Robust Neural Malware Detection Models for Emulation Sequence Learning

Agrawal, Richa; Stokes, Jack W.; Marinescu, Mady; Selvaraj, Karthik

doi:10.1109/milcom.2018.8599785

Cited by 12 publications

(6 citation statements)

References 20 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…The baseline file classifier and event classifier employed in this work use the LSTM-based recurrent neural network architectures proposed by (Athiwaratkun and Stokes 2017). Recurrent models which proposed combining a CNN and an LSTM were proposed by (Kolosnjaji et al 2016) and (Agrawal et al 2018).…”

Section: Related Workmentioning

confidence: 99%

Actor Critic Deep Reinforcement Learning for Neural Malware Control

Wang

Stokes

Marinescu

2020

AAAI

Self Cite

View full text Add to dashboard Cite

In addition to using signatures, antimalware products also detect malicious attacks by evaluating unknown files in an emulated environment, i.e. sandbox, prior to execution on a computer's native operating system. During emulation, a file cannot be scanned indefinitely, and antimalware engines often set the number of instructions to be executed based on a set of heuristics. These heuristics only make the decision of when to halt emulation using partial information leading to the execution of the file for either too many or too few instructions. Also this method is vulnerable if the attackers learn this set of heuristics. Recent research uses a deep reinforcement learning (DRL) model employing a Deep Q-Network (DQN) to learn when to halt the emulation of a file. In this paper, we propose a new DRL-based system which instead employs a modified actor critic (AC) framework for the emulation halting task. This AC model dynamically predicts the best time to halt the file's execution based on a sequence of system API calls. Compared to the earlier models, the new model is capable of handling adversarial attacks by simulating their behaviors using the critic model. The new AC model demonstrates much better performance than both the DQN model and antimalware engine's heuristics. In terms of execution speed (evaluated by the halting decision), the new model halts the execution of unknown files by up to 2.5% earlier than the DQN model and 93.6% earlier than the heuristics. For the task of detecting malicious files, the proposed AC model increases the true positive rate by 9.9% from 69.5% to 76.4% at a false positive rate of 1% compared to the DQN model, and by 83.4% from 41.2% to 76.4% at a false positive rate of 1% compared to a recently proposed LSTM model.

show abstract

Section: Related Workmentioning

confidence: 99%

Actor Critic Deep Reinforcement Learning for Neural Malware Control

Wang

Stokes

Marinescu

2020

AAAI

Self Cite

View full text Add to dashboard Cite

show abstract

“…An anti malware engine generates a very long API call sequences which is a problem for detecting malware. The problem is solved in [294] using neural malware detection models. In this paper, experiments were conducted using different end to end models.…”

Section: ) Deep Neural Network (Dnn)mentioning

confidence: 99%

A Comprehensive Tutorial and Survey of Applications of Deep Learning for Cyber Security

Ravi¹,

Alazab²,

Sriram³

et al. 2020

Preprint

View full text Add to dashboard Cite

show abstract

“…On the other hand, the dynamic approach executes the binary in a controlled environment to collect features like API call traces, network-related information, memory and register usage, etc. [13,14,15]. While static analysis could be undermined by obfuscation, dynamic analysis is proven to be resilient against heavily packed malware but could be time consuming.…”

Section: Introductionmentioning

confidence: 99%

Malware Detection Using Ensemble N-gram Opcode Sequences

Yeboah¹,

Amuquandoh

Musah³

2021

Int. J. Interact. Mob. Technol.

View full text Add to dashboard Cite

Conventional approaches to tackling malware attacks have proven to be futile at detecting never-before-seen (zero-day) malware. Research however has shown that zero-day malicious files are mostly semantic-preserving variants of already existing malware, which are generated via obfuscation methods. In this paper we propose and evaluate a machine learning based malware detection model using ensemble approach. We employ a strategy of ensemble where multiple feature sets generated from different n-gram sizes of opcode sequences are trained using a single classifier. Model predictions on the trained multi feature sets are weighted and combined on average to make a final verdict on whether a binary file is malicious or benign. To obtain optimal weight combination for the ensemble feature sets, we applied a grid search on a set of pre-defined weights in the range 0 to 1. With a balanced dataset of 2000 samples, an ensemble of n-gram opcode sequences of n sizes 1 and 2 with respective weight pair 0.3 and 0.7 yielded the best detection accuracy of 98.1% using random forest (RF) classifier. Ensemble n-gram sizes 2 and 3 obtained 99.7% as best precision using weight 0.5 for both models.

show abstract

Robust Neural Malware Detection Models for Emulation Sequence Learning

Cited by 12 publications

References 20 publications

Actor Critic Deep Reinforcement Learning for Neural Malware Control

Actor Critic Deep Reinforcement Learning for Neural Malware Control

A Comprehensive Tutorial and Survey of Applications of Deep Learning for Cyber Security

Malware Detection Using Ensemble N-gram Opcode Sequences

Contact Info

Product

Resources

About