Prompt Engineering-assisted Malware Dynamic Analysis Using GPT-4 (2312.08317v1)
Abstract: Dynamic analysis methods effectively identify packed (shelled), wrapped, or obfuscated malware, thereby preventing it from invading computers. As a significant representation of dynamic malware behavior, the API (Application Programming Interface) sequence, comprised of consecutive API calls, has progressively become the dominant feature of dynamic analysis methods. Though there have been numerous deep learning models for malware detection based on API sequences, the quality of the API call representations produced by those models is limited. These models cannot generate representations for unknown API calls, which weakens both detection performance and generalization. Further, the concept drift phenomenon of API calls is prominent. To tackle these issues, we introduce a prompt engineering-assisted malware dynamic analysis using GPT-4. In this method, GPT-4 is employed to create explanatory text for each API call within the API sequence. Afterward, the pre-trained LLM BERT is used to obtain the representation of the text, from which we derive the representation of the API sequence. Theoretically, this proposed method is capable of generating representations for all API calls, without requiring dataset training during the generation process. Using this representation, a CNN-based detection model is designed to extract features. We adopt five benchmark datasets to validate the performance of the proposed model. The experimental results reveal that the proposed detection algorithm performs better than the state-of-the-art method (TextCNN). Specifically, in cross-database experiments and few-shot learning experiments, the proposed model achieves excellent detection performance and almost a 100% recall rate for malware, verifying its superior generalization performance. The code is available at: github.com/yan-scnu/Prompted_Dynamic_Detection.
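The pipeline the abstract describes (explanatory text per API call, a text encoder over that explanation, a sequence representation, then a classifier) can be sketched end to end in a few dozen lines. The following is an added illustration, not code from the paper or from its repository. It replaces GPT-4 with a constructed dictionary of one-sentence explanations plus a CamelCase fallback, replaces BERT with a bag-of-words encoder, and replaces the CNN with a nearest-centroid classifier; the API names, explanations, training sequences and labels are all constructed for the example. What it does show is the property the abstract emphasises: an API name absent from training data still gets a usable representation through its text, whereas a lookup table keyed by API name has nothing to return for it.

```python
import re
import math
from collections import Counter

# Constructed stand-in for the explanatory text GPT-4 produces per API call in the paper.
# These sentences are placeholders written for this example, not the paper's prompts or outputs.
API_EXPLANATIONS = {
    "CreateFileW": "creates or opens a file or device and returns a handle",
    "WriteFile": "writes data to a file or device through an open handle",
    "ReadFile": "reads data from a file or device through an open handle",
    "RegOpenKeyExW": "opens a registry key so its values can be read or modified",
    "RegSetValueExW": "sets the data of a value under an open registry key",
    "VirtualAllocEx": "reserves or commits memory in the address space of another process",
    "WriteProcessMemory": "writes data to memory in the address space of another process",
    "CreateRemoteThread": "creates a thread that runs in the address space of another process",
}

STOPWORDS = {"a", "an", "the", "of", "or", "and", "to", "in", "so", "its",
             "can", "be", "that", "through", "from"}


def explain_api(name):
    """Return explanatory text for an API name.

    Known names use the placeholder dictionary; an API the dictionary has never seen
    falls back to its CamelCase parts. That is the property the paper relies on: every
    API call yields some descriptive text, so no call is out-of-vocabulary.
    """
    if name in API_EXPLANATIONS:
        return API_EXPLANATIONS[name]
    parts = re.findall(r"[A-Z][a-z]*|[a-z]+|[0-9]+", name)
    return " ".join(parts).lower()


def embed_text(text):
    """Crude text encoder standing in for BERT: a bag of lightly stemmed tokens."""
    vec = Counter()
    for tok in re.findall(r"[a-z]+", text.lower()):
        if tok in STOPWORDS:
            continue
        if len(tok) >= 4 and tok.endswith("s") and not tok.endswith("ss"):
            tok = tok[:-1]  # writes -> write, values -> value; keeps process/address
        vec[tok] += 1
    return vec


def sequence_matrix(api_sequence):
    """One vector per call, in order: the shape a CNN (as in the paper) would consume."""
    return [embed_text(explain_api(api)) for api in api_sequence]


def sequence_representation(api_sequence):
    """Mean-pool the per-call vectors into one sequence vector (a simplification of the CNN)."""
    total = Counter()
    for vec in sequence_matrix(api_sequence):
        total.update(vec)
    n = len(api_sequence)
    return {tok: count / n for tok, count in total.items()}


def cosine(u, v):
    dot = sum(u[t] * v.get(t, 0.0) for t in u)
    nu = math.sqrt(sum(x * x for x in u.values()))
    nv = math.sqrt(sum(x * x for x in v.values()))
    return dot / (nu * nv) if nu and nv else 0.0


def lookup_representation(api_sequence, vocab):
    """Baseline: an embedding table keyed by API name cannot represent an unseen call."""
    if any(api not in vocab for api in api_sequence):
        return None  # the out-of-vocabulary gap the text-based approach avoids
    return Counter(api_sequence)


# Constructed training sequences; the labels are illustrative, not from any dataset.
TRAIN = [
    (["CreateFileW", "WriteFile", "ReadFile"], "benign"),
    (["RegOpenKeyExW", "RegSetValueExW", "CreateFileW"], "benign"),
    (["VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread"], "malware"),
    (["CreateFileW", "VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread"], "malware"),
]
TRAIN_VOCAB = {api for seq, _ in TRAIN for api in seq}


def build_prototypes(train):
    """Nearest-centroid classifier standing in for the paper's CNN detector."""
    protos = {}
    for seq, label in train:
        proto = protos.setdefault(label, Counter())
        for tok, val in sequence_representation(seq).items():
            proto[tok] += val
    return protos


def classify(api_sequence, protos):
    rep = sequence_representation(api_sequence)
    return max(protos, key=lambda label: cosine(rep, protos[label]))


if __name__ == "__main__":
    prototypes = build_prototypes(TRAIN)
    # A sequence containing an API name that never appears in the training data.
    unseen = ["VirtualAllocEx", "NtWriteVirtualMemory", "CreateRemoteThread"]
    print("lookup baseline:", lookup_representation(unseen, TRAIN_VOCAB))
    print("text-based verdict:", classify(unseen, prototypes))
```

The mean pooling in `sequence_representation` discards call order; the paper instead feeds the per-call matrix (`sequence_matrix` here) to a CNN, which is where order and local patterns are recovered. Replacing `embed_text` with a real sentence encoder and `explain_api` with an LLM call changes nothing structurally, which is the point of the design: the detector never needs an embedding row per API name.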