Open Access iconOpen Access



Byte-Level Function-Associated Method for Malware Detection

Jingwei Hao*, Senlin Luo, Limin Pan

Information System & Security and Countermeasures Experiments Center, Beijing Institute of Technology, Beijing, 100081, China

* Corresponding Author: Jingwei Hao. Email: email

Computer Systems Science and Engineering 2023, 46(1), 719-734.


The byte stream is widely used in malware detection due to its independence of reverse engineering. However, existing methods based on the byte stream implement an indiscriminate feature extraction strategy, which ignores the byte function difference in different segments and fails to achieve targeted feature extraction for various byte semantic representation modes, resulting in byte semantic confusion. To address this issue, an enhanced adversarial byte function associated method for malware backdoor attack is proposed in this paper by categorizing various function bytes into three functions involving structure, code, and data. The Minhash algorithm, grayscale mapping, and state transition probability statistics are then used to capture byte semantics from the perspectives of text signature, spatial structure, and statistical aspects, respectively, to increase the accuracy of byte semantic representation. Finally, the three-channel malware feature image is constructed based on different function byte semantics, and a convolutional neural network is applied for detection. Experiments on multiple data sets from 2018 to 2021 show that the method can effectively combine byte functions to achieve targeted feature extraction, avoid byte semantic confusion, and improve the accuracy of malware detection.


Cite This Article

J. Hao, S. Luo and L. Pan, "Byte-level function-associated method for malware detection," Computer Systems Science and Engineering, vol. 46, no.1, pp. 719–734, 2023.

cc This work is licensed under a Creative Commons Attribution 4.0 International License , which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.
  • 844


  • 328


  • 0


Share Link