Obfuscated VBA macro detection using machine learning

Sangwoo Kim; Seokmyung Hong; Jaesang Oh; Heejo Lee

doi:10.1109/DSN.2018.00057

Obfuscated VBA macro detection using machine learning

Sangwoo Kim, Seokmyung Hong, Jaesang Oh, Heejo Lee

Department of Computer Science and Engineering

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

5 Citations (Scopus)

Abstract

Malware using document files as an attack vector has continued to increase and now constitutes a large portion of phishing attacks. To avoid anti-virus detection, malware writers usually implement obfuscation techniques in their source code. Although obfuscation is related to malicious code detection, little research has been conducted on obfuscation with regards to Visual Basic for Applications (VBA) macros. In this paper, we summarize the obfuscation techniques and propose an obfuscated macro code detection method using five machine learning classifiers. To train these classifiers, our proposed method uses 15 discriminant static features, taking into account the characteristics of the VBA macros. We evaluated our approach using a real-world dataset of obfuscated and non-obfuscated VBA macros extracted from Microsoft Office document files. The experimental results demonstrate that our detection approach achieved a F2 score improvement of greater than 23% compared to those of related studies.

Original language	English
Title of host publication	Proceedings - 48th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2018
Publisher	Institute of Electrical and Electronics Engineers Inc.
Pages	490-501
Number of pages	12
ISBN (Electronic)	9781538655955
DOIs	https://doi.org/10.1109/DSN.2018.00057
Publication status	Published - 2018 Jul 19
Event	48th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2018 - Luxembourg City, Luxembourg Duration: 2018 Jun 25 → 2018 Jun 28

Other

Other	48th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2018
Country	Luxembourg
City	Luxembourg City
Period	18/6/25 → 18/6/28

Fingerprint

Keywords

Machine learning
Macro malware
Microsoft Office document
Obfuscation
VBA macro

ASJC Scopus subject areas

Safety, Risk, Reliability and Quality
Computer Networks and Communications
Hardware and Architecture
Energy Engineering and Power Technology

Cite this

Kim, S., Hong, S., Oh, J., & Lee, H. (2018). Obfuscated VBA macro detection using machine learning. In Proceedings - 48th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2018 (pp. 490-501). [8416509] Institute of Electrical and Electronics Engineers Inc.. https://doi.org/10.1109/DSN.2018.00057

Obfuscated VBA macro detection using machine learning. / Kim, Sangwoo; Hong, Seokmyung; Oh, Jaesang; Lee, Heejo.

Proceedings - 48th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2018. Institute of Electrical and Electronics Engineers Inc., 2018. p. 490-501 8416509.

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Kim, S, Hong, S, Oh, J & Lee, H 2018, Obfuscated VBA macro detection using machine learning. in Proceedings - 48th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2018., 8416509, Institute of Electrical and Electronics Engineers Inc., pp. 490-501, 48th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2018, Luxembourg City, Luxembourg, 18/6/25. https://doi.org/10.1109/DSN.2018.00057

@inproceedings{1dae8000570c4d90b5dfb240a583f3d9,

title = "Obfuscated VBA macro detection using machine learning",

abstract = "Malware using document files as an attack vector has continued to increase and now constitutes a large portion of phishing attacks. To avoid anti-virus detection, malware writers usually implement obfuscation techniques in their source code. Although obfuscation is related to malicious code detection, little research has been conducted on obfuscation with regards to Visual Basic for Applications (VBA) macros. In this paper, we summarize the obfuscation techniques and propose an obfuscated macro code detection method using five machine learning classifiers. To train these classifiers, our proposed method uses 15 discriminant static features, taking into account the characteristics of the VBA macros. We evaluated our approach using a real-world dataset of obfuscated and non-obfuscated VBA macros extracted from Microsoft Office document files. The experimental results demonstrate that our detection approach achieved a F2 score improvement of greater than 23% compared to those of related studies.",

keywords = "Machine learning, Macro malware, Microsoft Office document, Obfuscation, VBA macro",

author = "Sangwoo Kim and Seokmyung Hong and Jaesang Oh and Heejo Lee",

year = "2018",

month = jul

day = "19",

doi = "10.1109/DSN.2018.00057",

language = "English",

pages = "490--501",

booktitle = "Proceedings - 48th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2018",

publisher = "Institute of Electrical and Electronics Engineers Inc.",

note = "48th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2018 ; Conference date: 25-06-2018 Through 28-06-2018",

}

TY - GEN

T1 - Obfuscated VBA macro detection using machine learning

AU - Kim, Sangwoo

AU - Hong, Seokmyung

AU - Oh, Jaesang

AU - Lee, Heejo

PY - 2018/7/19

Y1 - 2018/7/19

N2 - Malware using document files as an attack vector has continued to increase and now constitutes a large portion of phishing attacks. To avoid anti-virus detection, malware writers usually implement obfuscation techniques in their source code. Although obfuscation is related to malicious code detection, little research has been conducted on obfuscation with regards to Visual Basic for Applications (VBA) macros. In this paper, we summarize the obfuscation techniques and propose an obfuscated macro code detection method using five machine learning classifiers. To train these classifiers, our proposed method uses 15 discriminant static features, taking into account the characteristics of the VBA macros. We evaluated our approach using a real-world dataset of obfuscated and non-obfuscated VBA macros extracted from Microsoft Office document files. The experimental results demonstrate that our detection approach achieved a F2 score improvement of greater than 23% compared to those of related studies.

AB - Malware using document files as an attack vector has continued to increase and now constitutes a large portion of phishing attacks. To avoid anti-virus detection, malware writers usually implement obfuscation techniques in their source code. Although obfuscation is related to malicious code detection, little research has been conducted on obfuscation with regards to Visual Basic for Applications (VBA) macros. In this paper, we summarize the obfuscation techniques and propose an obfuscated macro code detection method using five machine learning classifiers. To train these classifiers, our proposed method uses 15 discriminant static features, taking into account the characteristics of the VBA macros. We evaluated our approach using a real-world dataset of obfuscated and non-obfuscated VBA macros extracted from Microsoft Office document files. The experimental results demonstrate that our detection approach achieved a F2 score improvement of greater than 23% compared to those of related studies.

KW - Machine learning

KW - Macro malware

KW - Microsoft Office document

KW - Obfuscation

KW - VBA macro

UR - http://www.scopus.com/inward/record.url?scp=85051066242&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=85051066242&partnerID=8YFLogxK

U2 - 10.1109/DSN.2018.00057

DO - 10.1109/DSN.2018.00057

M3 - Conference contribution

AN - SCOPUS:85051066242

SP - 490

EP - 501

BT - Proceedings - 48th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2018

PB - Institute of Electrical and Electronics Engineers Inc.

T2 - 48th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2018

Y2 - 25 June 2018 through 28 June 2018

ER -

Access to Document

10.1109/DSN.2018.00057