Table of Contents
Fetching ...

MALIGN: Explainable Static Raw-byte Based Malware Family Classification using Sequence Alignment

Shoumik Saha, Sadia Afroz, Atif Rahman

TL;DR

MAlign presents a novel static malware family classifier that operates directly on raw executables by converting bytes to nucleotide sequences and applying whole-genome sequence alignment to identify conserved code blocks. These blocks yield consensus sequences and per-block conservation scores, which are transformed into alignment-based features for a logistic regression classifier, delivering both high accuracy and interpretable explanations that map decisions back to suspicious code blocks. The approach demonstrates strong performance on the Kaggle Big 2015 and MLSec 2020 datasets, particularly with limited data, and provides a theoretical robustness claim (alignment inversion is NP-hard) plus empirical resilience to gradient-based evasion. By offering explainable signatures and concrete code-block insights, MAlign balances accuracy, interpretability, and robustness, contributing a new perspective to static malware analysis that practitioners can leverage for analysis and defense design.

Abstract

For a long time, malware classification and analysis have been an arms-race between antivirus systems and malware authors. Though static analysis is vulnerable to evasion techniques, it is still popular as the first line of defense in antivirus systems. But most of the static analyzers failed to gain the trust of practitioners due to their black-box nature. We propose MAlign, a novel static malware family classification approach inspired by genome sequence alignment that can not only classify malware families but can also provide explanations for its decision. MAlign encodes raw bytes using nucleotides and adopts genome sequence alignment approaches to create a signature of a malware family based on the conserved code segments in that family, without any human labor or expertise. We evaluate MAlign on two malware datasets, and it outperforms other state-of-the-art machine learning based malware classifiers (by 4.49% - 0.07%), especially on small datasets (by 19.48% - 1.2%). Furthermore, we explain the generated signatures by MAlign on different malware families illustrating the kinds of insights it can provide to analysts, and show its efficacy as an analysis tool. Additionally, we evaluate its theoretical and empirical robustness against some common attacks. In this paper, we approach static malware analysis from a unique perspective, aiming to strike a delicate balance among performance, interpretability, and robustness.

MALIGN: Explainable Static Raw-byte Based Malware Family Classification using Sequence Alignment

TL;DR

MAlign presents a novel static malware family classifier that operates directly on raw executables by converting bytes to nucleotide sequences and applying whole-genome sequence alignment to identify conserved code blocks. These blocks yield consensus sequences and per-block conservation scores, which are transformed into alignment-based features for a logistic regression classifier, delivering both high accuracy and interpretable explanations that map decisions back to suspicious code blocks. The approach demonstrates strong performance on the Kaggle Big 2015 and MLSec 2020 datasets, particularly with limited data, and provides a theoretical robustness claim (alignment inversion is NP-hard) plus empirical resilience to gradient-based evasion. By offering explainable signatures and concrete code-block insights, MAlign balances accuracy, interpretability, and robustness, contributing a new perspective to static malware analysis that practitioners can leverage for analysis and defense design.

Abstract

For a long time, malware classification and analysis have been an arms-race between antivirus systems and malware authors. Though static analysis is vulnerable to evasion techniques, it is still popular as the first line of defense in antivirus systems. But most of the static analyzers failed to gain the trust of practitioners due to their black-box nature. We propose MAlign, a novel static malware family classification approach inspired by genome sequence alignment that can not only classify malware families but can also provide explanations for its decision. MAlign encodes raw bytes using nucleotides and adopts genome sequence alignment approaches to create a signature of a malware family based on the conserved code segments in that family, without any human labor or expertise. We evaluate MAlign on two malware datasets, and it outperforms other state-of-the-art machine learning based malware classifiers (by 4.49% - 0.07%), especially on small datasets (by 19.48% - 1.2%). Furthermore, we explain the generated signatures by MAlign on different malware families illustrating the kinds of insights it can provide to analysts, and show its efficacy as an analysis tool. Additionally, we evaluate its theoretical and empirical robustness against some common attacks. In this paper, we approach static malware analysis from a unique perspective, aiming to strike a delicate balance among performance, interpretability, and robustness.
Paper Structure (52 sections, 11 equations, 13 figures, 14 tables, 1 algorithm)

This paper contains 52 sections, 11 equations, 13 figures, 14 tables, 1 algorithm.

Figures (13)

  • Figure 1: Overview of MAlign. (1) The malware bytes files (executables) from malware of a particular family are first converted to nucleotide sequence files. (2) Then the malware nucleotide sequences are aligned using a multiple sequence alignment tool SibeliaZ. It first identifies similar sequences in different malware to form blocks. Highly similar sequences (colored sequences) can be in different orders in different files. The sequences in each block are then aligned. (3) The aligned sequences in each block are used to construct consensus sequences and conservation scores are calculated for each conserved block. (4) Then two sets of sequences - one corresponding to the malware family of interest and the other corresponding to non-malware or malware from other families are aligned to the consensus sequences and the degrees of conservation of each conserved block in the training sequences are estimated. (5) Finally a machine learning model is learnt to classify sequences based on the alignment scores of the sequences with the blocks. To classify new instances, sequences are aligned to the consensus sequences of the blocks and alignments are scored. The scores are then used as features for the class prediction.
  • Figure 2: Details of consensus sequence, conservation score, and alignment score generation from alignment blocks. (1) Block 1 is generated from a shared common block among 3 Malwares from family A, where the code blocks can be in different orders. (2) Consensus Sequence and Conservation Score are generated from Alignment Block 1. (3) During inference time, for new Malware X-1 and X-2, they are aligned with Alignment Block 1, and scores are generated for every alignment. For example, Malware X-1 has a higher probability of belonging to Family A than Malware X-2.
  • Figure 3: Radar Chart showing Accuracy of all Models along the perimeter on each of the individual 49 malware types in the MLSec Dataset
  • Figure 4: Kelihos (version 1) Backdoor tracking user geological position for botnet connection (MD5 hash = aOCU2V7b0RkgQt9LflYF)
  • Figure 5: Tracur Trojan-Downloader trying to read file from internet (MD5 hash = gEZCMz90lrmI8cx37FNT)
  • ...and 8 more figures