A cross-architecture malware detection approach based on intermediate representation

Greco C.; Ianni M.
2025-01-01

Abstract

Detecting malware across diverse architectures and evasion techniques has become a critical challenge as modern malware increasingly targets non-traditional platforms such as IoT devices. Traditional signature-based approaches, which rely on architecture-specific bytecode patterns, often fail when malware is recompiled for different platforms or obfuscated to evade detection. In this paper, we propose a novel framework for cross-architecture, signature-based malware detection. Our approach leverages Intermediate Representation (IR) to identify malicious behaviors in a platform-independent manner. By matching higher-level patterns in the IR, our framework generates signatures capable of detecting malware across multiple architectures and resisting common obfuscation techniques. The proposed framework adopts the YARA syntax, a widely used tool for malware detection, while introducing custom high-level primitives that abstract complex IR constructs. These primitives simplify the rule-writing process, enabling more efficient and precise signature creation. Additionally, we discuss the limitations of current approaches and demonstrate how our framework advances the state of the art in signature-based malware detection.
2025
Cross-architecture malware detection
Intermediate representation
Signature scanning
Static analysis
Files for this item:
There are no files associated with this item.

Documents in IRIS are protected by copyright and all rights are reserved, unless otherwise indicated.

Use this identifier to cite or link to this document: https://hdl.handle.net/20.500.11770/386019
Warning! The data shown has not been validated by the university.

Citations
  • PMC: not available
  • Scopus: 1
  • ISI: 1