Top

Published in:

2019 | OriginalPaper | Chapter

Towards Efficient Detection of Malicious VBA Macros with LSI

Authors : Mamoru Mimura, Taro Ohminami

Published in: Advances in Information and Computer Security

Publisher: Springer International Publishing

Activate our intelligent search to find suitable subject content or patents.

search-config

AI-assisted search

Off

Abstract

Targeted email attacks are one of main threats for organizations of all sizes and across every field. In targeted email attacks, malicious VBA (Visual Basic for Applications) macros are often contained in the attachment files to exploit the target computers. These malicious VBA macros are obfuscated in several ways to evade detection. Hence, pattern-based detection has a limitation in detecting these new malicious VBA macros. To detect new malicious VBA macros, some methods with machine learning techniques have been proposed. A method extracts words from the source code, and constructs a language model to represent VBA macros for machine learning techniques. This method, however, constructs a language model from all the extracted words. Therefore, this model might contain unnecessary words to classify. To construct an efficient language model, we focus on LSI (Latent Semantic Indexing). LSI is one of the foundational techniques in topic modeling, and calculates similarity of documents. Our method uses LSI to construct an efficient language model, which produces more accuracy and efficiency. To the best of our knowledge, our method is the first method to detect new malicious VBA macros with LSI. Our method extracts words from the source code and converts into feature vectors with some Natural Language Processing techniques. Our method trains a classifier with benign and malicious VBA macros and detects new malicious VBA macros. Several thousands of samples for evaluation are obtained from Virus Total. The experimental result shows that our method can detect new malicious VBA macros more accurately and efficiently. The best F-measure achieves 0.95.

Dont have a licence yet? Then find out more about our products and how to get one now:

Springer Professional "Wirtschaft+Technik"

Online-Abonnement

Mit Springer Professional "Wirtschaft+Technik" erhalten Sie Zugriff auf:

über 102.000 Bücher
über 537 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Finance + Banking
Management + Führung
Marketing + Vertrieb
Maschinenbau + Werkstoffe
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

inform now

Springer Professional "Technik"

Online-Abonnement

Mit Springer Professional "Technik" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 390 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Maschinenbau + Werkstoffe

Jetzt Wissensvorsprung sichern!

inform now

Springer Professional "Wirtschaft"

Online-Abonnement

Mit Springer Professional "Wirtschaft" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 340 Zeitschriften

aus folgenden Fachgebieten:

Bauwesen + Immobilien
Business IT + Informatik
Finance + Banking
Management + Führung
Marketing + Vertrieb
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

inform now

previous chapter Correlating High- and Low-Level Features:

next chapter IDS Alert Priority Determination Based on Traffic Behavior

gensim topic modelling for humans. https://radimrehurek.com/gensim/

olevba. https://github.com/decalage2/oletools/wiki/olevba

scikit-learn machine learning in Python. https://scikit-learn.org/

Virus total. https://www.virustotal.com/

Windows defender antivirus. https://www.microsoft.com/en-us/windows/windows-defender/

Wolf in sheep’s clothing: a SophosLabs investigation into delivering malware via VBA. https://nakedsecurity.sophos.com/2017/05/31/wolf-in-sheeps-clothing-a-sophoslabs-investigation-into-delivering-malware-via-vba/

Bearden, R., Lo, D.C.T.: Automated microsoft office macro malware detection using machine learning. In: Nie, J.Y., et al. (eds.) 2017 IEEE International Conference on Big Data, BigData 2017, Boston, MA, USA, 11–14 December 2017, pp. 4448–4452. IEEE (2017). http://ieeexplore.ieee.org/xpl/mostRecentIssue.jsp?punumber=8241556

Boldewin, F.: Analyzing msoffice malware with officemalscanner, 30 July 2009

Cohen, A., Nissim, N., Rokach, L., Elovici, Y.: SFEM: structural feature extraction methodology for the detection of malicious office documents using machine learning methods. Expert Syst. Appl. 63, 324–343 (2016)CrossRef

10.

Kancherla, K., Mukkamala, S.: Image visualization based malware detection. In: 2013 IEEE Symposium on Computational Intelligence in Cyber Security (CICS), pp. 40–44, April 2013

11.

Kim, S., Hong, S., Oh, J., Lee, H.: Obfuscated VBA macro detection using machine learning. In: DSN, pp. 490–501. IEEE Computer Society (2018). http://ieeexplore.ieee.org/xpl/mostRecentIssue.jsp?punumber=8415926

12.

Le, Q.V., Mikolov, T.: Distributed representations of sentences and documents. In: Proceedings of the 31th International Conference on Machine Learning, ICML 2014, Beijing, China, 21–26 June 2014, pp. 1188–1196 (2014). http://jmlr.org/proceedings/papers/v32/le14.html

13.

Mimura, M., Miura, H.: Detecting unseen malicious VBA macros with NLP techniques. J. Inf. Process. (JIP) 27 (2019, in press)

14.

Mimura, M., Otsubo, Y., Tanaka, H.: Evaluation of a brute forcing tool that extracts the rat from a malicious document file. In: AsiaJCIS, pp. 147–154. IEEE Computer Society (2016). http://ieeexplore.ieee.org/xpl/mostRecentIssue.jsp?punumber=7781470

15.

Mimura, M., Otsubo, Y., Tanaka, H., Goto, A.: Is emulating “binary grep in eyes” possible with machine learning? In: CANDAR, pp. 337–343. IEEE Computer Society (2017). http://ieeexplore.ieee.org/xpl/mostRecentIssue.jsp?punumber=8338657

16.

Miura, H., Mimura, M., Tanaka, H.: Discovering new malware families using a linguistic-based macros detection method. In: 2018 Sixth International Symposium on Computing and Networking Workshops (CANDARW), pp. 431–437, November 2018

17.

Miura, H., Mimura, M., Tanaka, H.: Macros finder: do you remember LOVELETTER? In: Su, C., Kikuchi, H. (eds.) ISPEC 2018. LNCS, vol. 11125, pp. 3–18. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-99807-7_1CrossRef

18.

Nissim, N., Cohen, A., Elovici, Y.: ALDOCX: detection of unknown malicious microsoft office documents using designated active learning methods based on new structural feature extraction methodology. IEEE Trans. Inf. Forensics Secur. 12(3), 631–646 (2017)CrossRef

19.

Otsubo, Y., Mimura, M., Tanaka, H.: O-checker : detection of malicious documents through deviation from file format specifications. In: Black Hat USA (2016)

Title: Towards Efficient Detection of Malicious VBA Macros with LSI
Authors: Mamoru Mimura
Taro Ohminami
Publisher: Springer International Publishing
Book: Advances in Information and Computer Security
Print ISBN: 978-3-030-26833-6

Electronic ISBN: 978-3-030-26834-3

Copyright Year: 2019
DOI: https://doi.org/10.1007/978-3-030-26834-3_10

Springer Professional

Abstract

Please log in to get access to your license.

Dont have a licence yet? Then find out more about our products and how to get one now:

Springer Professional "Wirtschaft+Technik"

Springer Professional "Technik"

Springer Professional "Wirtschaft"

Premium Partner