City Research Online

Explaining Black-Box Malware Detectors: A Machine Learning Approach for Behaviour Analysis

Brozik, A., Gashi, I. ORCID: 0000-0002-8017-3184 & Salako, K. ORCID: 0000-0003-0394-7833 (2024). Explaining Black-Box Malware Detectors: A Machine Learning Approach for Behaviour Analysis. Paper presented at the European Dependable Computing Conference, 8-11 Apr 2025, Lisbon, Portugal.

Abstract

The escalating complexity and diversity of malware threats present a significant challenge to the cybersecurity domain. Dynamic malware detection methods developed to combat these threats are often complex, black-box systems. This paper proposes a machine learning method for approximating and analyzing black-box malware detectors without privileged access, using only the malware executables and their detection outputs.

Our solution leverages a pre-trained model optimized to interpret Windows API call sequences. Employing a student-teacher learning strategy, the model learns the behaviour of Windows malware detectors, requiring only samples of malicious and benign executables, along with the detector’s output for each sample. We validate the effectiveness of our solution by approximating an artificial black-box detector with known behaviour patterns. Furthermore, we propose an evaluation method to compare the behaviour patterns of the black-box and student models.

Our experiments demonstrate these capabilities, achieving a 95% accuracy rate approximating our artificial black-box detector with a small number of training samples.

Publication Type: Conference or Workshop Item (Paper)
Additional Information: © 2025 IEEE. Personal use of this material is permitted. Permission from IEEE must be obtained for all other uses, in any current or future media, including reprinting/republishing this material for advertising or promotional purposes, creating new collective works, for resale or redistribution to servers or lists, or reuse of any copyrighted component of this work in other works.
Subjects: Q Science > QA Mathematics > QA75 Electronic computers. Computer science
Departments: School of Science & Technology
School of Science & Technology > Computer Science
Full Text: Accepted Version (PDF, 502kB)
