Minami Someya (Institute of Information Security), Yuhei Otsubo (National Police Academy), Akira Otsuka (Institute of Information Security)

Malware classification facilitates static analysis, which is manually intensive but necessary work to understand the inner workings of unknown malware. Machine learning based approaches have been actively studied and have great potential. However, their drawback is that their models are considered black boxes and are challenging to explain their classification results and thus cannot provide patterns specific to malware. To address this problem, we propose FCGAT, the first malware classification method that provides interpretable classification reasons based on program functions. FCGAT applies natural language processing techniques to create function features and updates them to reflect the calling relationships between functions. Then, it applies attention mechanism to create malware feature by emphasizing the functions that are important for classification with attention weights. FCGAT provides an importance ranking of functions based on attention weights as an explanation. We evaluate the performance of FCGAT on two datasets. The results show that the F1-Scores are 98.15% and 98.18%, which are competitive with the cutting-edge methods. Furthermore, we examine how much the functions emphasized by FCGAT contribute to the classification. Surprisingly, our result show that only top 6 (average per sample) highly-weighted functions yield as much as 70% accuracy. We also show that these functions reflect the characteristics of malware by analyzing them. FCGAT can provide analysts with reliable explanations using a small number of functions. These explanations could bring various benefits, such as improved efficiency in malware analysis and comprehensive malware trend analysis.

View More Papers

Short: Certifiably Robust Perception Against Adversarial Patch Attacks: A...

Chong Xiang (Princeton University), Chawin Sitawarin (University of California, Berkeley), Tong Wu (Princeton University), Prateek Mittal (Princeton University)

Read More

Access Your Tesla without Your Awareness: Compromising Keyless Entry...

Xinyi Xie (Shanghai Fudan Microelectronics Group Co., Ltd.), Kun Jiang (Shanghai Fudan Microelectronics Group Co., Ltd.), Rui Dai (Shanghai Fudan...

Read More

Unlocking the Potential of Domain Aware Binary Analysis in...

Dr. Zhiqiang Lin (Distinguished Professor of Engineering at The Ohio State University)

Read More

A Heuristic Approach to Detect Opaque Predicates that Disrupt...

Yu-Jye Tung (University of California, Irvine), Ian Harris (University of California Irvine)

Read More