Dynamic Malware Analysis and Model Interpretability: Leveraging Hierarchical Multiple Instance Learning for Enhanced Cybersecurity
摘要
Dynamic malware analysis is crucial for understanding and countering emerging cybersecurity threats. This work presents a novel methodology for analyzing portable executable (PE) files using dynamic analysis techniques. By leveraging the CAPEv2 sandbox, the processes of malware sample collection, distributed execution, and result aggregation were fully automated. The Hierarchical Multiple Instance Learning (HMill) framework was employed to model the relationships between malware signatures and behavioral attributes extracted from sandbox-generated JSON reports. An analysis of 80,000 samples revealed significant signatures and behavioral traits. Moreover, binary classification models for twelve signatures achieved over 90% balanced accuracy in nine cases, thereby improving model interpretability. Finally, key predictive features were distilled using Banzhaf values and minimal subtree selection. These findings enhance the understanding of malware behavior and highlight the importance of model transparency for cybersecurity compliance.