Jianbin Mai,Chunjie Cao,Qian Wu

DOI: https://doi.org/10.1007/978-3-030-73671-2_7

2021-01-01

Abstract:Being able to detect malware variants is an important problem due to the rapid development and the security threats of new malware variations. Machine learning methods are currently one of the most popular malware variant detection methods, however, most of these methods only use single type of features (e.g. opcode) and shallow learning algorithms (e.g. SVM), which also makes these methods have demonstrated poor detection accuracy and low detection speeds. In this paper, we propose a method that combines multiple features of malware with deep learning methods to optimize the detection of malware variants. To implement the proposed method, we use Deep Convolutional Neural Network (DCNN) and Information Gain (IG) to extract effective features from the grayscale map and disassembly file mapped from the malware, respectively. Then we construct a fusion feature space by combining the different types of extracted features and use it to train a Multilayer Perceptron (MLP) to obtain results. The experimental results demonstrated that our method achieved good accuracy as compared with other common malware detection methods.

CHEN Zhongyuan,ZHANG Jianbiao

DOI: https://doi.org/10.11959/j.issn.2096-109x.2024002

2024-01-01

Abstract:With the rapid development of network technology, the number and variety of malware have been increasing, posing a significant challenge in the field of network security.However, existing single-feature malware detection methods have proven inadequate in representing sample information effectively.Moreover, multi-feature detection approaches also face limitations in feature fusion, resulting in an inability to learn and comprehend the complex relationships within and between features.These limitations ultimately lead to subpar detection results.To address these issues, a malware detection method called MFAGM was proposed, which focused on multimodal feature fusion.By processing the .asm and .bytes files of the dataset, three key features belonging to two types (opcode statistics sequences, API sequences, and grey-scale image features) were successfully extracted.This comprehensive characterization of sample information from multiple perspectives aimed to improve detection accuracy.In order to enhance the fusion of these multimodal features, a feature fusion module called SA-JGmu was designed.This module utilized the self-attention mechanism to capture internal dependencies between features.It also leveraged the gating mechanism to enhance interactivity among different features.Additionally, weight-jumping links were introduced to further optimize the representational capabilities of the model.Experimental results on the Microsoft malware classification challenge dataset demonstrate that MFAGM achieves higher accuracy and F1 scores compared to other methods in the task of malware detection.

Shuo Wang,Jian Wang,Yafei Song,Song Li

DOI: https://doi.org/10.1155/2021/1070586

IF: 3.12

2021-12-14

Computational Intelligence and Neuroscience

Abstract:The increasing volume and types of malwares bring a great threat to network security. The malware binary detection with deep convolutional neural networks (CNNs) has been proved to be an effective method. However, the existing malware classification methods based on CNNs are unsatisfactory to this day because of their poor extraction ability, insufficient accuracy of malware classification, and high cost of detection time. To solve these problems, a novel approach, namely, multiscale feature fusion convolutional neural networks (MFFCs), was proposed to achieve an effective classification of malware based on malware visualization utilizing deep learning, which can defend against malware variants and confusing malwares. The approach firstly converts malware code binaries into grayscale images, and then, these images will be normalized in size by utilizing the MFFC model to identify malware families. Comparative experiments were carried out to verify the performance of the proposed method. The results indicate that the MFFC stands out among the recent advanced methods with an accuracy of 98.72% and an average cost of 5.34 milliseconds on the Malimg dataset. Our method can effectively identify malware and detect variants of malware families, which has excellent feature extraction capability and higher accuracy with lower detection time.

mathematical & computational biology,neurosciences

Yao Liu,Xiaoyu Bai,Qiao Liu,Tian Lan,Le Zhou,Tinghao Zhou

DOI: https://doi.org/10.1007/978-981-99-9331-4_43

2024-01-01

Abstract:With the proliferation of malware, malware detection techniques have become more critical to protect the security and privacy of users. While existing malware detection techniques have achieved superior accuracy and detection rates, most of these techniques require a large number of labeled samples for training. In general, assembling a large amount of reliable data is still expensive, time-consuming, and even impossible. These malware detection techniques do not achieve good results on a small number of labeled samples and do not have the capability to detect new or variant malware. Therefore, it is necessary to investigate solutions for detecting malware in the few-shot scenario. This paper proposes a hierarchical feature fusion malware detection framework based on multi-task meta-learning, namely Meta-HFMD. The proposed framework first adopts a hierarchical feature fusion approach to learn hierarchical spatial traffic features from packet-level and flow-level. Then, it constructs an efficient multi-task malware detection model based on model-agnostic meta-learning (MAML), which can detect malware with tiny labeled samples. Experimental results demonstrate that Meta-HFMD achieves satisfactory results in the few-shot malware detection task, both in single-platform and cross-platform environments, and its performance metrics outperform other baseline models.

Moustafa Saleh,Tao Li,Shouhuai Xu

DOI: https://doi.org/10.1007/s11416-017-0304-8

2017-01-01

Journal of Computer Virology and Hacking Techniques

Abstract:Malware detection is still an open problem. There are numerous attacks that take place every day where malware is used to steal private information, disrupt services, or sabotage industrial systems. In this paper, we combine three kinds of contextual information, namely static, dynamic, and instruction-based, for malware detection. This leads to the definition of more than thirty thousand features, which is a large features set that covers a wide range of a sample characteristics. Through experiments with one million files, we show that this features set leads to machine learning based models that can detect both malware seen roughly at the time when the models are built, and malware first seen even months after the models were built (i.e., the detection models remain effective months ahead of time). This may be due to the comprehensiveness of the features set.

Jahez Abraham Johny,Vinod P.,Asmitha K. A.,G. Radhamani,Rafidha Rehiman K. A.,Mauro Conti

2024-05-23

Abstract:Malware has become a formidable threat as it has been growing exponentially in number and sophistication, thus, it is imperative to have a solution that is easy to implement, reliable, and effective. While recent research has introduced deep learning multi-feature fusion algorithms, they lack a proper explanation. In this work, we investigate the power of fusing Convolutional Neural Network models trained on different modalities of a malware executable. We are proposing a novel multimodal fusion algorithm, leveraging three different visual malware features: Grayscale Image, Entropy Graph, and SimHash Image, with which we conducted exhaustive experiments independently on each feature and combinations of all three of them using fusion operators such as average, maximum, add, and concatenate for effective malware detection and classification. The proposed strategy has a detection rate of 1.00 (on a scale of 0-1) in identifying malware in the given dataset. We explained its interpretability with visualization techniques such as t-SNE and Grad-CAM. Experimental results show the model works even for a highly imbalanced dataset. We also assessed the effectiveness of the proposed method on obfuscated malware and achieved state-of-the-art results. The proposed methodology is more reliable as our findings prove VGG16 model can detect and classify malware in a matter of seconds in real-time.

Cryptography and Security

Xing Yang,Denghui Yang,Yizhou Li

DOI: https://doi.org/10.3390/electronics12030713

IF: 2.9

2023-01-01

Electronics

Abstract:With the widespread use of computers, the amount of malware has increased exponentially. Since dynamic detection is costly in both time and resources, most existing malware detection methods are based on static features. However, existing static methods mainly rely on single feature types of malware, while few pay attention to multi-feature fusion. This paper presents a novel multi-feature extraction and fusion method to effectively detect malware variants by combining binary and opcode features. We propose a stacked convolutional network to capture the temporal and discontinuity information in the function call of the binary file from malware. Additionally, we adopt the triangular attention algorithm to extract code-level features from assembly code. Additionally, these two extracted features are aligned and fused by the cross-attention, which could provide a stable feature representation. We evaluate our method on two different datasets. It achieves an accuracy of 0.9954 on the Kaggle Malware Classification dataset and an accuracy of 0.9544 on a large real-world dataset. To optimize our detection model, we conduct in-depth discussions on different feature extractors and multi-feature fusion strategies. Moreover, a visualized attention module in our model is provided to explain its superiority in the opcode feature extraction. An experimental analysis is performed against five baseline deep learning models and five state-of-the-art malware detection models, which reveals that our strategy outperforms competing approaches in all evaluation circumstances.

Gaoning Shen,Zhixiang Chen,Hui Wang,Heng Chen,Shuqi Wang

DOI: https://doi.org/10.1016/j.cose.2022.102761

2022-08-01

Abstract:Malicious code has become an important factor threatening network security. Single feature-based malicious code detection methods have achieved good detection results, but when faced with some similar malicious code families, the detection effect is often poor. To address this concern, we propose a feature fusion-based malicious code detection with dual attention mechanism and Bi-directional Long Short-Term Memory (BiLSTM). The dual attention mechanism module gives different focuses on the channel and space of feature maps to extract local texture features of malicious code grayscale images. At the same time, the BiLSTM module extracts global texture structure features of malicious code grayscale images, and fuse local texture features with global texture features, which can not only reflect the detailed characteristics of malicious code, but also retain the overall structural characteristics. Finally, we use the focal loss function to reduce the impact of data imbalance. The experimental results show that our feature fusion approach has a better detection effect compared with the single feature approach, especially in the detection of similar malicious code families.

computer science, information systems

Binghui Zou,Chunjie Cao,Longjuan Wang,Yinan Cheng,Jingzhang Sun

2024-04-25

Abstract:Malware can greatly compromise the integrity and trustworthiness of information and is in a constant state of evolution. Existing feature fusion-based detection methods generally overlook the correlation between features. And mere concatenation of features will reduce the model's characterization ability, lead to low detection accuracy. Moreover, these methods are susceptible to concept drift and significant degradation of the model. To address those challenges, we introduce a feature graph-based malware detection method, MFGraph, to characterize applications by learning feature-to-feature relationships to achieve improved detection accuracy while mitigating the impact of concept drift. In MFGraph, we construct a feature graph using static features extracted from binary PE files, then apply a deep graph convolutional network to learn the representation of the feature graph. Finally, we employ the representation vectors obtained from the output of a three-layer perceptron to differentiate between benign and malicious software. We evaluated our method on the EMBER dataset, and the experimental results demonstrate that it achieves an AUC score of 0.98756 on the malware detection task, outperforming other baseline models. Furthermore, the AUC score of MFGraph decreases by only 5.884% in one year, indicating that it is the least affected by concept drift.

Cryptography and Security

Lixia Zhang,Tianxu Liu,Kaihui Shen,Cheng Chen

2024-10-12

Abstract:With the rapid advancement of Internet technology, the threat of malware to computer systems and network security has intensified. Malware affects individual privacy and security and poses risks to critical infrastructures of enterprises and nations. The increasing quantity and complexity of malware, along with its concealment and diversity, challenge traditional detection techniques. Static detection methods struggle against variants and packed malware, while dynamic methods face high costs and risks that limit their application. Consequently, there is an urgent need for novel and efficient malware detection techniques to improve accuracy and robustness. This study first employs the minhash algorithm to convert binary files of malware into grayscale images, followed by the extraction of global and local texture features using GIST and LBP algorithms. Additionally, the study utilizes IDA Pro to decompile and extract opcode sequences, applying N-gram and tf-idf algorithms for feature vectorization. The fusion of these features enables the model to comprehensively capture the behavioral characteristics of malware. In terms of model construction, a CNN-BiLSTM fusion model is designed to simultaneously process image features and opcode sequences, enhancing classification performance. Experimental validation on multiple public datasets demonstrates that the proposed method significantly outperforms traditional detection techniques in terms of accuracy, recall, and F1 score, particularly in detecting variants and obfuscated malware with greater stability. The research presented in this paper offers new insights into the development of malware detection technologies, validating the effectiveness of feature and model fusion, and holds promising application prospects.

Cryptography and Security,Artificial Intelligence

Guoqing Xiao,Jingning Li,Yuedan Chen,Kenli Li

DOI: https://doi.org/10.1016/j.jpdc.2020.03.012

IF: 4.542

2020-01-01

Journal of Parallel and Distributed Computing

Abstract:Identifying the family of malware can determine their malicious intent and attack patterns, which helps to efficiently analyze large numbers of malware variants. Methods based on traditional machine learning often require a lot of time and resources in feature engineering. Virtually all existing static analysis methods based on malware visualization are derived from grayscale images, while a single low-order feature representation may be detrimental to discovering hidden features in a malware family. Based on these problems, this paper proposes an effective malware classification framework (MalFCS) based on malware visualization and automated feature extraction. MalFCS includes mainly three modules: malware visualization, feature extraction, and classification. First, we visualize malware binaries as entropy graphs based on structural entropy. Second, we present a feature extractor based on deep convolutional neural networks to extract patterns shared by a family from entropy graphs automatically. Finally, we propose an SVM classifier to classify malware based on the extracted features. We evaluate the proposed MalFCS over two widely studied benchmark datasets, i.e., Malimg and Microsoft. Experimental results show that compared with the state-of-the-art methods, MalFCS can obtain excellent classification performance with accuracy of 0.997 and 1, respectively, achieving the state-of-the-art performance.

Ya-Shu Liu,Yu-Kun Lai,Zhi-Hai Wang,Han-Bing Yan

DOI: https://doi.org/10.1109/access.2019.2892500

IF: 3.9

2019-01-01

IEEE Access

Abstract:With the development of the Internet, malware has become one of the most significant threats. Recognizing specific types of malware is an important step toward effective removal. Malware visualization is an important branch of malware static analysis techniques, where a piece of malware is turned into an image for visualization and classification. Despite great success, it is still difficult to extract effective texture feature representations for challenging datasets. The existing methods use global image features which are sensitive to relative code locations. In this paper, we present a new learning framework to obtain more discriminative and robust feature descriptors. The proposed method works with the existing local descriptors such as local binary patterns and dense scale-invariant feature transform, by grouping them into blocks and by using a new bag-of-visual-words model to obtain robust features, which are more flexible than global features and more robust than local features. We evaluate the proposed method on three malware databases. The experimental results demonstrate that the obtained descriptors lead to the state-of-the-art classification performance.

Yusheng Dai,Hui Li,Yekui Qian,Ruipeng Yang,Min Zheng

DOI: https://doi.org/10.1109/access.2019.2934012

IF: 3.9

2019-01-01

IEEE Access

Abstract:With the increasing variants of malware, it is of great significance to detect malware and ensure system security effectively. The existing malware dynamic detection methods are vulnerable to evasion attacks. For this situation, we propose a malware dynamic detection method based on mufti-feature ensemble learning. Firstly, the method adopts the combination of software features such as API call sequence with high detection precision and low-level hardware features such as resistance to evasion the memory dump grayscale and hardware performance counters. Secondly, we improve each feature based on the original research. We select a more advanced classifier model to improve the detection precision of a single feature. Finally, an ensemble learning algorithm composed of multiple classification algorithms detects malware, the multi-features can describe malware behavior from multi-dimensions to improve detection performance. We use a large number of malware sample dataset to experiment, and the results show that our detection method can obtain good detection precision rate, and is better than other recently proposed dynamic detection methods in anti-evasion performance.

Shanqing Guo,Qixia Yuan,Fengbo Lin,Fengyu Wang,Tao Ban

DOI: https://doi.org/10.1007/978-3-642-17534-3_32

2010-01-01

Abstract:One of the major problems concerning information assurance is malicious code. In order to detect them, many existing run-time intrusion or malware detection techniques utilize information available in Application Programming Interface (API) call sequences to discriminate between benign and malicious processes. Although some great progresses have been made, the new research results of ensemble learning make it possible to design better malware detection algorithm. This paper present a novel approach of detecting malwares using API call sequences. Basing on the fact that the API call sequences of a software show local property when doing network, file IO and other operations, we first divide the API call sequences of a malware into seven subsequences, and then use each subsequence to build a classification model. After these building models are used to classify software, their outputs are combined by using BKS and the final fusion results will be used to label whether a software is malicious or not. Experiments show that our algorithm can detect known malware effectively.

Mohan Gao,Peng Wu,Li Pan

DOI: https://doi.org/10.1007/978-3-031-15777-6_27

2022-01-01

Abstract:Malware is a software capable of causing damage to computer systems. Conventional malware detection methods either require feature engineering to extract specific features or require a large amount of labeled data to train an end-to-end deep learning model. Both feature engineering and labelling are laborious. In this paper, we propose a semi-supervised contrastive learning malware detection method based on API call sequences with limited label information, called SCLMD. Specifically, a heterogeneous graph is constructed from API behavior to express the rich relationships among labeled and unlabeled software. After extracting the structural and sequential features of software by two encoders, we adopt the cross-view contrastive learning to obtain the shared and consistent feature of software. A hybrid positive selection strategy is designed to select positive pairs for contrastive learning by the guidance of the limited label information. Experimental results on two real world datasets show that the SCLMD outperforms the baseline methods, especially when the supervised information is limited.

Jingling Zhao,Suoxing Zhang,Bohan Liu,Baojiang Cui

DOI: https://doi.org/10.1109/icccn.2018.8487459

2018-01-01

Abstract:As millions of new malware samples emerge every day, traditional malware detection techniques are no longer adequate. Static analysis methods, such as file signature, fail to detect unknown programs. Dynamic analysis methods have low efficiency and high false positive rate. We need a detection technique that can adapt to the rapidly changing malware ecosystem. The paper presented a new malware detection method using machine learning based on the combination of dynamic and static features. The characteristic of this experiment involved in many fields of knowledge, including binary program instrumentation, static analysis, assembly instruction analysis, machine learning, etc. Finally, we achieved a good result over a substantial number of malwares.

Li Jian,Wang Zheng,Wang Tao,Tang Jinghao,Yang Yuguang,Zhou Yihua

DOI: https://doi.org/10.1049/cje.2018.09.008

IF: 1.019

2018-01-01

Chinese Journal of Electronics

Abstract:In order to improve the detection efficiency of Android malicious application, an Android malware detection system based on feature fusion is proposed on three levels. Feature fusion especially emphasizes on ten categories, which combines static and dynamic features and includes 377 features for classification. In order to improve the accuracy of malware detection, attribute subset selection and principle component analysis are used to reduce the dimensionality of fusion features. Random forest is used for classification. In the experiment, the dataset includes 43,822 benign applications and 8,454 malicious applications. The method can achieve 99.4% detection accuracy and 0.6% false positive rate. The experimental results show that the detection method can improve the malware detection efficiency in Android platform.

Hong Cui,Bo Yu,Ying Fang

DOI: https://doi.org/10.3969/j.issn.1001-3695.2017.04.037

2017-01-01

Abstract:High-dimensional feature fusion and deep feature synthesis of malware features is new tendency and difficult problem of malware classification research.This paper presented a high-dimensional feature fusion method for malware classification.Firstly,it extracted features from both binary files and disassembly files using static analysis.Secondly,it analyzed and processed the high-dimensional feature vectors based on the SimHash method with the idea of locality-sensitive features.Finally,it trained and learned the fused feature vectors based on the classical machine learning method.Experimental results and analysis show that the proposed method is suitable for malware classification with high-dimensional features while only a small number of samples are available,and it can also improve the time performance of sample classification.

Yuxin Ding,Jieke Hu,Wenting Xu,Xiao Zhang

DOI: https://doi.org/10.1109/ICMLC48188.2019.8949298

2019-01-01

Abstract:In recent years, there is a rapid increase in the number of Android based malware. To protect users from malware attacks, different malware detection methods are proposed. In this paper, a novel static method is proposed to detect malware. We use the static analysis technique to analyze the Android applications and obtain their static behaviors. Two kinds of behaviors are extracted to represent malware. One kind of behaviors is the function call graph and the other kind is opcode sequences. To automatically learn behavioral features, we convert the function call graphs and opcode sequences into two dimensional data, and use deep learning method to build malware classifier. To further improve the performance of the malware classifier, a deep feature fusion model is proposed, which can combine different behavioral features for malware classification. The experimental results show the deep learning method is effective to detect malware and the proposed fusion model outperforms the single behavioral model.

Junmiao Liang,Zhenhu Ning,Yihua Zhou,Dongzhi Cao

DOI: https://doi.org/10.1109/iccia52886.2021.00031

2021-01-01

Abstract:With the development of the Internet, security issues in the network have attracted more and more attention. Variants of malicious code are constantly increasing, and their attacks will have a serious impact on the network environment, so effective detection of malicious code has important research significance. However, the current malicious code detection methods still have some problems, such as code detection, cumbersome feature extraction, and misclassification between similar families. To this end, the paper proposes a fine-grained detection method for malicious code. First visualized the binary files of malicious code and converted them into grayscale images. Then, use the improved convolutional neural network to extract the multi-resolution features of grayscale images, and use the interactive fusion method to fuse these features. Finally, input the fused features into the fully connected layer to complete the fine-grained classification of malicious code. Experiments prove that our method is indeed effective for fine-grained classification of malicious code.