* update 2024-04-23 06:18:09

arXiv_db/Malware/2024.md

@@ -1050,3 +1050,27 @@
 
 </details>
 
+<details>
+
+<summary>2024-04-18 19:07:51 - Explainable Deep Learning Models for Dynamic and Online Malware Classification</summary>
+
+- *Quincy Card, Daniel Simpson, Kshitiz Aryal, Maanak Gupta, Sheikh Rabiul Islam*
+
+- `2404.12473v1` - [abs](http://arxiv.org/abs/2404.12473v1) - [pdf](http://arxiv.org/pdf/2404.12473v1)
+
+> In recent years, there has been a significant surge in malware attacks, necessitating more advanced preventive measures and remedial strategies. While several successful AI-based malware classification approaches exist categorized into static, dynamic, or online analysis, most successful AI models lack easily interpretable decisions and explanations for their processes. Our paper aims to delve into explainable malware classification across various execution environments (such as dynamic and online), thoroughly analyzing their respective strengths, weaknesses, and commonalities. To evaluate our approach, we train Feed Forward Neural Networks (FFNN) and Convolutional Neural Networks (CNN) to classify malware based on features obtained from dynamic and online analysis environments. The feature attribution for malware classification is performed by explainability tools, SHAP, LIME and Permutation Importance. We perform a detailed evaluation of the calculated global and local explanations from the experiments, discuss limitations and, ultimately, offer recommendations for achieving a balanced approach.
+
+</details>
+
+<details>
+
+<summary>2024-04-19 08:55:03 - Static Semantics Reconstruction for Enhancing JavaScript-WebAssembly Multilingual Malware Detection</summary>
+
+- *Yifan Xia, Ping He, Xuhong Zhang, Peiyu Liu, Shouling Ji, Wenhai Wang*
+
+- `2310.17304v2` - [abs](http://arxiv.org/abs/2310.17304v2) - [pdf](http://arxiv.org/pdf/2310.17304v2)
+
+> The emergence of WebAssembly allows attackers to hide the malicious functionalities of JavaScript malware in cross-language interoperations, termed JavaScript-WebAssembly multilingual malware (JWMM). However, existing anti-virus solutions based on static program analysis are still limited to monolingual code. As a result, their detection effectiveness decreases significantly against JWMM. The detection of JWMM is challenging due to the complex interoperations and semantic diversity between JavaScript and WebAssembly. To bridge this gap, we present JWBinder, the first technique aimed at enhancing the static detection of JWMM. JWBinder performs a language-specific data-flow analysis to capture the cross-language interoperations and then characterizes the functionalities of JWMM through a unified high-level structure called Inter-language Program Dependency Graph. The extensive evaluation on one of the most representative real-world anti-virus platforms, VirusTotal, shows that \system effectively enhances anti-virus systems from various vendors and increases the overall successful detection rate against JWMM from 49.1\% to 86.2\%. Additionally, we assess the side effects and runtime overhead of JWBinder, corroborating its practical viability in real-world applications.
+
+</details>
+