Learning the PE Header, Malware Detection with Minimal Domain Knowledge

Raff, Edward; Sylvester, Jared; Nicholas, Charles

doi:10.1145/3128572.3140442

Cited by 123 publications

(121 citation statements)

References 49 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…For features, one study combines DNN's with random projections [9] and another with two dimensional binary PE program features [24]. Research has also been done on a variety of file types, such as Android and PE files [5], [16], [22], [29]. While the specifics can vary greatly, all machine learning approaches to malware detection share the same central vulnerability to AEs.…”

Section: A Malware Detection Using Neural Networkmentioning

confidence: 99%

See 1 more Smart Citation

Adversarial Deep Learning for Robust Detection of Binary Encoded Malware

Al-Dujaili¹,

Huang²,

Hemberg³

et al. 2018

2018 IEEE Security and Privacy Workshops (SPW)

137

112

View full text Add to dashboard Cite

Malware is constantly adapting in order to avoid detection. Model based malware detectors, such as SVM and neural networks, are vulnerable to so-called adversarial examples which are modest changes to detectable malware that allows the resulting malware to evade detection. Continuous-valued methods that are robust to adversarial examples of images have been developed using saddle-point optimization formulations. We are inspired by them to develop similar methods for the discrete, e.g. binary, domain which characterizes the features of malware. A specific extra challenge of malware is that the adversarial examples must be generated in a way that preserves their malicious functionality. We introduce methods capable of generating functionally preserved adversarial malware examples in the binary domain. Using the saddle-point formulation, we incorporate the adversarial examples into the training of models that are robust to them. We evaluate the effectiveness of the methods and others in the literature on a set of Portable Execution (PE) files. Comparison prompts our introduction of an online measure computed during training to assess general expectation of robustness.

show abstract

Section: A Malware Detection Using Neural Networkmentioning

confidence: 99%

“…Security researchers have generated malware AEs using an array of machine learning approaches such as reinforcement learning, genetic algorithms and supervised learning including neural networks, decision trees and SVM [5], [10], [12]- [14], [22], [24], [27], [28]. These approaches, with the exception of [12], [13], are black box.…”

Section: Adversarial Malwarementioning

confidence: 99%

Adversarial Deep Learning for Robust Detection of Binary Encoded Malware

Al-Dujaili¹,

Huang²,

Hemberg³

et al. 2018

2018 IEEE Security and Privacy Workshops (SPW)

137

112

View full text Add to dashboard Cite

show abstract

“…Raff et al [49] addressed the problem of detecting malicious Portable Executable (PE) files using a DL model containing an embedding layer. Their classifier uses the PE header only, whose raw bytes are used as input to a DL model, containing a W2V-style embedding layer.…”

Section: Related Workmentioning

confidence: 99%

Detecting Malicious PowerShell Commands using Deep Neural Networks

Hendler

Kels

Rubin

2018

Proceedings of the 2018 on Asia Conference on Computer and Communications Security

View full text Add to dashboard Cite

PowerShell is a command line shell, supporting a scripting language, that is widely used in organizations for configuration management and task automation. Unfortunately, PowerShell is also increasingly used by cybercriminals for launching cyber attacks against organizations, mainly because it is pre-installed on Windows machines, exposes strong functionality that may be leveraged by attackers, and its code can be deeply obfuscated in many ways. This makes the problem of detecting malicious PowerShell scripts both urgent and challenging.To the best of our knowledge, our work is the first to address this important problem. We do so by presenting several novel deep learning based detectors of malicious PowerShell scripts. Our best model obtains a true positive rate of nearly 90% while maintaining a low false positive rate of less than 0.1%, indicating that it can be of practical value.Our models employ pre-trained contextual embeddings of words from the PowerShell "language". A contextual word embedding is able to project semantically similar words to proximate vectors in the embedding space. A known problem in the cybersecurity domain is that labeled data is relatively scarce in comparison with unlabeled data, making it difficult to devise effective supervised detection of malicious activity of many types. This is also the case with PowerShell scripts. Our work shows that this problem can be largely mitigated by learning a pre-trained contextual embedding based on unlabeled data.We trained our models' embedding layer using a scripts dataset that was enriched by a large corpus of unlabeled Power-Shell scripts collected from public repositories. As established by our performance analysis, the use of unlabeled data for the embedding significantly improved the performance of our detectors. We estimate that the usage of pre-trained contextual embeddings based on unlabeled data for improved classication accuracy will find additional applications in the cybersecurity domain.

show abstract

“…In recent years, the need for techniques that generalize to previously unseen malware samples has led to detection approaches that utilize machine learning techniques [25,26,38]. Malware analysis can be broadly divided into two categories: code (static) analysis and behavioral (dynamic) analysis.…”

Section: Introductionmentioning

confidence: 99%

Neurlux

Jindal

Salls

Aghakhani

et al. 2019

Proceedings of the 35th Annual Computer Security Applications Conference

View full text Add to dashboard Cite

Malware detection plays a vital role in computer security. Modern machine learning approaches have been centered around domain knowledge for extracting malicious features. However, many potential features can be used, and it is time consuming and difficult to manually identify the best features, especially given the diverse nature of malware.In this paper, we propose Neurlux, a neural network for malware detection. Neurlux does not rely on any feature engineering, rather it learns automatically from dynamic analysis reports that detail behavioral information. Our model borrows ideas from the field of document classification, using word sequences present in the reports to predict if a report is from a malicious binary or not. We investigate the learned features of our model and show which components of the reports it tends to give the highest importance. Then, we evaluate our approach on two different datasets and report formats, showing that Neurlux improves on the state of the art and can effectively learn from the dynamic analysis reports. Furthermore, we show that our approach is portable to other malware analysis environments and generalizes to different datasets. CCS CONCEPTS• Security and privacy → Software and application security; • Computing methodologies → Neural networks.

show abstract

Learning the PE Header, Malware Detection with Minimal Domain Knowledge

Cited by 123 publications

References 49 publications

Adversarial Deep Learning for Robust Detection of Binary Encoded Malware

Adversarial Deep Learning for Robust Detection of Binary Encoded Malware

Detecting Malicious PowerShell Commands using Deep Neural Networks

Neurlux

Contact Info

Product

Resources

About