Detecting Malicious Assembly using Convolutional, Recurrent Neural Networks

Santacroce, Michael; Koranek, Daniel; Jha, Rashmi

doi:10.25046/aj040506

Cited by 2 publications

(2 citation statements)

References 16 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Our models that achieved these success, however, contained a large number of parameters, so they required a large amount of memory and time to train. These are results that we have observed in a previous work [17]. For the model to be practical it must be fast and lean.…”

Section: Network Architecturesupporting

confidence: 82%

“…This work was a proof-of-concept that only the .text section was necessary for classification and we expand that work to achieve better performance here. We then continued on this work with recurrent neural network models, finding that they were more successful but also that there was strong evidence that the recurrent nature of the networks was not necessary for the success of the model [17].…”

Section: Figure 1 Example Executable Code As An Imagementioning

confidence: 99%

See 1 more Smart Citation

Detecting Malware Code as Video With Compressed, Time-Distributed Neural Networks

2020

Self Cite

View full text Add to dashboard Cite

Malware is an ever-present problem in the modern era and while detecting malware with AI has grown as a new field of exploration, current methods are not yet mature enough for widespread adoption in terms of speed and performance. Current methods largely focus on viewing malicious assembly as an image for detection, requiring a large amount of preprocessing and making network architectures inflexible. Preprocessing malware images to one size introduces additional time to predict and makes the task of prediction more difficult. We explore a novel method for transforming executable bytecode into a video rather than an image for classification with deep, time-distributed neural networks, achieving up to 98.74% testing accuracy on 9 classes of malware, and up to 99.36% testing accuracy on a balanced set of malicious vs. benign files. The network could also classify all malware in our dataset for a false positive rate of 13%, and was also found successful in classifying only parts of an input, as well as initial success in a 0-day scenario. The network only uses the executable code and no additional information to make predictions. We then explore methods for pruning and quantizing the network so that it may be more feasible for widespread implementation, including a novel pruning method we call Node-Distance pruning. Our model is found to be competitive to current works while remaining fast, lean and flexible.

show abstract

Section: Network Architecturesupporting

confidence: 82%

Section: Figure 1 Example Executable Code As An Imagementioning

confidence: 99%