Bifocal Agent: enhancing malicious function detection in malware analysis
摘要
Although numerous solutions have been proposed for the automatic detection of malicious components in executable files, malware analysis remains largely a manual task, with the human analyst often representing the main bottleneck. Recent approaches seek to highlight suspicious code regions to reduce analyst effort, but many still rely on signatures or produce high false-positive rates. To address these limitations within the anomaly-based detection paradigm, we present Bifocal Agent, an unsupervised method that analyzes Windows PE executables at two distinct levels of granularity: functions and basic blocks. Our autoencoder-based architecture leverages semantic-aware features and a new strategy for aggregating reconstruction errors to improve the detection of malicious code regions. Results on a dataset comprising three malware families (Rbot, Pegasus, and Carbanak) show that our proposal increases the ROC AUC by 20% (from 0.73 to 0.88) and improves the area under the precision-recall curve by 154% (from 0.13 to 0.32) compared to the baseline. Furthermore, comparative experiments show that the multi-granularity consensus outperforms the state-of-the-art DeepReflect approach. On a curated dataset of labeled malware samples, it reduces false positives by 52% while strictly maintaining the baseline’s 80% true positive rate. To confirm generalization and prevent overfitting, we validate the framework on a large-scale, cross-dataset corpus of 1.3 million functions. In this realistic scenario, the Bifocal Agent increases the Matthews correlation coefficient by 3.1 times and achieves a higher coverage rate while dropping the false positive rate from 45 to 16%.