Abstract
The accuracy of Artificial Intelligence (AI) in malware detection depends on the features it is trained with, and the quality and authenticity of those features depend on the dataset and the analysis tool. Evasive malware, which alters its behavior in analysis environments, is challenging to extract authentic features from, and the widely used static and dynamic analysis tools have several limitations in this respect. Dynamic Binary Instrumentation (DBI), however, allows deep and precise control of the malware sample, thereby facilitating the extraction of authentic behavior from evasive malware. Considering the limitations of malware analysis for use with AI, this research had two primary objectives: investigation of the evasive techniques used by modern malware and the creation of Peekaboo, a DBI tool to extract authentic data from live Windows malware samples. Peekaboo instruments and defeats evasive techniques that target analysis tools and virtual environments. A dataset of 20,500 samples was assembled, and each sample was run for up to 15 min to observe not only the anti-analysis techniques used but also its complete behavior. Peekaboo outperforms other tools on several fronts: it is the only tool to measure start and completion rates, capture the executed Assembly (ASM) instructions and record all network traffic, and it implements the largest coverage against evasive techniques.
Document Type
Journal Article
Date of Publication
12-1-2025
Volume
95
Publication Title
Journal of Information Security and Applications
Publisher
Elsevier
School
School of Science
RAS ID
84431
Creative Commons License
This work is licensed under a Creative Commons Attribution-Noncommercial 4.0 License
Comments
Gaber, M., Ahmed, M., & Janicke, H. (2025). Defeating evasive malware with Peekaboo: Extracting authentic malware behavior with dynamic binary instrumentation. Journal of Information Security and Applications, 95, 104290. https://doi.org/10.1016/j.jisa.2025.104290