Dynamic malware analysis is crucial for understanding and countering emerging cybersecurity threats. This work presents a novel methodology for analyzing portable executable (PE) files using dynamic analysis techniques. By leveraging the CAPEv2 sandbox, the processes of malware sample collection, distributed execution, and result aggregation were fully automated. The Hierarchical Multiple Instance Learning (HMill) framework was employed to model the relationships between malware signatures and behavioral attributes extracted from sandbox-generated JSON reports. An analysis of 80,000 samples revealed significant signatures and behavioral traits. Moreover, binary classification models for twelve signatures achieved over 90% balanced accuracy in nine cases, thereby improving model interpretability. Finally, key predictive features were distilled using Banzhaf values and minimal subtree selection. These findings enhance the understanding of malware behavior and highlight the importance of model transparency for cybersecurity compliance.

错误:搜索内容不能为空,请输入英文关键词
错误:关键词超出字数限制,请精简
高级检索

Dynamic Malware Analysis and Model Interpretability: Leveraging Hierarchical Multiple Instance Learning for Enhanced Cybersecurity

  • Sandeep Malipeddi

摘要

Dynamic malware analysis is crucial for understanding and countering emerging cybersecurity threats. This work presents a novel methodology for analyzing portable executable (PE) files using dynamic analysis techniques. By leveraging the CAPEv2 sandbox, the processes of malware sample collection, distributed execution, and result aggregation were fully automated. The Hierarchical Multiple Instance Learning (HMill) framework was employed to model the relationships between malware signatures and behavioral attributes extracted from sandbox-generated JSON reports. An analysis of 80,000 samples revealed significant signatures and behavioral traits. Moreover, binary classification models for twelve signatures achieved over 90% balanced accuracy in nine cases, thereby improving model interpretability. Finally, key predictive features were distilled using Banzhaf values and minimal subtree selection. These findings enhance the understanding of malware behavior and highlight the importance of model transparency for cybersecurity compliance.