Malware Classification through Abstract Syntax Trees and L-moments

Authors

Anthony J. Rose [*], Air Force Institute of Technology
Christine M. Schubert Kabban, Air Force Institute of Technology
Scott R. Graham, Air Force Institute of TechnologyFollow
Wayne C. Henry, Air Force Institute of TechnologyFollow
Christopher M. Rondeau, Air Force Institute of TechnologyFollow

Document Type

Article

Publication Date

9-11-2024

Abstract

The ongoing evolution of malware presents a formidable challenge to cybersecurity: identifying unknown threats. Traditional detection methods, such as signatures and various forms of static analysis, inherently lag behind these evolving threats. This research introduces a novel approach to malware detection by leveraging the robust statistical capabilities of L-moments and the structural insights provided by Abstract Syntax Trees (ASTs) and applying them to PowerShell. L-moments, recognized for their resilience to outliers and adaptability to diverse distributional shapes, are extracted from network analysis measures like degree centrality, betweenness centrality, and closeness centrality of ASTs. These measures provide a detailed structural representation of code, enabling a deeper understanding of its inherent behaviors and patterns. This approach aims to detect not only known malware but also uncover new, previously unidentified threats. A comprehensive comparison with traditional static analysis methods shows that this approach excels in key performance metrics such as accuracy, precision, recall, and F₁ score. These results demonstrate the significant potential of combining L-moments derived from network analysis with ASTs in enhancing malware detection. While static analysis remains an essential tool in cybersecurity, the integration of L-moments and advanced network analysis offers a more effective and efficient response to the dynamic landscape of cyber threats. This study paves the way for future research, particularly in extending the use of L-moments and network analysis into additional areas.

Comments

© 2024 The Authors.

This article is published by Elseiver, licensed under a Creative Commons Attribution 4.0 International License (CC BY 4.0), which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license, and indicate if changes were made.

Sourced from the published version of record cited below.

This article is scheduled to appear in the January 2025 issue of the journal. The version of record was published online at the publisher's website ahead of the issue.

[*] Author Anthony Rose was an AFIT PhD student at the time of this article.

DOI

10.1016/j.cose.2024.104082

Source Publication

Computers & Security (ISSN 0167-4048)

Recommended Citation

Rose, A. J., Kabban, C. M. S., Graham, S. R., Henry, W. C., & Rondeau, C. M. (2025). Malware classification through Abstract Syntax Trees and L-moments. Computers & Security, 148, 104082. https://doi.org/10.1016/j.cose.2024.104082