MAIL: Malware Analysis Intermediate Language: a step towards automating and optimizing malware detection
The paper develops MAIL as a new intermediate language and shows through experimental evaluation its effectiveness in malware analysis and detection.
Dynamic binary obfuscation, or metamorphism, is a technique where a malware never keeps the same sequence of opcodes in memory (for example through instruction reordering, dead-code insertion, and register renaming). Such malware is very difficult to analyse and detect manually, even with the help of tools.
To analyze the behavior of a program and make a better detection decision with few false positives, one approach is to translate the program into an intermediate language that provides a platform-independent abstract format.
We propose, in this paper, a new intermediate language named MAIL (Malware Analysis Intermediate Language) for malware analysis that can enhance the detection of metamorphic malware.
The basic purpose of MAIL is to represent the structural and behavioral information of an assembly program. Details about the language are given in MAIL.
We explain in detail, with examples, how an x86 and an ARM assembly program are translated into a MAIL program. The MAIL program is then annotated with patterns, and we build a CFG of the annotated MAIL program. This annotated CFG becomes part of the signature of the program and is matched against a database of known malware samples to decide whether the program contains malware or not.
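As an added illustration of the pipeline above (written for these notes, not code from the paper or from MARD, and not MAIL's real syntax or pattern set): a toy lift of x86 into a simplified IL with hypothetical pattern names, an annotated CFG reduced to a canonical signature, and a match against a small signature database. It shows that a variant with renamed registers, reordered instructions and inserted dead code still matches its original, while an unrelated program does not.

```python
import re
# Constructed toy x86 listings (not from the paper): VARIANT is ORIGINAL after
# register renaming, instruction reordering and dead-code insertion.
ORIGINAL = ["mov eax, 5", "mov ebx, 7", "cmp eax, 0", "je L1",
            "call 0x401000", "L1:", "mov ebx, eax", "ret"]
VARIANT = ["mov edx, 7", "nop", "mov ecx, 5", "cmp ecx, 0", "mov esi, esi",
           "je L1", "call 0x401000", "L1:", "mov edi, ecx", "ret"]
BENIGN = ["mov eax, 5", "add eax, 1", "ret"]
REG = re.compile(r"\b(e?[abcd]x|e?[sd]i|e?[sb]p)\b")
PATTERN = {"mov": "ASSIGN", "add": "ARITH", "cmp": "COMPARE", "call": "CALL",
           "ret": "RET", "jmp": "JUMP", "je": "CJUMP", "jne": "CJUMP"}  # hypothetical

def lift(asm):
    """Toy IL: registers become REG (beats renaming); nops/self-moves are dropped."""
    il = []
    for line in asm:
        mnem, _, ops = line.strip().partition(" ")
        if mnem.endswith(":"):                       # label, kept for CFG edges
            il.append(("LABEL", mnem[:-1])); continue
        raw = [o.strip() for o in ops.split(",")] if ops else []
        if mnem == "nop" or (mnem == "mov" and raw[0] == raw[1]):
            continue                                 # dead code adds no behaviour
        il.append((PATTERN[mnem], [REG.sub("REG", o) for o in raw]))
    return il

def signature(asm):
    """Annotated CFG as a canonical signature: sorted (block pattern, successor
    patterns); a block pattern is the sorted multiset of its statement patterns,
    so reordering inside a block does not change it."""
    blocks, cur, labels = [], [], {}
    for stmt in lift(asm):
        if stmt[0] == "LABEL":
            if cur: blocks.append(cur); cur = []
            labels[stmt[1]] = len(blocks); continue
        cur.append(stmt)
        if stmt[0] in ("JUMP", "CJUMP", "RET"):
            blocks.append(cur); cur = []
    if cur: blocks.append(cur)
    pat = lambda i: " ".join(sorted(s[0] for s in blocks[i]))
    sig = []
    for i, blk in enumerate(blocks):
        kind, ops = blk[-1]
        succ = [labels[ops[0]]] if kind in ("JUMP", "CJUMP") else []
        if kind not in ("JUMP", "RET") and i + 1 < len(blocks):
            succ.append(i + 1)                       # fall-through edge
        sig.append((pat(i), tuple(sorted(pat(s) for s in succ))))
    return tuple(sorted(sig))

def detect(asm, db):  # names of known malware whose stored signature matches
    return [name for name, known in db.items() if known == signature(asm)]
```

With `db = {"toy_family": signature(ORIGINAL)}`, `detect(VARIANT, db)` returns `['toy_family']` and `detect(BENIGN, db)` returns `[]`.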
The dataset used for the experiments consisted of a total of 1387 sample Windows programs collected from two different sources. Out of the 1387 programs, 250 are metamorphic malware samples and the other 1137 are benign programs.
The evaluation was carried out using 10-fold cross validation and a prototype implementation of our detector, named MARD.
- MAIL is designed for static binary analysis and is not suitable for dynamic binary analysis.
- If the patterns are used alone, they may not produce the desired results.
- Providing platform independence and automation for malware analysis and detection tools, as is shown by its use in the tool MARD.
- Optimizing the creation of a behavioral signature of a program, as is shown by creating an ACFG (a CFG annotated with patterns) of a binary program. We have shown how this ACFG is used for reliable malware analysis and detection in real time.
Optimizing the tool to increase its accuracy and efficiency for detecting unknown metamorphic malware.