FEEBO: An Empirical Evaluation Framework for Malware Behavior Obfuscation

Program obfuscation is increasingly popular among malware creators. Objectively comparing different malware detection approaches with respect to their resilience against obfuscation is challenging. To the best of our knowledge, there is no common empirical framework for evaluating the resilience of malware detection approaches w.r.t. behavior obfuscation. We propose and implement such a framework that obfuscates the observable behavior of malware binaries. To assess the framework’s utility, we use it to obfuscate known malware binaries and then investigate the impact on detection effectiveness of different n-gram based detection approaches. We find that the obfuscation transformations employed by FEEBO significantly affect the precision of such detection approaches. Several n-gram-based approaches can hence be concluded not to be resilient against this simple kind of obfuscation.