A Unified Malicious Documents Detection Model Based on Two Layers of Abstraction.

HPCC/SmartCity/DSS(2019)

Abstract
Due to the ever-increasing number of attacks using malicious documents, the detection of such documents has become a serious and urgent research issue. In the past decade, detection of malicious documents has attracted significant research attention, and many methods have been proposed, including conventional static detection methods and dynamic detection methods. However, both categories of methods have limitations under either obfuscated or run-time conditions, and cannot achieve satisfactory detection performance for malicious behaviors. In this work, we first present a new descriptive structure of our targeted documents, using a two-layer abstraction comprising the structure and the scripting language. We then propose a unified model for malicious document detection based on these two layers of abstraction. A series of experiments on a real-world data set with 20,000 samples shows that our proposed model achieves better detection performance than the Hidost model on all four indicators simultaneously: accuracy, precision, recall, and AUC.
Keywords
Malicious Documents Detection, Unified Detection Model, Abstraction, PDF Documents, Office Documents