DitDetector: Bimodal Learning based on Deceptive Image and Text for Macro Malware Detection

Yan, Jia; Wan, Ming; Jia, Xiangkun; Ying, Lingyun; Su, Purui; Wang, Zhanyi

doi:10.1145/3564625.3567982

Cited by 10 publications

(4 citation statements)

References 36 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…The integration of perceptual hashing and OCR for the detection of deceptive visual elements and textual content, respectively, alongside a novel application of the visual encoder MobileNetV3 and text encoder TextCNN, culminates in a binary classifier. DitDetector excels in mapping images and deceptive textual captures into a shared space, thereby significantly enhancing the accuracy of malicious macro detection through the adept utilization of P-code analysis [30].…”

Section: ) Machine Learning Based Approachesmentioning

confidence: 99%

Enhancing Cybersecurity With P-Code Analysis and XGBoost: A Novel Approach for Malicious VBA Macro Detection in Office Documents

Ahmadi,

Chen,

Lai

2024

IEEE Access

View full text Add to dashboard Cite

In the evolving landscape of cybersecurity, the prevalence of malicious Visual Basic for Applications (VBA) macros embedded in Office documents presents a formidable challenge. These macros, while integral to automation, have become potent vehicles for cyber-attacks, necessitating advanced detection techniques. This study introduces a comprehensive framework employing P-Code Analysis and XGBoost, a leading-edge machine learning algorithm, to address this issue. The proposed solution synergizes static analysis of VBA source code with dynamic P-Code structural analysis, enhanced by Natural Language Processing (NLP) techniques for effective feature extraction. By integrating these methodologies, our model adeptly distinguishes between benign and malicious macros, achieving an unprecedented detection accuracy of 98.70% and an F1-score of 98.81% in rigorous testing environments. The core contribution of this research lies in its innovative approach to malicious macro detection, offering a robust framework that significantly improves upon existing methods. Additionally, the utilization of XGBoost for machine learning analysis introduces a novel application in cybersecurity defenses against macro-based threats. The results underscore the efficacy of combining P-Code analysis with machine learning for cybersecurity, marking a significant stride in the detection of sophisticated cyber threats. This study not only advances the domain of cybersecurity but also lays the groundwork for future research, advocating for the exploration of further optimizations and the adaptation of our model to combat evolving attack vectors.

show abstract

Section: ) Machine Learning Based Approachesmentioning

confidence: 99%

Enhancing Cybersecurity With P-Code Analysis and XGBoost: A Novel Approach for Malicious VBA Macro Detection in Office Documents

Ahmadi,

Chen,

Lai

2024

IEEE Access

View full text Add to dashboard Cite

show abstract

“…Their detection models were trained and tested using a very large database of malicious and benign MSOffice documents (1.8 million files), collected over a long period of time . Yan et al propose DitDetector for macro malware detection, which leverages bimodal learning based on deceptive images and text [23]. They extracted preview images of documents based on an image export SDK of Oracle and textual information from preview images based on an open-source OCR engine.…”

Section: B Macro Malware Detectionmentioning

confidence: 99%

A Feasibility Study on Evasion Attacks Against NLP-Based Macro Malware Detection Algorithms

Mimura,

Yamamoto

2023

IEEE Access

View full text Add to dashboard Cite

Machine learning-based models for malware detection have gained prominence in order to detect obfuscated malware. These models extract malicious features and endeavor to classify samples as either malware or benign entities. Conversely, these benign features can be employed to imitate benign samples. With respect to Android applications, numerous researchers have assessed the hazard and tackled the problem. This evasive technique can be extended to other malicious scripts, such as macro malware. In this paper, we investigate the potential for evasive attacks against natural language processing (NLP)-based macro malware detection algorithms. We assess three language models as methods for feature extraction: Bag of Words, Latent Semantic Analysis, and Paragraph Vector. Our experimental result demonstrates that the detection rate declines to 2 percent when benign features are inserted into actual macro malware. This approach is effective even against advanced language models.

show abstract

“…1. Classification models take token representations and train supervised models to predict texts [124,219,220].…”

Section: Data-driven Modelsmentioning

confidence: 99%

“…Classification has been used to determine whether a text is relevant to analyze [168,220], or, once it is determined to be relevant, classified into different TTP categories [88,124,185,219,225]. Hybrid approaches [88,185,225] classify individual tokens or parts of sentences, whereas purely data-driven approaches classify paragraphs or entire documents [124,219,220]. While requiring less a priori knowledge of CTI texts, data-driven classification approaches rely on vast labeled datasets, limiting their application.…”

Section: Classification Modelsmentioning

confidence: 99%

Comprehending security events: context-based identification and explanation

van Ede

View full text Add to dashboard Cite

With the increased sophistication of cyber attacks, organizations are under constant threat of data breaches, disruption of business processes and reputation loss. As preventive measures are not infallible, organizations have started to more closely monitor their devices and network infrastructure for malicious activity. By swift detection of an attack at an early stage, organizations can take mitigating actions limiting the impact to their organization. This detection can be done internally or is outsourced to a Security Operations Center (SOC). The SOC deploys automated detectors that monitor devices and network traffic for suspicious events, which are subsequently sent to the SOC. Here, security operators manually analyze these events, verify whether they constitute an attack and, if required, take action.Analyzing security events is not straightforward and requires highly skilled operators. We identified three major challenges that operators face during analysis:

show abstract

DitDetector: Bimodal Learning based on Deceptive Image and Text for Macro Malware Detection

Cited by 10 publications

References 36 publications

Enhancing Cybersecurity With P-Code Analysis and XGBoost: A Novel Approach for Malicious VBA Macro Detection in Office Documents

Enhancing Cybersecurity With P-Code Analysis and XGBoost: A Novel Approach for Malicious VBA Macro Detection in Office Documents

A Feasibility Study on Evasion Attacks Against NLP-Based Macro Malware Detection Algorithms

Comprehending security events: context-based identification and explanation

Contact Info

Product

Resources

About