and L-moments\",\"authors\":\"Anthony J. Rose, Christine M. Schubert Kabban, Scott R. Graham, Wayne C. Henry, Christopher M. Rondeau\",\"doi\":\"10.1016/j.cose.2024.104082\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"<div><p>The ongoing evolution of malware presents a formidable challenge to cybersecurity: identifying unknown threats. Traditional detection methods, such as signatures and various forms of static analysis, inherently lag behind these evolving threats. This research introduces a novel approach to malware detection by leveraging the robust statistical capabilities of L-moments and the structural insights provided by Abstract Syntax Trees (ASTs) and applying them to PowerShell. L-moments, recognized for their resilience to outliers and adaptability to diverse distributional shapes, are extracted from network analysis measures like degree centrality, betweenness centrality, and closeness centrality of ASTs. These measures provide a detailed structural representation of code, enabling a deeper understanding of its inherent behaviors and patterns. This approach aims to detect not only known malware but also uncover new, previously unidentified threats. A comprehensive comparison with traditional static analysis methods shows that this approach excels in key performance metrics such as accuracy, precision, recall, and <span><math><msub><mrow><mi>F</mi></mrow><mrow><mn>1</mn></mrow></msub></math></span> score. These results demonstrate the significant potential of combining L-moments derived from network analysis with ASTs in enhancing malware detection. While static analysis remains an essential tool in cybersecurity, the integration of L-moments and advanced network analysis offers a more effective and efficient response to the dynamic landscape of cyber threats. This study paves the way for future research, particularly in extending the use of L-moments and network analysis into additional areas.</p></div>\",\"PeriodicalId\":51004,\"journal\":{\"name\":\"Computers & Security\",\"volume\":\"148 \",\"pages\":\"Article 104082\"},\"PeriodicalIF\":4.8000,\"publicationDate\":\"2024-09-06\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"https://www.sciencedirect.com/science/article/pii/S0167404824003870/pdfft?md5=255011e2faf3909f24dc4575c4f50f4f&pid=1-s2.0-S0167404824003870-main.pdf\",\"citationCount\":\"0\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"Computers & Security\",\"FirstCategoryId\":\"94\",\"ListUrlMain\":\"https://www.sciencedirect.com/science/article/pii/S0167404824003870\",\"RegionNum\":2,\"RegionCategory\":\"计算机科学\",\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"Q1\",\"JCRName\":\"COMPUTER SCIENCE, INFORMATION SYSTEMS\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"Computers & Security","FirstCategoryId":"94","ListUrlMain":"https://www.sciencedirect.com/science/article/pii/S0167404824003870","RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q1","JCRName":"COMPUTER SCIENCE, INFORMATION SYSTEMS","Score":null,"Total":0}
Malware classification through Abstract Syntax Trees and L-moments
The ongoing evolution of malware presents a formidable challenge to cybersecurity: identifying unknown threats. Traditional detection methods, such as signatures and various forms of static analysis, inherently lag behind these evolving threats. This research introduces a novel approach to malware detection by leveraging the robust statistical capabilities of L-moments and the structural insights provided by Abstract Syntax Trees (ASTs) and applying them to PowerShell. L-moments, recognized for their resilience to outliers and adaptability to diverse distributional shapes, are extracted from network analysis measures like degree centrality, betweenness centrality, and closeness centrality of ASTs. These measures provide a detailed structural representation of code, enabling a deeper understanding of its inherent behaviors and patterns. This approach aims to detect not only known malware but also uncover new, previously unidentified threats. A comprehensive comparison with traditional static analysis methods shows that this approach excels in key performance metrics such as accuracy, precision, recall, and score. These results demonstrate the significant potential of combining L-moments derived from network analysis with ASTs in enhancing malware detection. While static analysis remains an essential tool in cybersecurity, the integration of L-moments and advanced network analysis offers a more effective and efficient response to the dynamic landscape of cyber threats. This study paves the way for future research, particularly in extending the use of L-moments and network analysis into additional areas.
期刊介绍:
Computers & Security is the most respected technical journal in the IT security field. With its high-profile editorial board and informative regular features and columns, the journal is essential reading for IT security professionals around the world.
Computers & Security provides you with a unique blend of leading edge research and sound practical management advice. It is aimed at the professional involved with computer security, audit, control and data integrity in all sectors - industry, commerce and academia. Recognized worldwide as THE primary source of reference for applied research and technical expertise it is your first step to fully secure systems.