Zero-day malware represents a significant threat due to its novel attack vectors. Traditional detection mechanisms, which rely on predefined rules, often fail to identify these unprecedented techniques. Although dynamic analysis can expose malicious activities, most dynamic detection approaches lack the flexibility to detect zero-day malware due to the limited generalizability. In response to these challenges, we introduce a new malware detection engine, DMoE, designed to identify zero-day malware by analyzing behavioral patterns using security knowledge. Since zero-day malware may obscure its malicious activities, DMoE conducts a multi-view examination of behaviors, encompassing API calls, registry modifications, file operations, process interactions, and network communications. DMoE achieves a balance between precision and generalizability during behavior representation: sensitive behavior matching for precision and semantic-aware representations enhanced by security knowledge for generalizability. We propose a heterogeneous Mixture of Experts (MoE) architecture, incorporating both inter-view and intra-view experts, further improving the capacity to represent complex behaviors. Our evaluation of DMoE on a million-scale dataset composed of 11 malware categories demonstrates its superior performance over state-of-the-art methods. Moreover, when deployed an operational threat intelligence platform, DMoE detected over 100 zero-day malware within 2 weeks.

错误:搜索内容不能为空,请输入英文关键词
错误:关键词超出字数限制,请精简
高级检索

DMoE: A Semantic-Aware Engine with Mixture of Experts for Detecting Zero-Day Malware

  • Chenming Yang,
  • Kejiang Ye

摘要

Zero-day malware represents a significant threat due to its novel attack vectors. Traditional detection mechanisms, which rely on predefined rules, often fail to identify these unprecedented techniques. Although dynamic analysis can expose malicious activities, most dynamic detection approaches lack the flexibility to detect zero-day malware due to the limited generalizability. In response to these challenges, we introduce a new malware detection engine, DMoE, designed to identify zero-day malware by analyzing behavioral patterns using security knowledge. Since zero-day malware may obscure its malicious activities, DMoE conducts a multi-view examination of behaviors, encompassing API calls, registry modifications, file operations, process interactions, and network communications. DMoE achieves a balance between precision and generalizability during behavior representation: sensitive behavior matching for precision and semantic-aware representations enhanced by security knowledge for generalizability. We propose a heterogeneous Mixture of Experts (MoE) architecture, incorporating both inter-view and intra-view experts, further improving the capacity to represent complex behaviors. Our evaluation of DMoE on a million-scale dataset composed of 11 malware categories demonstrates its superior performance over state-of-the-art methods. Moreover, when deployed an operational threat intelligence platform, DMoE detected over 100 zero-day malware within 2 weeks.