Obfuscated VBA macro detection using machine learning

Sangwoo Kim; Seokmyung Hong; Jaesang Oh; Heejo Lee

doi:10.1109/DSN.2018.00057

Obfuscated VBA macro detection using machine learning

Sangwoo Kim, Seokmyung Hong, Jaesang Oh, Heejo Lee

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

43 Citations (Scopus)

Abstract

Malware using document files as an attack vector has continued to increase and now constitutes a large portion of phishing attacks. To avoid anti-virus detection, malware writers usually implement obfuscation techniques in their source code. Although obfuscation is related to malicious code detection, little research has been conducted on obfuscation with regards to Visual Basic for Applications (VBA) macros. In this paper, we summarize the obfuscation techniques and propose an obfuscated macro code detection method using five machine learning classifiers. To train these classifiers, our proposed method uses 15 discriminant static features, taking into account the characteristics of the VBA macros. We evaluated our approach using a real-world dataset of obfuscated and non-obfuscated VBA macros extracted from Microsoft Office document files. The experimental results demonstrate that our detection approach achieved a F2 score improvement of greater than 23% compared to those of related studies.

Original language	English
Title of host publication	Proceedings - 48th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2018
Publisher	Institute of Electrical and Electronics Engineers Inc.
Pages	490-501
Number of pages	12
ISBN (Electronic)	9781538655955
DOIs	https://doi.org/10.1109/DSN.2018.00057
Publication status	Published - 2018 Jul 19
Event	48th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2018 - Luxembourg City, Luxembourg Duration: 2018 Jun 25 → 2018 Jun 28

Publication series

Name	Proceedings - 48th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2018

Other

Other	48th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2018
Country/Territory	Luxembourg
City	Luxembourg City
Period	18/6/25 → 18/6/28

Bibliographical note

Publisher Copyright:
© 2018 IEEE.

Keywords

Machine learning
Macro malware
Microsoft Office document
Obfuscation
VBA macro

ASJC Scopus subject areas

Safety, Risk, Reliability and Quality
Computer Networks and Communications
Hardware and Architecture
Energy Engineering and Power Technology

Access to Document

10.1109/DSN.2018.00057

Cite this

Kim, S., Hong, S., Oh, J., & Lee, H. (2018). Obfuscated VBA macro detection using machine learning. In Proceedings - 48th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2018 (pp. 490-501). Article 8416509 (Proceedings - 48th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2018). Institute of Electrical and Electronics Engineers Inc.. https://doi.org/10.1109/DSN.2018.00057

Obfuscated VBA macro detection using machine learning. / Kim, Sangwoo; Hong, Seokmyung; Oh, Jaesang et al.
Proceedings - 48th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2018. Institute of Electrical and Electronics Engineers Inc., 2018. p. 490-501 8416509 (Proceedings - 48th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2018).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Kim, S, Hong, S, Oh, J & Lee, H 2018, Obfuscated VBA macro detection using machine learning. in Proceedings - 48th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2018., 8416509, Proceedings - 48th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2018, Institute of Electrical and Electronics Engineers Inc., pp. 490-501, 48th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2018, Luxembourg City, Luxembourg, 18/6/25. https://doi.org/10.1109/DSN.2018.00057

Kim S, Hong S, Oh J, Lee H. Obfuscated VBA macro detection using machine learning. In Proceedings - 48th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2018. Institute of Electrical and Electronics Engineers Inc. 2018. p. 490-501. 8416509. (Proceedings - 48th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2018). doi: 10.1109/DSN.2018.00057

Kim, Sangwoo ; Hong, Seokmyung ; Oh, Jaesang et al. / Obfuscated VBA macro detection using machine learning. Proceedings - 48th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2018. Institute of Electrical and Electronics Engineers Inc., 2018. pp. 490-501 (Proceedings - 48th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2018).

@inproceedings{1dae8000570c4d90b5dfb240a583f3d9,

title = "Obfuscated VBA macro detection using machine learning",

abstract = "Malware using document files as an attack vector has continued to increase and now constitutes a large portion of phishing attacks. To avoid anti-virus detection, malware writers usually implement obfuscation techniques in their source code. Although obfuscation is related to malicious code detection, little research has been conducted on obfuscation with regards to Visual Basic for Applications (VBA) macros. In this paper, we summarize the obfuscation techniques and propose an obfuscated macro code detection method using five machine learning classifiers. To train these classifiers, our proposed method uses 15 discriminant static features, taking into account the characteristics of the VBA macros. We evaluated our approach using a real-world dataset of obfuscated and non-obfuscated VBA macros extracted from Microsoft Office document files. The experimental results demonstrate that our detection approach achieved a F2 score improvement of greater than 23% compared to those of related studies.",

keywords = "Machine learning, Macro malware, Microsoft Office document, Obfuscation, VBA macro",

author = "Sangwoo Kim and Seokmyung Hong and Jaesang Oh and Heejo Lee",

note = "Publisher Copyright: {\textcopyright} 2018 IEEE.; 48th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2018 ; Conference date: 25-06-2018 Through 28-06-2018",

year = "2018",

month = jul,

day = "19",

doi = "10.1109/DSN.2018.00057",

language = "English",

series = "Proceedings - 48th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2018",

publisher = "Institute of Electrical and Electronics Engineers Inc.",

pages = "490--501",

booktitle = "Proceedings - 48th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2018",

}

TY - GEN

T1 - Obfuscated VBA macro detection using machine learning

AU - Kim, Sangwoo

AU - Hong, Seokmyung

AU - Oh, Jaesang

AU - Lee, Heejo

PY - 2018/7/19

Y1 - 2018/7/19

N2 - Malware using document files as an attack vector has continued to increase and now constitutes a large portion of phishing attacks. To avoid anti-virus detection, malware writers usually implement obfuscation techniques in their source code. Although obfuscation is related to malicious code detection, little research has been conducted on obfuscation with regards to Visual Basic for Applications (VBA) macros. In this paper, we summarize the obfuscation techniques and propose an obfuscated macro code detection method using five machine learning classifiers. To train these classifiers, our proposed method uses 15 discriminant static features, taking into account the characteristics of the VBA macros. We evaluated our approach using a real-world dataset of obfuscated and non-obfuscated VBA macros extracted from Microsoft Office document files. The experimental results demonstrate that our detection approach achieved a F2 score improvement of greater than 23% compared to those of related studies.

AB - Malware using document files as an attack vector has continued to increase and now constitutes a large portion of phishing attacks. To avoid anti-virus detection, malware writers usually implement obfuscation techniques in their source code. Although obfuscation is related to malicious code detection, little research has been conducted on obfuscation with regards to Visual Basic for Applications (VBA) macros. In this paper, we summarize the obfuscation techniques and propose an obfuscated macro code detection method using five machine learning classifiers. To train these classifiers, our proposed method uses 15 discriminant static features, taking into account the characteristics of the VBA macros. We evaluated our approach using a real-world dataset of obfuscated and non-obfuscated VBA macros extracted from Microsoft Office document files. The experimental results demonstrate that our detection approach achieved a F2 score improvement of greater than 23% compared to those of related studies.

KW - Machine learning

KW - Macro malware

KW - Microsoft Office document

KW - Obfuscation

KW - VBA macro

UR - http://www.scopus.com/inward/record.url?scp=85051066242&partnerID=8YFLogxK

U2 - 10.1109/DSN.2018.00057

DO - 10.1109/DSN.2018.00057

M3 - Conference contribution

AN - SCOPUS:85051066242

T3 - Proceedings - 48th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2018

SP - 490

EP - 501

BT - Proceedings - 48th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2018

PB - Institute of Electrical and Electronics Engineers Inc.

T2 - 48th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2018

Y2 - 25 June 2018 through 28 June 2018

ER -

Obfuscated VBA macro detection using machine learning

Abstract

Publication series

Other

Bibliographical note

Keywords

ASJC Scopus subject areas

Access to Document

Other files and links

Fingerprint

Cite this