Abstract

In recent years, malware has grown faster than ever in volume, form and harmfulness. While existing static and dynamic analysis techniques meet common user needs for malware detection, analysts want a more detailed view that uncovers a program's architecture. Malware often hampers research with complex anti-analysis techniques, which calls for quick analysis of program structure and components to clarify the malware's functional semantics. In this paper, we use community discovery methods to automate the analysis of malware program components, building on the intuition of modular programming principles. Specifically, we design and implement DeMal, a solution to the malware module decomposition problem. It achieves remodularization by recovering program call relationships, extracting structure-related attributes, and applying an ensemble model of multiple community discovery algorithms. DeMal takes a malicious executable as input and predicts its code composition structure. In an evaluation with 155 malware samples, DeMal achieves an average F1-score of 71.3%, and 14.5% of the samples reach an average precision of 90%. The analysis time for each sample is about 19.79 s. In extended experiments with 1,621 benign programs and over 10,000 stripped malware samples, we also verify DeMal's scalability to common programs and its large-scale performance, respectively. Visualization of the results also strongly demonstrates DeMal's module decomposition capabilities.
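To make the idea of decomposing a call graph by community discovery concrete, here is an added example that is not DeMal's code. It assumes a single greedy modularity-maximisation algorithm in place of the paper's ensemble, a constructed call graph with hypothetical function names, and a pairwise F1 as the scoring method, which may differ from the paper's metric.

```python
from itertools import combinations

# Constructed call graph (caller, callee); all function names are hypothetical.
CALLS = [
    ("net_connect", "net_send"), ("net_connect", "net_recv"), ("net_send", "net_recv"),
    ("net_beacon", "net_connect"), ("net_beacon", "net_send"),
    ("cry_init", "cry_encrypt"), ("cry_init", "cry_decrypt"),
    ("cry_encrypt", "cry_keysched"), ("cry_decrypt", "cry_keysched"),
    ("per_install", "per_regwrite"), ("per_install", "per_copyself"), ("per_regwrite", "per_copyself"),
    ("net_beacon", "cry_encrypt"), ("per_install", "net_beacon"),  # cross-module calls
]
TRUTH = {f: f.split("_")[0] for e in CALLS for f in e}  # prefix = constructed true module

def modularity(parts, edges):
    """Newman modularity of a partition, treating calls as undirected edges."""
    m, q = len(edges), 0.0
    for part in parts:
        inside = sum(1 for a, b in edges if a in part and b in part)
        degree = sum((a in part) + (b in part) for a, b in edges)
        q += inside / m - (degree / (2 * m)) ** 2
    return q

def decompose(edges):
    """Greedy agglomeration: merge the pair of groups that raises modularity most."""
    parts = [frozenset([n]) for n in sorted({n for e in edges for n in e})]
    while True:
        best_q, best = modularity(parts, edges), None
        for a, b in combinations(parts, 2):
            trial = [p for p in parts if p not in (a, b)] + [a | b]
            q = modularity(trial, edges)
            if q > best_q + 1e-12:  # tolerance keeps tie-breaking deterministic
                best_q, best = q, trial
        if best is None:  # no merge improves modularity: decomposition is final
            return parts
        parts = best

def pairwise_f1(parts, truth):
    """F1 over function pairs: a pair is positive when both share a module."""
    pred = {n: i for i, p in enumerate(parts) for n in p}
    tp = fp = fn = 0
    for a, b in combinations(sorted(truth), 2):
        same_pred, same_true = pred[a] == pred[b], truth[a] == truth[b]
        tp += same_pred and same_true
        fp += same_pred and not same_true
        fn += same_true and not same_pred
    precision, recall = tp / max(tp + fp, 1), tp / max(tp + fn, 1)
    return 2 * precision * recall / (precision + recall) if tp else 0.0

if __name__ == "__main__":
    print([sorted(p) for p in decompose(CALLS)], pairwise_f1(decompose(CALLS), TRUTH))
```

On this graph the two cross-module calls do not outweigh the dense calls inside each group, so the three constructed modules are recovered; real stripped binaries give far noisier graphs, which is why the abstract reports an average F1 well below 100%.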
