* update 2024-04-27 06:18:56

arXiv_db/Malware/2024.md

@@ -1110,3 +1110,27 @@
 
 </details>
 
+<details>
+
+<summary>2024-04-25 06:54:32 - Feature graph construction with static features for malware detection</summary>
+
+- *Binghui Zou, Chunjie Cao, Longjuan Wang, Yinan Cheng, Jingzhang Sun*
+
+- `2404.16362v1` - [abs](http://arxiv.org/abs/2404.16362v1) - [pdf](http://arxiv.org/pdf/2404.16362v1)
+
+> Malware can greatly compromise the integrity and trustworthiness of information and is in a constant state of evolution. Existing feature fusion-based detection methods generally overlook the correlation between features. And mere concatenation of features will reduce the model's characterization ability, lead to low detection accuracy. Moreover, these methods are susceptible to concept drift and significant degradation of the model. To address those challenges, we introduce a feature graph-based malware detection method, MFGraph, to characterize applications by learning feature-to-feature relationships to achieve improved detection accuracy while mitigating the impact of concept drift. In MFGraph, we construct a feature graph using static features extracted from binary PE files, then apply a deep graph convolutional network to learn the representation of the feature graph. Finally, we employ the representation vectors obtained from the output of a three-layer perceptron to differentiate between benign and malicious software. We evaluated our method on the EMBER dataset, and the experimental results demonstrate that it achieves an AUC score of 0.98756 on the malware detection task, outperforming other baseline models. Furthermore, the AUC score of MFGraph decreases by only 5.884% in one year, indicating that it is the least affected by concept drift.
+
+</details>
+
+<details>
+
+<summary>2024-04-25 17:00:08 - JITScanner: Just-in-Time Executable Page Check in the Linux Operating System</summary>
+
+- *Pasquale Caporaso, Giuseppe Bianchi, Francesco Quaglia*
+
+- `2404.16744v1` - [abs](http://arxiv.org/abs/2404.16744v1) - [pdf](http://arxiv.org/pdf/2404.16744v1)
+
+> Modern malware poses a severe threat to cybersecurity, continually evolving in sophistication. To combat this threat, researchers and security professionals continuously explore advanced techniques for malware detection and analysis. Dynamic analysis, a prevalent approach, offers advantages over static analysis by enabling observation of runtime behavior and detecting obfuscated or encrypted code used to evade detection. However, executing programs within a controlled environment can be resource-intensive, often necessitating compromises, such as limiting sandboxing to an initial period. In our article, we propose an alternative method for dynamic executable analysis: examining the presence of malicious signatures within executable virtual pages precisely when their current content, including any updates over time, is accessed for instruction fetching. Our solution, named JITScanner, is developed as a Linux-oriented package built upon a Loadable Kernel Module (LKM). It integrates a user-level component that communicates efficiently with the LKM using scalable multi-processor/core technology. JITScanner's effectiveness in detecting malware programs and its minimal intrusion in normal runtime scenarios have been extensively tested, with the experiment results detailed in this article. These experiments affirm the viability of our approach, showcasing JITScanner's capability to effectively identify malware while minimizing runtime overhead.
+
+</details>
+