Saved in:
Bibliographic Details
Main Authors: Ahmed, Muhammad Ejaz, Cody, Christopher, Ikram, Muhammad, Lamont, Sean, Abuadbba, Alsharif, Camtepe, Seyit, Nepal, Surya, Kaafar, Muhammad Ali
Format: Preprint
Published: 2025
Subjects:
Online Access:https://arxiv.org/abs/2509.04887
Tags: Add Tag
No Tags, Be the first to tag this record!
_version_ 1866909771819384832
author Ahmed, Muhammad Ejaz
Cody, Christopher
Ikram, Muhammad
Lamont, Sean
Abuadbba, Alsharif
Camtepe, Seyit
Nepal, Surya
Kaafar, Muhammad Ali
author_facet Ahmed, Muhammad Ejaz
Cody, Christopher
Ikram, Muhammad
Lamont, Sean
Abuadbba, Alsharif
Camtepe, Seyit
Nepal, Surya
Kaafar, Muhammad Ali
contents Malware authors commonly use obfuscation to hide API identities in binary files, making analysis difficult and time-consuming for a human expert to understand the behavior and intent of the program. Automatic API prediction tools are necessary to efficiently analyze unknown binaries, facilitating rapid malware triage while reducing the workload on human analysts. In this paper, we present RINSER (AccuRate API predictioN using maSked languagE model leaRning), an automated framework for predicting Windows API (WinAPI) function names. RINSER introduces the novel concept of API codeprints, a set of API-relevant assembly instructions, and supports x86 PE binaries. RINSER relies on BERT's masked language model (LM) to predict API names at scale, achieving 85.77% accuracy for normal binaries and 82.88% accuracy for stripped binaries. We evaluate RINSER on a large dataset of 4.7M API codeprints from 11,098 malware binaries, covering 4,123 unique Windows APIs, making it the largest publicly available dataset of this type. RINSER successfully discovered 65 obfuscated Windows APIs related to C2 communication, spying, and evasion in our dataset, which the commercial disassembler IDA failed to identify. Furthermore, we compared RINSER against three state-of-the-art approaches, showing over 20% higher prediction accuracy. We also demonstrated RINSER's resilience to adversarial attacks, including instruction randomization and code displacement, with a performance drop of no more than 3%.
format Preprint
id arxiv_https___arxiv_org_abs_2509_04887
institution arXiv
publishDate 2025
record_format arxiv
spellingShingle RINSER: Accurate API Prediction Using Masked Language Models
Ahmed, Muhammad Ejaz
Cody, Christopher
Ikram, Muhammad
Lamont, Sean
Abuadbba, Alsharif
Camtepe, Seyit
Nepal, Surya
Kaafar, Muhammad Ali
Computers and Society
Malware authors commonly use obfuscation to hide API identities in binary files, making analysis difficult and time-consuming for a human expert to understand the behavior and intent of the program. Automatic API prediction tools are necessary to efficiently analyze unknown binaries, facilitating rapid malware triage while reducing the workload on human analysts. In this paper, we present RINSER (AccuRate API predictioN using maSked languagE model leaRning), an automated framework for predicting Windows API (WinAPI) function names. RINSER introduces the novel concept of API codeprints, a set of API-relevant assembly instructions, and supports x86 PE binaries. RINSER relies on BERT's masked language model (LM) to predict API names at scale, achieving 85.77% accuracy for normal binaries and 82.88% accuracy for stripped binaries. We evaluate RINSER on a large dataset of 4.7M API codeprints from 11,098 malware binaries, covering 4,123 unique Windows APIs, making it the largest publicly available dataset of this type. RINSER successfully discovered 65 obfuscated Windows APIs related to C2 communication, spying, and evasion in our dataset, which the commercial disassembler IDA failed to identify. Furthermore, we compared RINSER against three state-of-the-art approaches, showing over 20% higher prediction accuracy. We also demonstrated RINSER's resilience to adversarial attacks, including instruction randomization and code displacement, with a performance drop of no more than 3%.
title RINSER: Accurate API Prediction Using Masked Language Models
topic Computers and Society
url https://arxiv.org/abs/2509.04887