Malware Detection Using Deep Recurrent Neural Networks with no Random Initialization

  • Amir Namavar Jahromi (Shiraz University, Computer Science & Engineering and Information Technology Department)
  • Sattar Hashemi (Shiraz University, Computer Science & Engineering and Information Technology Department)
  • Received: 2023.08.05
  • Published: 2023.08.30

Abstract

Malware detection is an increasingly important operational focus in cyber security, particularly given the fast pace at which such threats evolve (e.g., new malware variants are introduced every day). There has been great interest in using machine learning techniques to automate and enhance the effectiveness of malware detection and analysis. In this paper, we present a deep recurrent neural network solution: a stacked Long Short-Term Memory (LSTM) network with pre-training used as a regularization method that avoids random network initialization. Our proposal uses both global and short-range dependencies of the inputs. By avoiding random initialization through pre-training, we improve the accuracy and robustness of malware threat hunting. The proposed method speeds up convergence (in comparison to a stacked LSTM) by reducing the length of the malware OpCode or bytecode sequences; hence, the complexity of the final method is reduced. This leads to better accuracy, a higher Matthews Correlation Coefficient (MCC), and a higher Area Under the Curve (AUC) than a standard LSTM, with similar detection time. The proposed method can be applied to real-time malware threat hunting, particularly for safety-critical systems such as eHealth or the Internet of Military Things, where poor convergence of the model could lead to catastrophic consequences. We evaluate the effectiveness of the proposed method on Windows, ransomware, Internet of Things (IoT), and Android malware datasets using both static and dynamic analysis. For IoT malware detection, we also present a comparative summary of the performance of the proposed method and the standard stacked LSTM method on an IoT-specific dataset. More specifically, the proposed method achieves an accuracy of 99.1% in detecting IoT malware samples, with an AUC of 0.985 and an MCC of 0.95, thus outperforming standard LSTM-based methods on these key metrics.
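The abstract reports accuracy, MCC and AUC together because accuracy alone is misleading on the class-imbalanced datasets typical of malware detection. The following is an added example, not code from the paper, that computes the three metrics from a detector's scores in plain Python. The sample labels and scores are constructed for illustration, and `predict_all_benign` is a hypothetical detector used only to show why MCC and AUC are reported alongside accuracy.

```python
"""Accuracy, Matthews Correlation Coefficient (MCC) and ROC AUC for a
binary malware detector (label 1 = malware, 0 = benign).

Added example, not the paper's code. The labels and scores below are
constructed for illustration only.
"""
from math import sqrt
from typing import Dict, Sequence, Tuple


def confusion_counts(y_true: Sequence[int], y_pred: Sequence[int]) -> Tuple[int, int, int, int]:
    """Return (tp, tn, fp, fn) for binary labels."""
    tp = sum(1 for t, p in zip(y_true, y_pred) if t == 1 and p == 1)
    tn = sum(1 for t, p in zip(y_true, y_pred) if t == 0 and p == 0)
    fp = sum(1 for t, p in zip(y_true, y_pred) if t == 0 and p == 1)
    fn = sum(1 for t, p in zip(y_true, y_pred) if t == 1 and p == 0)
    return tp, tn, fp, fn


def accuracy(tp: int, tn: int, fp: int, fn: int) -> float:
    total = tp + tn + fp + fn
    return (tp + tn) / total if total else 0.0


def mcc(tp: int, tn: int, fp: int, fn: int) -> float:
    """MCC lies in [-1, 1]; 0 means no better than a constant or random guess.
    An empty row or column of the confusion matrix (e.g. a detector that
    never flags anything) makes the denominator zero; the conventional
    value in that case is 0."""
    denom = sqrt((tp + fp) * (tp + fn) * (tn + fp) * (tn + fn))
    return (tp * tn - fp * fn) / denom if denom else 0.0


def roc_auc(y_true: Sequence[int], scores: Sequence[float]) -> float:
    """Threshold-free AUC via the Mann-Whitney U statistic: the fraction of
    (malware, benign) pairs in which the malware sample received the higher
    score, ties counting one half. This equals the area under the ROC curve."""
    pos = [s for t, s in zip(y_true, scores) if t == 1]
    neg = [s for t, s in zip(y_true, scores) if t == 0]
    if not pos or not neg:
        return 0.0
    wins = 0.0
    for p in pos:
        for n in neg:
            if p > n:
                wins += 1.0
            elif p == n:
                wins += 0.5
    return wins / (len(pos) * len(neg))


def evaluate(y_true: Sequence[int], scores: Sequence[float], threshold: float = 0.5) -> Dict[str, object]:
    """Binarise scores at `threshold` for accuracy/MCC; AUC uses raw scores."""
    y_pred = [1 if s >= threshold else 0 for s in scores]
    tp, tn, fp, fn = confusion_counts(y_true, y_pred)
    return {
        "accuracy": accuracy(tp, tn, fp, fn),
        "mcc": mcc(tp, tn, fp, fn),
        "auc": roc_auc(y_true, scores),
        "confusion": (tp, tn, fp, fn),
    }


# Constructed sample: 4 malware and 4 benign samples with detector scores.
SAMPLE_LABELS = [1, 1, 1, 1, 0, 0, 0, 0]
SAMPLE_SCORES = [0.9, 0.8, 0.4, 0.7, 0.2, 0.6, 0.1, 0.3]

# Constructed imbalanced set (95 benign, 5 malware), the situation in which
# accuracy alone overstates a detector's usefulness.
IMBALANCED_LABELS = [0] * 95 + [1] * 5


def predict_all_benign(labels: Sequence[int]) -> list:
    """Hypothetical baseline detector: score 0.0 for everything, never alerts."""
    return [0.0] * len(labels)


def baseline_metrics() -> Dict[str, object]:
    """Metrics of the never-alert baseline: high accuracy, MCC 0, AUC 0.5."""
    return evaluate(IMBALANCED_LABELS, predict_all_benign(IMBALANCED_LABELS))


if __name__ == "__main__":
    print(evaluate(SAMPLE_LABELS, SAMPLE_SCORES))
    print(baseline_metrics())
```

On the constructed sample the detector scores 0.75 accuracy, 0.5 MCC and 0.9375 AUC, while the never-alert baseline on the imbalanced set reaches 0.95 accuracy yet 0.0 MCC and 0.5 AUC, which is why a figure such as the 99.1% accuracy quoted above is only meaningful next to its MCC and AUC. The example does not reproduce the paper's numbers; it has no access to the datasets or the trained model.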
