Malware Detection on Byte Streams of Hangul Word Processor Files

Jeong, Young-Seob; Woo, Jiyoung; Kang, Ah Reum

doi:10.3390/app9235178

Cited by 3 publications

(12 citation statements)

References 20 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Their CNN model achieved an F1 score of 98.48–98.65%, which was superior to other machine learning models. In [ 3 ], a CNN model was proposed for malware detection of HWP files, wherein the input length is assumed to be 600 bytes. This was the first study of malware detection for HWP files using only byte streams, and achieved an F1 score of 93.33–93.45%.…”

Section: Related Workmentioning

confidence: 99%

“…The previous studies that applied a CNN model to byte streams were successful in some sense, but may not be useful when the byte streams are very long. For example, we may have to run the model proposed in [ 3 ] numerous times (about hundreds times) to make a decision for a single file. Indeed, we found that the mean stream length of PDF files of [ 6 ] is about 600, whereas the mean stream length of HWP files used in [ 3 ] is about 350,000–710,000 with a standard deviation of 2,000,000–4,000,000.…”

Section: Related Workmentioning

confidence: 99%

“…For example, we may have to run the model proposed in [ 3 ] numerous times (about hundreds times) to make a decision for a single file. Indeed, we found that the mean stream length of PDF files of [ 6 ] is about 600, whereas the mean stream length of HWP files used in [ 3 ] is about 350,000–710,000 with a standard deviation of 2,000,000–4,000,000. This implies that we may need to run the model of [ 3 ] about 580–1180 times for each byte stream, as it is assumed that the input length is 600 bytes.…”

Section: Related Workmentioning

confidence: 99%

“…The malicious HWP files contain byte streams of executable code, shell code, or script code. The byte streams with malicious actions convey different patterns compared to benign byte streams, so it is possible to detect malware by analyzing the byte stream patterns as described in [ 3 ].…”

Section: Introductionmentioning

confidence: 99%

“…Some studies used deep learning models to extract meaningful features from byte streams to accurately detects malicious actions. These studies have a common limitation in that their models are not efficient [ 3 , 5 , 6 , 7 ]. That is, the models are often too complex, so they take a long time to analyze numerous suspicious files.…”

Section: Introductionmentioning

confidence: 99%

See 4 more Smart Citations

Malware Detection of Hangul Word Processor Files Using Spatial Pyramid Average Pooling

Jeong

Woo

Lee

et al. 2020

Sensors

Self Cite

View full text Add to dashboard Cite

Malware detection of non-executables has recently been drawing much attention because ordinary users are vulnerable to such malware. Hangul Word Processor (HWP) is software for editing non-executable text files and is widely used in South Korea. New malware for HWP files continues to appear because of the circumstances between South Korea and North Korea. There have been various studies to solve this problem, but most of them are limited because they require a large amount of effort to define features based on expert knowledge. In this study, we designed a convolutional neural network to detect malware within HWP files. Our proposed model takes a raw byte stream as input and predicts whether it contains malicious actions or not. To incorporate highly variable lengths of HWP byte streams, we propose a new padding method and a spatial pyramid average pooling layer. We experimentally demonstrate that our model is not only effective, but also efficient.

show abstract

Section: Related Workmentioning

confidence: 99%

Section: Related Workmentioning

confidence: 99%

Section: Related Workmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 3 more Smart Citations

Malware Detection of Hangul Word Processor Files Using Spatial Pyramid Average Pooling

Jeong

Woo

Lee

et al. 2020

Sensors

Self Cite

View full text Add to dashboard Cite

show abstract

Malware Detection Using Byte Streams of Different File Formats

et al. 2022

View full text Add to dashboard Cite

Rapidrift: Elementary Techniques to Improve Machine Learning-Based Malware Detection

Manikandaraja,

Aaby,

Pitropakis

2023

Computers

View full text Add to dashboard Cite

Artificial intelligence and machine learning have become a necessary part of modern living along with the increased adoption of new computational devices. Because machine learning and artificial intelligence can detect malware better than traditional signature detection, the development of new and novel malware aiming to bypass detection has caused a challenge where models may experience concept drift. However, as new malware samples appear, the detection performance drops. Our work aims to discuss the performance degradation of machine learning-based malware detectors with time, also called concept drift. To achieve this goal, we develop a Python-based framework, namely Rapidrift, capable of analysing the concept drift at a more granular level. We also created two new malware datasets, TRITIUM and INFRENO, from different sources and threat profiles to conduct a deeper analysis of the concept drift problem. To test the effectiveness of Rapidrift, various fundamental methods that could reduce the effects of concept drift were experimentally explored.

show abstract

Malware Detection on Byte Streams of Hangul Word Processor Files

Cited by 3 publications

References 20 publications

Malware Detection of Hangul Word Processor Files Using Spatial Pyramid Average Pooling

Malware Detection of Hangul Word Processor Files Using Spatial Pyramid Average Pooling

Malware Detection Using Byte Streams of Different File Formats

Rapidrift: Elementary Techniques to Improve Machine Learning-Based Malware Detection

Contact Info

Product

Resources

About