Please use this identifier to cite or link to this item: https://hdl.handle.net/20.500.11851/12700
Title: Enhancing Dynamic Malware Behavior Analysis Through Novel Windows Events With Machine Learning
Authors: Onal, Goksun
Guven, Mesut
Keywords: Malware
Feature Extraction
Codes
Static Analysis
Accuracy
Pipelines
Real-Time Systems
Deep Learning
Computer Crime
Analytical Models
Cyber Security
Behavioral Malware Analysis
Sandbox
Feature Engineering
Windows Event Logs
Machine Learning
Publisher: IEEE-Inst Electrical Electronics Engineers Inc.
Abstract: Malware analysis involves studying harmful software to understand its behavior and find ways to detect and prevent it. As cyberattacks become more advanced, this process becomes increasingly important for safeguarding systems and data. Traditional methods in malware analysis often rely on examining the code itself, which can miss malicious actions that only occur during execution. This study addresses this limitation by combining the dynamic observation of malware behavior with an innovative use of Windows Event Logs, a detailed system data source, as input. During the study, a secure environment was created to safely execute malware, collect input, and provide valuable information on how malicious software interacts with systems. New methods were developed to extract meaningful information from the logs, which were then used to train machine-learning models capable of accurately distinguishing malware from legitimate programs. By demonstrating the untapped potential of Windows Event Logs, this study offers new tools to improve real-time malware detection and enhance cybersecurity. On a dataset of approximately 7000 Windows executable files, roughly sixty percent benign and forty percent malware, the log-feature MLP reached 91.2% accuracy with a 1.6-point standard deviation across five folds and achieved a ROC-AUC of 0.962 +/- 0.009 on an unseen hold-out set.
URI: https://doi.org/10.1109/ACCESS.2025.3604979
https://hdl.handle.net/20.500.11851/12700
ISSN: 2169-3536
Appears in Collections: Scopus İndeksli Yayınlar Koleksiyonu / Scopus Indexed Publications Collection
WoS İndeksli Yayınlar Koleksiyonu / WoS Indexed Publications Collection
Items in GCRIS Repository are protected by copyright, with all rights reserved, unless otherwise indicated.