Abstract
Nowadays, the malicious MS-Office document has become one of the most effective attack vectors in APT attacks. Though many protection mechanisms are provided, they have proved easy to bypass, and existing detection methods perform poorly when facing malicious documents that exploit unknown vulnerabilities or exhibit few malicious behaviors. In this paper, we first introduce the definition of im-documents to describe those vulnerable documents which show implicitly malicious behaviors and escape most public antivirus engines. Then we present GLDOC, a GCN-based framework aimed at effectively detecting im-documents with dynamic analysis and covering the possible blind spots of past detection methods. Besides system calls, which are the only focus of most prior research, we capture all dynamic behaviors in a sandbox, take the process tree into consideration, and reconstruct both of them into graphs. Using a separate line to learn each graph, GLDOC trains a 2-channel network as well as a classifier, formulating the malicious document detection problem as a graph learning and classification problem. Experiments show that GLDOC achieves a comprehensive balance between accuracy rate and false alarm rate, 95.33% and 4.33% respectively, outperforming other detection methods. When further tested in a simulated 5-day attack scenario, our proposed framework still maintains a stable and high detection accuracy on unknown vulnerabilities.
Funder
Natural Science Foundation of China
Publisher
Springer Science and Business Media LLC