DEVELOPMENT OF A MULTIDIMENSIONAL FACETED TAXONOMY OF MALWARE OBFUSCATION TECHNIQUES

Authors

DOI:

https://doi.org/10.28925/2663-4023.2026.33.1254

Keywords:

malware obfuscation, faceted taxonomy, anti-analysis techniques, behavioural invariance, classification scheme, malware detection, Nickerson methodology, multidimensional classification, malware

Abstract

The article addresses the problem of systematising malware obfuscation techniques, which is complicated by the structural limitations of existing classification schemes in the field and the absence of an integrated approach to describing classical obfuscation techniques and anti-analysis techniques. In this work, obfuscation is understood in a broad sense, encompassing both classical obfuscation techniques and anti-analysis techniques, united by the common purpose of concealing the malicious behaviour of a program from analytical tools. Classical and modern obfuscation taxonomies are analysed, and common systemic limitations are identified: the inability to describe multi-aspect techniques by several independent characteristics simultaneously, the absence of an integrated approach to classical obfuscation techniques and anti-analysis techniques, and the construction of existing schemes without the application of a formal taxonomy development method. The goal of the work is to develop a multidimensional faceted taxonomy of malware obfuscation techniques that eliminates the identified limitations. To achieve this goal, the taxonomy development method of Nickerson, Varshney and Muntermann is applied, alternating empirical-to-conceptual and conceptual-to-empirical iterations. The result is a faceted taxonomy with five independent dimensions: the level of observability, the scope of impact, the mechanism of transformation, the phase of effect manifestation, and behavioural invariance. The proposed taxonomy is applied to 16 representative obfuscation techniques of contemporary malware. The behavioural invariance dimension is proposed separately; it operationally distinguishes classical obfuscation techniques from anti-analysis techniques and integrates these two directions of concealment techniques into a common classification framework while preserving the structural distinction between them. The proposed taxonomy provides a methodological basis for the systematisation of obfuscation techniques and the design of detection systems for obfuscated malware.

References

AV-TEST Institute. (2025). Malware statistics & trends report (2024-2025). https://www.av-test.org/en/statistics/malware/

MITRE. (n.d.). Obfuscated files or information (Technique T1027). MITRE ATT&CK® Framework. https://attack.mitre.org/techniques/T1027/

Brezinski, K., & Ferens, K. (2023). Metamorphic malware and obfuscation: A survey of techniques, variants, and generation kits. Security and Communication Networks, 2023, Article 8227751, 1-41. https://doi.org/10.1155/2023/8227751

Galloro, N., Polino, M., Carminati, M., Continella, A., & Zanero, S. (2022). A systematical and longitudinal study of evasive behaviors in Windows malware. Computers & Security, 113, 102550. https://doi.org/10.1016/j.cose.2021.102550

Collberg, C., Thomborson, C., & Low, D. (1997). A taxonomy of obfuscating transformations (Technical Report No. 148). Department of Computer Science, The University of Auckland. https://researchspace.auckland.ac.nz/handle/2292/3491

Afianian, A., Niksefat, S., Sadeghiyan, B., & Baptiste, D. (2019). Malware dynamic analysis evasion techniques: A survey. ACM Computing Surveys, 52(6), Article 126, 1-28. https://doi.org/10.1145/3365001

Nickerson, R. C., Varshney, U., & Muntermann, J. (2013). A method for taxonomy development and its application in information systems. European Journal of Information Systems, 22(3), 336-359. https://doi.org/10.1057/ejis.2012.26

You, I., & Yim, K. (2010). Malware obfuscation techniques: A brief survey. In Proceedings of the 2010 International Conference on Broadband, Wireless Computing, Communication and Applications (BWCCA 2010) (pp. 297-300). IEEE. https://doi.org/10.1109/BWCCA.2010.85

Opirskyi, I., Dzioban, T., & Vasylyshyn, S. (2025). Bypassing EDR in combination with SIEM: Analysis of methods for hiding attacks in logs – A study of tactics used by attackers to avoid detection. Cybersecurity: Education, Science, Technique, 1(29), 8-26. https://doi.org/10.28925/2663-4023.2025.29.865

Xu, H., Zhou, Y., Ming, J., & Lyu, M. (2020). Layered obfuscation: A taxonomy of software obfuscation techniques for layered security. Cybersecurity, 3, Article 9. https://doi.org/10.1186/s42400-020-00049-3

Aboaoja, F. A., Zainal, A., Ghaleb, F. A., Al-Rimy, B. A. S., Eisa, T. A. E., & Elnour, A. A. H. (2022). Malware detection issues, challenges, and future directions: A survey. Applied Sciences, 12(17), 8482. https://doi.org/10.3390/app12178482

Asghar, H. J., Zhao, B. Z. H., Ikram, M., Nguyen, G., Kaafar, D., Lamont, S., & Coscia, D. (2024). Use of cryptography in malware obfuscation. Journal of Computer Virology and Hacking Techniques, 20(1), 135-152. https://doi.org/10.1007/s11416-023-00504-y

Park, J., Jang, Y.-H., Hong, S., & Park, Y. (2019). Automatic detection and bypassing of anti-debugging techniques for Microsoft Windows environments. Advances in Electrical and Computer Engineering, 19(2), 23-28. https://doi.org/10.4316/AECE.2019.02003

Carrier, T., Victor, P., Tekeoglu, A., & Lashkari, A. H. (2022). Detecting obfuscated malware using memory feature engineering. In P. Mori, G. Lenzini, & S. Furnell (Eds.), Proceedings of the 8th International Conference on Information Systems Security and Privacy (ICISSP 2022) (Vol. 1, pp. 177-188). SCITEPRESS. https://doi.org/10.5220/0010908200003120

Geng, J., Wang, J., Fang, Z., Zhou, Y., Wu, D., & Ge, W. (2024). A survey of strategy-driven evasion methods for PE malware: Transformation, concealment, and attack. Computers & Security, 137, 103595. https://doi.org/10.1016/j.cose.2023.103595

Alkhateeb, E., Ghorbani, A., & Habibi Lashkari, A. (2024). A survey on run-time packers and mitigation techniques. International Journal of Information Security, 23(2), 887-913. https://doi.org/10.1007/s10207-023-00759-y

Alkhateeb, E., Ghorbani, A., & Habibi Lashkari, A. (2024). Identifying malware packers through multilayer feature engineering in static analysis. Information, 15(2), 102. https://doi.org/10.3390/info15020102

Kundisch, D., Muntermann, J., Oberländer, A. M., Rau, D., Röglinger, M., Schoormann, T., & Szopinski, D. (2022). An update for taxonomy designers: Methodological guidance from information systems research. Business & Information Systems Engineering, 64(4), 421-439. https://doi.org/10.1007/s12599-021-00723-x

De Sutter, B., Schrittwieser, S., Coppens, B., & Kochberger, P. (2025). Evaluation methodologies in software protection research. ACM Computing Surveys, 57(4), Article 86, 1-41. https://doi.org/10.1145/3702314

Muralidharan, T., Cohen, A., Gerson, N., & Nissim, N. (2022). File packing from the malware perspective: Techniques, analysis approaches, and directions for enhancements. ACM Computing Surveys, 55(5), Article 108, 1-45. https://doi.org/10.1145/3530810

Published

2026-06-25

How to Cite

Chetvertukha, N., & Otenko, V. (2026). DEVELOPMENT OF A MULTIDIMENSIONAL FACETED TAXONOMY OF MALWARE OBFUSCATION TECHNIQUES. Electronic Professional Scientific Journal «Cybersecurity: Education, Science, Technique», 1(33), 683–696. https://doi.org/10.28925/2663-4023.2026.33.1254