MALIGN: Explainable Static Raw-byte Based Malware Family Classification using Sequence Alignment
Shoumik Saha, Sadia Afroz, Atif Rahman
TL;DR
MAlign presents a novel static malware family classifier that operates directly on raw executables by converting bytes to nucleotide sequences and applying whole-genome sequence alignment to identify conserved code blocks. These blocks yield consensus sequences and per-block conservation scores, which are transformed into alignment-based features for a logistic regression classifier, delivering both high accuracy and interpretable explanations that map decisions back to suspicious code blocks. The approach demonstrates strong performance on the Kaggle Big 2015 and MLSec 2020 datasets, particularly with limited data, and provides a theoretical robustness claim (alignment inversion is NP-hard) plus empirical resilience to gradient-based evasion. By offering explainable signatures and concrete code-block insights, MAlign balances accuracy, interpretability, and robustness, contributing a new perspective to static malware analysis that practitioners can leverage for analysis and defense design.
Abstract
For a long time, malware classification and analysis have been an arms-race between antivirus systems and malware authors. Though static analysis is vulnerable to evasion techniques, it is still popular as the first line of defense in antivirus systems. But most of the static analyzers failed to gain the trust of practitioners due to their black-box nature. We propose MAlign, a novel static malware family classification approach inspired by genome sequence alignment that can not only classify malware families but can also provide explanations for its decision. MAlign encodes raw bytes using nucleotides and adopts genome sequence alignment approaches to create a signature of a malware family based on the conserved code segments in that family, without any human labor or expertise. We evaluate MAlign on two malware datasets, and it outperforms other state-of-the-art machine learning based malware classifiers (by 4.49% - 0.07%), especially on small datasets (by 19.48% - 1.2%). Furthermore, we explain the generated signatures by MAlign on different malware families illustrating the kinds of insights it can provide to analysts, and show its efficacy as an analysis tool. Additionally, we evaluate its theoretical and empirical robustness against some common attacks. In this paper, we approach static malware analysis from a unique perspective, aiming to strike a delicate balance among performance, interpretability, and robustness.
