Bibliographic Details

| Field | Value |
|---|---|
| Title: | Malicious Office Macro Detection: Combined Features with Obfuscation and Suspicious Keywords. |
| Authors: | Chen, Xiang; Wang, Wenbo; Han, Weitao |
| Source: | Applied Sciences (2076-3417); Nov 2023, Vol. 13, Issue 22, p12101, 15p |
| Subject terms: | MACHINE learning, ANTI-malware (Computer software), FEATURE selection, PHISHING, EMAIL security |
| Company/Organization: | MICROSOFT Corp. |
| Abstract: | Microsoft has implemented several measures to defend against macro viruses, including the use of the Antimalware Scan Interface (AMSI) and automatic macro blocking. Nevertheless, evidence shows that threat actors have found ways to bypass these mechanisms. As a result, phishing emails continue to utilize malicious macros as their primary attack method. In this paper, we analyze 77 obfuscation features from the attacker's perspective and extract 46 suspicious keywords in macros. We first combine the aforementioned two types of features to train machine learning models on a public dataset. Then, we conduct the same experiment on a self-constructed dataset consisting of newly discovered samples, in order to verify if our proposed method can identify previously unseen malicious macros. Experimental results demonstrate that, compared to existing methods, our proposed method has a higher detection rate and better consistency. Furthermore, ensemble multi-classifiers with distinct feature selection can further enhance the detection performance. [ABSTRACT FROM AUTHOR] |
| Copyright note: | Copyright of Applied Sciences (2076-3417) is the property of MDPI and its content may not be copied or emailed to multiple sites without the copyright holder's express written permission. Additionally, content may not be used with any artificial intelligence tools or machine learning technologies. However, users may print, download, or email articles for individual use. This abstract may be abridged. No warranty is given about the accuracy of the copy. Users should refer to the original published version of the material for the full abstract. (Copyright applies to all Abstracts.) |
| Database: | Complementary Index |