Obfuscated VBA macro detection using machine learning

Sangwoo Kim, Seokmyung Hong, Jaesang Oh, Heejo Lee

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

5 Citations (Scopus)

Abstract

Malware using document files as an attack vector has continued to increase and now constitutes a large portion of phishing attacks. To avoid anti-virus detection, malware writers usually implement obfuscation techniques in their source code. Although obfuscation is related to malicious code detection, little research has been conducted on obfuscation with regard to Visual Basic for Applications (VBA) macros. In this paper, we summarize the obfuscation techniques and propose an obfuscated macro code detection method using five machine learning classifiers. To train these classifiers, our proposed method uses 15 discriminant static features, taking into account the characteristics of the VBA macros. We evaluated our approach using a real-world dataset of obfuscated and non-obfuscated VBA macros extracted from Microsoft Office document files. The experimental results demonstrate that our detection approach achieved an F2 score improvement of greater than 23% compared to those of related studies.

Original language: English
Title of host publication: Proceedings - 48th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2018
Publisher: Institute of Electrical and Electronics Engineers Inc.
Pages: 490-501
Number of pages: 12
ISBN (Electronic): 9781538655955
Publication status: Published - 2018 Jul 19
Event: 48th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2018 - Luxembourg City, Luxembourg
Duration: 2018 Jun 25 to 2018 Jun 28

Other

Other: 48th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2018
Country: Luxembourg
City: Luxembourg City
Period: 18/6/25 to 18/6/28


Keywords

  • Machine learning
  • Macro malware
  • Microsoft Office document
  • Obfuscation
  • VBA macro

ASJC Scopus subject areas

  • Safety, Risk, Reliability and Quality
  • Computer Networks and Communications
  • Hardware and Architecture
  • Energy Engineering and Power Technology

Cite this

Kim, S., Hong, S., Oh, J., & Lee, H. (2018). Obfuscated VBA macro detection using machine learning. In Proceedings - 48th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2018 (pp. 490-501). [8416509] Institute of Electrical and Electronics Engineers Inc. https://doi.org/10.1109/DSN.2018.00057