Short- versus long-term performance of detection models for obfuscated MSOffice-embedded malware

Abstract

This paper analyzes the efficiency of various machine learning models (artificial neural networks, random forest, decision tree, AdaBoost and XGBoost) against the evolution of VBA-based (Visual Basic for Applications) malware over a large period of time (1995–2021). The file set used in our research is comprehensive—approximately 1.9 million files (out of which 944,595 are malicious and the rest are benign)—which allowed to gain insights on the resilience of various machine learning models against the diversity and the evolution of file features that reflect obfuscation techniques in VBA-based malware. In studying detection of VBA-based malware, we focus on characteristics of both the classifiers—proactivity (short-term detection efficiency against future malware), endurance (long-term detection robustness)—and of the detection-wise relevant file features—feature perishability (dynamics of feature relevance). We also describe in some detail—as a prerequisite of the study—various obfuscation techniques used by the malware under investigation during the last decade.

Details

Subject

Evolution;
Machine learning;
Visual Basic for Applications;
Artificial neural networks;
Malware;
Decision trees;
Neural networks;
Long term;
Decision making;
Robustness;
Resilience;
Proactivity

Business indexing term

Subject:

Machine learning

Title

Short- versus long-term performance of detection models for obfuscated MSOffice-embedded malware

Author

Viţel, Silviu¹; Lupaşcu, Marilena¹; Gavriluţ, Dragoş Teodor¹; Luchian, Henri²

¹ “Al.I. Cuza” University, Faculty of Computer Science, Iaşi, Romania (GRID:grid.8168.7) (ISNI:0000000419371784); Bitdefender Labs, Iaşi, Romania (GRID:grid.8168.7)
² “Al.I. Cuza” University, Faculty of Computer Science, Iaşi, Romania (GRID:grid.8168.7) (ISNI:0000000419371784)

Publication title

International Journal of Information Security; Heidelberg

Volume

Issue

Pages

271-297

Publication year

2024

Publication date

Feb 2024

Publisher

Springer Nature B.V.

Place of publication

Heidelberg

Country of publication

Netherlands

Publication subject

Computers--Computer Security

ISSN

16155262

e-ISSN

16155270

Source type

Scholarly Journal

Language of publication

English

Document type

Journal Article

Publication history

Online publication date

2023-08-14

Milestone dates

2023-07-18 (Registration); 2023-07-18 (Accepted)

Publication history

First posting date

14 Aug 2023

DOI

https://doi.org/10.1007/s10207-023-00736-5

ProQuest document ID

2917414646

Document URL

https://www.proquest.com/scholarly-journals/short-versus-long-term-performance-detection/docview/2917414646/se-2?accountid=208611

© The Author(s), under exclusive licence to Springer-Verlag GmbH, DE 2023. Springer Nature or its licensor (e.g. a society or other partner) holds exclusive rights to this article under a publishing agreement with the author(s) or other rightsholder(s); author self-archiving of the accepted manuscript version of this article is solely governed by the terms of such publishing agreement and applicable law.

Last updated

2025-11-19

Database

ProQuest One Academic

Short- versus long-term performance of detection models for obfuscated MSOffice-embedded malware

Content area

Abstract

Details