Affiliation:
1. Institute of Information Technology, PLA Strategic Support Force Information Engineering University, Zhengzhou 450001, China
Abstract
Microsoft has implemented several measures to defend against macro viruses, including the Antimalware Scan Interface (AMSI) and automatic macro blocking. Nevertheless, evidence shows that threat actors have found ways to bypass these mechanisms, so phishing emails continue to use malicious macros as their primary attack method. In this paper, we analyze 77 obfuscation features from the attacker's perspective and extract 46 suspicious keywords found in macros. We first combine these two types of features to train machine learning models on a public dataset. We then repeat the experiment on a self-constructed dataset of newly discovered samples to verify whether the proposed method can identify previously unseen malicious macros. Experimental results demonstrate that, compared with existing methods, the proposed method achieves a higher detection rate and better consistency. Furthermore, an ensemble of multiple classifiers, each trained on a distinct feature selection, further improves detection performance.
Funder
National Natural Science Foundation of China
Subject
Fluid Flow and Transfer Processes, Computer Science Applications, Process Chemistry and Technology, General Engineering, Instrumentation, General Materials Science
Cited by 1 article.
1. CAFE: Robust Detection of Malicious Macro Based on Cross-modal Feature Extraction. 2024 27th International Conference on Computer Supported Cooperative Work in Design (CSCWD), 8 May 2024.