RecMaL: Rectify the malware family label via hybrid analysis

Abstract

Intelligent applications can be significantly impacted by incorrectly categorized data. Recently, artificial intelligence technology has been deployed in an increasing number of security-related scenarios, but the issue of data mislabeling has received little attention. We concentrate on the problem of malware mislabeling in this paper. Unfortunately, in the security field, the mislabeling issue of malware is not taken seriously. Existing work attempts to aggregate the AV labels to alleviate malware mislabeling. This will mislead the security analyst and pass the error to subsequent data-driven applications. Therefore, we conduct an in-depth analysis to explore the severity of the malware mislabel issue, and try to rectify the description of malware generated from anti-virus engines. We first propose a malware label correction tool called RecMaL. It employs hybrid analyses for malware label rectifying.According to the thorough exploratory analysis, we figure out the core reasons for mislabeling issues and summarize them into 3 types. To verify the effectiveness and how RecMaL benefits the downstream applications (e.g., malware classification), we evaluate RecMaL through a series of experiments and show that the main components of RecMaL improve the performance, which proves our method effectively alleviates the mislabeling issue.