Danish Vasan,Mamoun Alazab,Sobia Wassan,Hamad Naeem,Babak Safaei,Qin Zheng

DOI: https://doi.org/10.1016/j.comnet.2020.107138

IF: 5.493

2020-01-01

Computer Networks

Abstract:The volume, type, and sophistication of malware is increasing. Deep convolutional neural networks (CNNs) have lately proven their effectiveness in malware binary detection through image classification. In this paper, we propose a novel classifier to detect variants of malware families and improve malware detection using CNN-based deep learning architecture, called IMCFN (Image-based Malware Classification using Fine-tuned Convolutional Neural Network Architecture). Differing from existing solutions, we propose a new method for multiclass classification problems. Our proposed method converts the raw malware binaries into color images that are used by the fine-tuned CNN architecture to detect and identify malware families. Our method previously trained with the ImageNet dataset (≥10 million) and utilized the data augmentation to handle the imbalance dataset during the fine-tuning process. For evaluations, an extensive experiment was conducted using 2 datasets: Malimg malware dataset (9,435 samples), and IoT- android mobile dataset (14,733 malware and 2,486 benign samples). Empirical evidence has shown that the IMCFN stands out among the deep learning models including other CNN models with an accuracy of 98.82% in Malimg malware dataset and more than 97.35% for IoT-android mobile dataset. Furthermore, it demonstrates that colored malware dataset performed better in terms of accuracy than grayscale malware images. We compared the performance of IMCFN with the three architectures VGG16, ResNet50 and Google's InceptionV3. We found that our method can effectively detect hidden code, obfuscated malware and malware family variants with little run-time. Our method is resilient to straight forward obfuscation technique commonly used by hackers to disguise malware such as encryption and packing.

Sanjeev Kumar,B. Janet,Subramanian Neelakantan

DOI: https://doi.org/10.1016/j.comcom.2023.12.036

IF: 5.047

2024-02-01

Computer Communications

Abstract:Traditional malware detection systems based on signature-based detection methods cannot detect new and unseen malware. Moreover, conventional machine learning methods for malware detection have utilized features extracted through static program analysis or dynamic analysis, which requires code debugging and execution primarily through offline processing; hence not a scalable approach. This paper proposes a novel intelligent malware classification using a deep convolution neural network (IMCNN) in organizational networks enabled with Honeypots. Systematic customization of pre-trained convolutional neural networks(CNN) as a transfer learning and ensemble learning as a classification is presented to detect intelligent modern-day malware. Real-world malware samples are systematically labeled and visualized into grayscale images. Four cutting-edge deep CNN models - VGG16, VGG19, InceptionV3, and ResNet50, are trained on the ImageNet database ( ≥ 1 million) and fine-tuned as feature extractors along with a basic CNN model. Three strategies are designed for feature extraction and selection: Rectified linear unit (ReLU) fully connected layer embedded in a deep CNN model, principal component analysis (PCA), and singular value decomposition(SVD). Reduced sets of features are stacked and used to train k-nearest neighbor (k-NN), support vector machine (SVM), and random forest (RF) classifiers for predictions. Subsequently, the predictive probabilities of different machine-learned models are ensembled using a soft voting method for final classification. The proposed method is evaluated on MalImg datasets (9339 malware samples of 25 families) and real-world modern malware datasets (690 malware of 22 families). The experimental results reveal that despite using a reduced feature set, the IMCNN effectively detects malware with 99.36% test accuracy on unseen data for MalImg datasets and 92.11% for real-world malware. In addition, the proposed method is compared with several existing state-of-art malware detection models in terms of performance accuracy and found performing as the best. Experiments demonstrated that the proposed method is resilient to polymorphic code obfuscation used by the malware authors.

computer science, information systems,telecommunications,engineering, electrical & electronic

Zilin Zhao,Dawei Zhao,Shumian Yang,Lijuan Xu

DOI: https://doi.org/10.1155/2023/6390023

IF: 1.968

2023-04-19

Security and Communication Networks

Abstract:In recent years, malware has experienced explosive growth and has become one of the most severe security threats. However, feature engineering easily restricts the traditional machine learning methods-based malware classification and is hard to deal with massive malware. At the same time, the dynamic analysis methods have the problems of complex operation and high cost, which are not suitable for efficiently classifying large quantities of malware. Therefore, we propose a novel static malware detection method based on this study's AlexNet convolutional neural network (CNN). Unlike existing solutions, we convert all malware bytes into color images, propose an improved AlexNet architecture, and solve the unbalanced datasets with the data enhancement method. Extensive experiments are performed using the Microsoft malware dataset and the Google Code Jam (GCJ) dataset. The experimental results show that the accuracy of the Microsoft malware dataset reaches 99.99%, and the GCJ dataset reaches 99.38%. We also verify that our method can better extract the texture features of malware and improve the accuracy and detection efficiency.

computer science, information systems,telecommunications

Dandan Zhang,Yafei Song,Qian Xiang,Yang Wang

DOI: https://doi.org/10.1016/j.aej.2024.10.055

IF: 6.626

2025-01-01

Alexandria Engineering Journal

Abstract:Rapid and accurate identification of unknown malware and its variants is the premise and basis for the effective prevention of malicious attacks. However, with the explosive growth of malware variants, the efficiency of manual updating of the sample database is getting worse and worse. It is difficult for the traditional identification methods to effectively capture the sample feature information operated by the confusion method only based on the delayed database information. The research into the direction of malware detection is dedicated to surmounting the limitations of conventional detection methodologies, and delves deeply into the application of cutting-edge technologies such as data visualization, machine learning, and hybrid detection within the realm of malware detection. Through these investigations, our goal is to construct a detection system that is both more precise and efficient, capable of addressing the ever-evolving threats to cybersecurity. Pursuing research in this direction is not only vital for enhancing network security defenses and safeguarding user data, but it will also foster the advancement of related state-of-the-art technologies and further mitigate the economic and societal repercussions of malware attacks. In light of this issue, this paper proposes the Image-based Malware Classification with Multi-scale Kernels (IMCMK), a Convolutional Neural Network (CNN) architecture using multi-scale convolution kernels mixing action to improve malware variants detection capabilities. First, we propose the Multi-scale Kernels (MK) block combining deep large kernel convolution and standard small kernel convolution with shortcuts to improve the accuracy. Furthermore, we propose Multi-scale Kernel Fusion (MKF) to reduce the number of parameters that come with the large kernels. The improved Squeeze-and-Excitation (SE) block can obtain the correlation between different channels to further increase the model performance. Experimental results show that IMCMK outperforms the state-of-the-art methods in malware family classification accuracy, which has achieved 99.25 %.

Anil Singh Parihar,Shashank Kumar,Savya Khosla

DOI: https://doi.org/10.1007/s11042-022-12615-7

IF: 2.577

2022-04-08

Multimedia Tools and Applications

Abstract:Malware classification continues to be exceedingly difficult due to the exponential growth in the number and variants of malicious files. It is crucial to classify malicious files based on their intent, activity, and threat to have a robust malware protection and post-attack recovery system in place. This paper proposes a novel deep learning-based model, S-DCNN, to classify malware binary files into their respective malware families efficiently. S-DCNN uses the image-based representation of the malware binaries and leverages the concepts of transfer learning and ensemble learning. The model incorporates three deep convolutional neural networks, namely ResNet50, Xception, and EfficientNet-B4. The ensemble technique is used to combine these component models’ predictions and a multilayered perceptron is used as a meta classifier. The ensemble technique fuses the diverse knowledge of the component models, resulting in high generalizability and low variance of the S-DCNN. Further, it eliminates the use of feature engineering, reverse engineering, disassembly, and other domain-specific techniques earlier used for malware classification. To establish S-DCNN’s robustness and generalizability, the performance of proposed model is evaluated on the Malimg dataset, a dataset collected from VirusShare, and packed malware dataset counterparts of both Malimg and VirusShare datasets. The proposed method achieves a state-of-the-art 10-fold accuracy of 99.43% on the Malimg dataset and an accuracy of 99.65% on the VirusShare dataset.

computer science, information systems, theory & methods,engineering, electrical & electronic, software engineering

Atharva Khadilkar,Mark Stamp

2024-12-12

Abstract:In recent years, the use of image-based techniques for malware detection has gained prominence, with numerous studies demonstrating the efficacy of deep learning approaches such as Convolutional Neural Networks (CNN) in classifying images derived from executable files. In this paper, we consider an innovative method that relies on an image conversion process that consists of transforming features extracted from executable files into QR and Aztec codes. These codes capture structural patterns in a format that may enhance the learning capabilities of CNNs. We design and implement CNN architectures tailored to the unique properties of these codes and apply them to a comprehensive analysis involving two extensive malware datasets, both of which include a significant corpus of benign samples. Our results yield a split decision, with CNNs trained on QR and Aztec codes outperforming the state of the art on one of the datasets, but underperforming more typical techniques on the other dataset. These results indicate that the use of QR and Aztec codes as a form of feature engineering holds considerable promise in the malware domain, and that additional research is needed to better understand the relative strengths and weaknesses of such an approach.

Cryptography and Security,Machine Learning

Ferhat Ozgur Catak,Javed Ahmed,Kevser Sahinbas,Zahid Hussain Khand

DOI: https://doi.org/10.7717/peerj-cs.346

2021-01-22

Abstract:Due to advancements in malware competencies, cyber-attacks have been broadly observed in the digital world. Cyber-attacks can hit an organization hard by causing several damages such as data breach, financial loss, and reputation loss. Some of the most prominent examples of ransomware attacks in history are WannaCry and Petya, which impacted companies' finances throughout the globe. Both WannaCry and Petya caused operational processes inoperable by targeting critical infrastructure. It is quite impossible for anti-virus applications using traditional signature-based methods to detect this type of malware because they have different characteristics on each contaminated computer. The most important feature of this type of malware is that they change their contents using their mutation engines to create another hash representation of the executable file as they propagate from one computer to another. To overcome this method that attackers use to camouflage malware, we have created three-channel image files of malicious software. Attackers make different variants of the same software because they modify the contents of the malware. In the solution to this problem, we created variants of the images by applying data augmentation methods. This article aims to provide an image augmentation enhanced deep convolutional neural network (CNN) models for detecting malware families in a metamorphic malware environment. The main contributions of the article consist of three components, including image generation from malware samples, image augmentation, and the last one is classifying the malware families by using a CNN model. In the first component, the collected malware samples are converted into binary file to 3-channel images using the windowing technique. The second component of the system create the augmented version of the images, and the last part builds a classification model. This study uses five different deep CNN model for malware family detection. The results obtained by the classifier demonstrate accuracy up to 98%, which is quite satisfactory.

Ahmed Bensaoud,Nawaf Abudawaood,Jugal Kalita

DOI: https://doi.org/10.6633/IJNS.202011_22%286%29.17

2020-10-30

Abstract:Due to increasing threats from malicious software (malware) in both number and complexity, researchers have developed approaches to automatic detection and classification of malware, instead of analyzing methods for malware files manually in a time-consuming effort. At the same time, malware authors have developed techniques to evade signature-based detection techniques used by antivirus companies. Most recently, deep learning is being used in malware classification to solve this issue. In this paper, we use several convolutional neural network (CNN) models for static malware classification. In particular, we use six deep learning models, three of which are past winners of the ImageNet Large-Scale Visual Recognition Challenge. The other three models are CNN-SVM, GRU-SVM and MLP-SVM, which enhance neural models with support vector machines (SVM). We perform experiments using the Malimg dataset, which has malware images that were converted from Portable Executable malware binaries. The dataset is divided into 25 malware families. Comparisons show that the Inception V3 model achieves a test accuracy of 99.24%, which is better than the accuracy of 98.52% achieved by the current state-of-the-art system called the M-CNN model.

Cryptography and Security,Computer Vision and Pattern Recognition

Moses Ashawa,Nsikak Owoh,Salaheddin Hosseinzadeh,Jude Osamor

DOI: https://doi.org/10.3390/electronics13204081

IF: 2.9

2024-10-18

Electronics

Abstract:As malware samples grow in complexity and employ advanced evasion techniques, traditional detection methods are insufficient for accurately classifying large volumes of sophisticated malware variants. To address this issue, image-based malware classification techniques leveraging machine learning algorithms have been developed as a more optimal solution to this challenge. However, accurately classifying content distribution-based features with unique pixel intensities from grayscale images remains a challenge. This paper proposes an enhanced image-based malware classification system using convolutional neural networks (CNNs) using ResNet-152 and vision transformer (ViT). The two architectures are then compared to determine their classification abilities. A total of 6137 benign files and 9861 malicious executables are converted from text files to unsigned integers and then to images. The ViT examined unsigned integers as pixel values, while ResNet-152 converted the pixel values into floating points for classification. The result of the experiments demonstrates a high-performance accuracy of 99.62% with effective hyperparameters of 10-fold cross-validation. The findings indicate that the proposed model is capable of being implemented in dynamic and complex malware environments, achieving a practical computational efficiency of 47.2 s for the identification and classification of new malware samples.

engineering, electrical & electronic,computer science, information systems,physics, applied

Binayak Panda,Sudhanshu Shekhar Bisoyi,Sidhanta Panigrahy

DOI: https://doi.org/10.7717/peerj-cs.1677

2023-11-14

Abstract:Dependence on the internet and computer programs demonstrates the significance of computer programs in our day-to-day lives. Such demands motivate malware developers to create more malware, both in terms of quantity and variety. Researchers are constantly faced with hurdles while attempting to protect themselves from potential hazards and risks due to malware authors' usage of code obfuscation techniques. Metamorphic and polymorphic variations are easily able to elude the widely utilized signature-based detection procedures. Researchers are more interested in deep learning approaches than machine learning techniques to analyze the behavior of such a vast number of virus variants. Researchers have been drawn to the categorization of malware within itself in addition to the classification of malware against benign programs to examine the behavioral differences between them. In order to investigate the relationship between the application programming interface (API) calls throughout API sequences and classify them, this work uses the one-dimensional convolutional neural network (1D-CNN) model to solve a multiclass classification problem. On API sequences, feature vectors for distinctive APIs are created using the Word2Vec word embedding approach and the skip-gram model. The one-vs.-rest approach is used to train 1D-CNN models to categorize malware, and all of them are then combined with a suggested ModifiedSoftVoting algorithm to improve classification. On the open benchmark dataset Mal-API-2019, the suggested ensembled 1D-CNN architecture captures improved evaluation scores with an accuracy of 0.90, a weighted average F1-score of 0.90, and an AUC score of more than 0.96 for all classes of malware.

Sumit S. Lad,Amol C. Adamuthe,

DOI: https://doi.org/10.5815/ijcnis.2020.06.03

2021-12-08

International Journal of Computer Network and Information Security

Abstract:Malware is a threat to people in the cyber world. It steals personal information and harms computer systems. Various developers and information security specialists around the globe continuously work on strategies for detecting malware. From the last few years, machine learning has been investigated by many researchers for malware classification. The existing solutions require more computing resources and are not efficient for datasets with large numbers of samples. Using existing feature extractors for extracting features of images consumes more resources. This paper presents a Convolutional Neural Network model with pre-processing and augmentation techniques for the classification of malware gray-scale images. An investigation is conducted on the Malimg dataset, which contains 9339 gray-scale images. The dataset created from binaries of malware belongs to 25 different families. To create a precise approach and considering the success of deep learning techniques for the classification of raising the volume of newly created malware, we proposed CNN and Hybrid CNN+SVM model. The CNN is used as an automatic feature extractor that uses less resource and time as compared to the existing methods. Proposed CNN model shows (98.03%) accuracy which is better than other existing CNN models namely VGG16 (96.96%), ResNet50 (97.11%) InceptionV3 (97.22%), Xception (97.56%). The execution time of the proposed CNN model is significantly reduced than other existing CNN models. The proposed CNN model is hybridized with a support vector machine. Instead of using Softmax as activation function, SVM performs the task of classifying the malware based on features extracted by the CNN model. The proposed fine-tuned model of CNN produces a well-selected features vector of 256 Neurons with the FC layer, which is input to SVM. Linear SVC kernel transforms the binary SVM classifier into multi-class SVM, which classifies the malware samples using the one-against-one method and delivers the accuracy of 99.59%.

Muhammad Asam,Saddam Hussain Khan,Tauseef Jamal,Asifullah Khan

DOI: https://doi.org/10.48550/arXiv.2202.04121

2022-02-09

Abstract:Interaction between devices, people, and the Internet has given birth to a new digital communication model, the Internet of Things (IoT). The seamless network of these smart devices is the core of this IoT model. However, on the other hand, integrating smart devices to constitute a network introduces many security challenges. These connected devices have created a security blind spot, where cybercriminals can easily launch an attack to compromise the devices using malware proliferation techniques. Therefore, malware detection is considered a lifeline for the survival of IoT devices against cyberattacks. This study proposes a novel IoT Malware Detection Architecture (iMDA) using squeezing and boosting dilated convolutional neural network (CNN). The proposed architecture exploits the concepts of edge and smoothing, multi-path dilated convolutional operations, channel squeezing, and boosting in CNN. Edge and smoothing operations are employed with split-transform-merge (STM) blocks to extract local structure and minor contrast variation in the malware images. STM blocks performed multi-path dilated convolutional operations, which helped recognize the global structure of malware patterns. Additionally, channel squeezing and merging helped to get the prominent reduced and diverse feature maps, respectively. Channel squeezing and boosting are applied with the help of STM block at the initial, middle and final levels to capture the texture variation along with the depth for the sake of malware pattern hunting. The proposed architecture has shown substantial performance compared with the customized CNN models. The proposed iMDA has achieved Accuracy: 97.93%, F1-Score: 0.9394, Precision: 0.9864, MCC: 0. 8796, Recall: 0.8873, AUC-PR: 0.9689 and AUC-ROC: 0.9938.

Cryptography and Security,Artificial Intelligence

Wei Wu,Haipeng Peng,Haotian Zhu,Derun Zhang

DOI: https://doi.org/10.3390/s24134253

2024-06-30

Abstract:With the rapid development of the Internet of Things (IoT), the sophistication and intelligence of sensors are continually evolving, playing increasingly important roles in smart homes, industrial automation, and remote healthcare. However, these intelligent sensors face many security threats, particularly from malware attacks. Identifying and classifying malware is crucial for preventing such attacks. As the number of sensors and their applications grow, malware targeting sensors proliferates. Processing massive malware samples is challenging due to limited bandwidth and resources in IoT environments. Therefore, compressing malware samples before transmission and classification can improve efficiency. Additionally, sharing malware samples between classification participants poses security risks, necessitating methods that prevent sample exploitation. Moreover, the complex network environments also necessitate robust classification methods. To address these challenges, this paper proposes CSMC (Compressed Sensing Malware Classification), an efficient malware classification method based on compressed sensing. This method compresses malware samples before sharing and classification, thus facilitating more effective sharing and processing. By introducing deep learning, the method can extract malware family features during compression, which classical methods cannot achieve. Furthermore, the irreversibility of the method enhances security by preventing classification participants from exploiting malware samples. Experimental results demonstrate that for malware targeting Windows and Android operating systems, CSMC outperforms many existing methods based on compressed sensing and machine or deep learning. Additionally, experiments on sample reconstruction and noise demonstrate CSMC's capabilities in terms of security and robustness.

Walid El-Shafai,Iman Almomani,Aala AlKhayer

DOI: https://doi.org/10.3390/app11146446

2021-07-13

Applied Sciences

Abstract:There is a massive growth in malicious software (Malware) development, which causes substantial security threats to individuals and organizations. Cybersecurity researchers makes continuous efforts to defend against these malware risks. This research aims to exploit the significant advantages of Transfer Learning (TL) and Fine-Tuning (FT) methods to introduce efficient malware detection in the context of imbalanced families without the need to apply complex features extraction or data augmentation processes. Therefore, this paper proposes a visualized malware multi-classification framework to avoid false positives and imbalanced datasets’ challenges through using the fine-tuned convolutional neural network (CNN)-based TL models. The proposed framework comprises eight different FT CNN models including VGG16, AlexNet, DarkNet-53, DenseNet-201, Inception-V3, Places365-GoogleNet, ResNet-50, and MobileNet-V2. First, the binary files of different malware families were transformed into 2D images and then forwarded to the FT CNN models to detect and classify the malware families. The detection and classification performance was examined on a benchmark Malimg imbalanced dataset using different, comprehensive evaluation metrics. The evaluation results prove the FT CNN models’ significance in detecting malware types with high accuracy that reached 99.97% which also outperforms the performance of related machine learning (ML) and deep learning (DL)-based malware multi-classification approaches tested on the same malware dataset.

Mazhar Javed Awan,Osama Ahmed Masood,Mazin Abed Mohammed,Awais Yasin,Azlan Mohd Zain,Robertas Damaševičius,Karrar Hameed Abdulkareem

DOI: https://doi.org/10.3390/electronics10192444

IF: 2.9

2021-10-08

Electronics

Abstract:In recent years the amount of malware spreading through the internet and infecting computers and other communication devices has tremendously increased. To date, countless techniques and methodologies have been proposed to detect and neutralize these malicious agents. However, as new and automated malware generation techniques emerge, a lot of malware continues to be produced, which can bypass some state-of-the-art malware detection methods. Therefore, there is a need for the classification and detection of these adversarial agents that can compromise the security of people, organizations, and countless other forms of digital assets. In this paper, we propose a spatial attention and convolutional neural network (SACNN) based on deep learning framework for image-based classification of 25 well-known malware families with and without class balancing. Performance was evaluated on the Malimg benchmark dataset using precision, recall, specificity, precision, and F1 score on which our proposed model with class balancing reached 97.42%, 97.95%, 97.33%, 97.11%, and 97.32%. We also conducted experiments on SACNN with class balancing on benign class, also produced above 97%. The results indicate that our proposed model can be used for image-based malware detection with high performance, despite being simpler as compared to other available solutions.

engineering, electrical & electronic,computer science, information systems,physics, applied

Sicheng Han,Heeheon Yun,Yongsu Park

DOI: https://doi.org/10.3390/electronics13173393

IF: 2.9

2024-08-27

Electronics

Abstract:With the increasing use of sophisticated obfuscation techniques, malware detection remains a critical challenge in cybersecurity. This paper introduces a novel deep learning approach to classify malware obfuscated by virtual machine (VM) code. We specifically explore the application of depth-wise convolutional neural networks (CNNs) combined with a spatial attention mechanism to tackle VM-protected cybersecurity datasets. To address the scarcity of obfuscated malware samples, the dataset was generated using VMProtect to ensure the models were trained on real examples of modern obfuscated malware. The effectiveness of our approach is demonstrated through extensive experiments on both regular malware and obfuscated malware, where our model achieved accuracies of nearly 100% and 93.55% in classifying the regular malware and the obfuscated malware, respectively.

engineering, electrical & electronic,computer science, information systems,physics, applied

Bassam Al-Masri,Nader Bakir,Ali El-Zaart,Khouloud Samrouth

DOI: https://doi.org/10.3390/electronics13183607

IF: 2.9

2024-09-11

Electronics

Abstract:Malware attacks have a cascading effect, causing financial harm, compromising privacy, operations and interrupting. By preventing these attacks, individuals and organizations can safeguard the valuable assets of their operations, and gain more trust. In this paper, we propose a dual convolutional neural network (DCNN) based architecture for malware classification. It consists first of converting malware binary files into 2D grayscale images and then training a customized dual CNN for malware multi-classification. This paper proposes an efficient approach for malware classification using dual CNNs. The model leverages the complementary strengths of a custom structure extraction branch and a pre-trained ResNet-50 model for malware image classification. By combining features extracted from both branches, the model achieved superior performance compared to a single-branch approach.

engineering, electrical & electronic,computer science, information systems,physics, applied

Marwan Omar

DOI: https://doi.org/10.48550/arXiv.2301.11161

2023-01-26

Abstract:Cyber-crimes have become a multi-billion-dollar industry in the recent years. Most cybercrimes/attacks involve deploying some type of malware. Malware that viciously targets every industry, every sector, every enterprise and even individuals has shown its capabilities to take entire business organizations offline and cause significant financial damage in billions of dollars annually. Malware authors are constantly evolving in their attack strategies and sophistication and are developing malware that is difficult to detect and can lay dormant in the background for quite some time in order to evade security controls. Given the above argument, Traditional approaches to malware detection are no longer effective. As a result, deep learning models have become an emerging trend to detect and classify malware. This paper proposes a new convolutional deep learning neural network to accurately and effectively detect malware with high precision. This paper is different than most other papers in the literature in that it uses an expert data science approach by developing a convolutional neural network from scratch to establish a baseline of the performance model first, explores and implements an improvement model from the baseline model, and finally it evaluates the performance of the final model. The baseline model initially achieves 98% accurate rate but after increasing the depth of the CNN model, its accuracy reaches 99.183 which outperforms most of the CNN models in the literature. Finally, to further solidify the effectiveness of this CNN model, we use the improved model to make predictions on new malware samples within our dataset.

Cryptography and Security,Machine Learning

Jeyaprakash Hemalatha,Subbiah Geetha,Seifedine Kadry,Robertas Damaševičius,S. Roseline

DOI: https://doi.org/10.3390/e23030344

IF: 2.738

2021-03-15

Entropy

Abstract:Recently, there has been a huge rise in malware growth, which creates a significant security threat to organizations and individuals. Despite the incessant efforts of cybersecurity research to defend against malware threats, malware developers discover new ways to evade these defense techniques. Traditional static and dynamic analysis methods are ineffective in identifying new malware and pose high overhead in terms of memory and time. Typical machine learning approaches that train a classifier based on handcrafted features are also not sufficiently potent against these evasive techniques and require more efforts due to feature-engineering. Recent malware detectors indicate performance degradation due to class imbalance in malware datasets. To resolve these challenges, this work adopts a visualization-based method, where malware binaries are depicted as two-dimensional images and classified by a deep learning model. We propose an efficient malware detection system based on deep learning. The system uses a reweighted class-balanced loss function in the final classification layer of the DenseNet model to achieve significant performance improvements in classifying malware by handling imbalanced data issues. Comprehensive experiments performed on four benchmark malware datasets show that the proposed approach can detect new malware samples with higher accuracy (98.23% for the Malimg dataset, 98.46% for the BIG 2015 dataset, 98.21% for the MaleVis dataset, and 89.48% for the unseen Malicia dataset) and reduced false-positive rates when compared with conventional malware mitigation techniques while maintaining low computational time. The proposed malware detection solution is also reliable and effective against obfuscation attacks.

physics, multidisciplinary

Ke He,Dong Seong Kim

DOI: https://doi.org/10.1109/trustcom/bigdatase.2019.00022

2019-01-01

Abstract:Driven by economic benefits, the number of malware attacks is increasing significantly on a daily basis. Malware Detection Systems (MDS) is the first line of defense against malicious attacks, thus it is important for malware detection systems to accurately and efficiently detect malware. Traditional MDS typically utilizes traditional machine learning algorithms that require feature selection and extraction, which are time-consuming and error-prone. Conventional deep learning based approaches typically use Recurrent Neural Network (RNN) which can be vulnerable to redundant API injection. Thus, we investigate the effectiveness of Convolutional Neural Networks (CNN) against redundant API injection. We designed a malware detection system that transforms malware files into image representations and classifies the image representation with CNN. The CNN is implemented with spatial pyramid pooling layers (SPP) to deal with varying size input. We evaluate the effectiveness of SPP and image color space (greyscale/RGB) by measuring the performance of our system on both unaltered data and adversarial data with redundant API injected. Results show that naive SPP implementation is impractical due to memory constraints and greyscale imaging is effective against redundant API injection.