Detecting Malicious Assembly with Deep Learning

Santacroce, Michael; Koranek, Daniel; Kapp, David; Ralescu, Anca; Jha, Rashmi

doi:10.1109/naecon.2018.8556657

Cited by 6 publications

(6 citation statements)

References 2 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Recent works, including our own, have shown that classifying malware images responds well to convolution [1] . Therefore, instead of using a LSTM, it is possible to use the Convolutional LSTM (from now on, ConvLSTM).…”

Section: Network Architecturementioning

confidence: 84%

“…The author also notes that the test set was limited to a certain size of binaries and that future work should expand to any length of binaries. In our own work, which this paper extends, we presented up to 88% accuracy in classifying malware on the same data from the Microsoft Malware Classification Challenge [1] . The largest issue from that work was the large amount of padding used.…”

Section: Related Workmentioning

confidence: 89%

“…In our previous work we generated our own data using malware obtained from a Windows installation and live malware found online [1] , number 240 total files split evenly between the two classes. There were a few issues with this dataset, namely, the limited size due to difficulty of acquiring samples and the overly-complex tokenization method.…”

Section: Network Inputmentioning

confidence: 99%

“…We previously experienced issues with the size of the input being too large to use at once, and even after purposely omitting files over a certain length, the networks would train in an unreasonably long amount of time. Therefore, we utilized pooling to downsample the input data [1] . While this is the only preprocessing we perform, which adds time to making predictions, we still perform downsampling on the data by randomly discarding 9 of every 10 lines.…”

Section: Network Architecturementioning

confidence: 99%

“…This paper is an extension of the work originally presented in the 2018 IEEE National Aerospace and Electronics Conference (NAE-CON) [1] .…”

Section: Introductionmentioning

confidence: 99%

See 4 more Smart Citations

Detecting Malicious Assembly using Convolutional, Recurrent Neural Networks

Santacroce¹,

Koranek²,

Jha³

2019

Adv. sci. technol. eng. syst. j.

Self Cite

View full text Add to dashboard Cite

We present findings on classifying the class of executable code using convolutional, recurrent neural networks by creating images from only the .text section of executables and dividing them into standard-size windows, using minimal preprocessing. We achieve up to 98.24% testing accuracy on classifying 9 types of malware, and 99.50% testing accuracy on classifying malicious vs. benign code. Then, we find that a recurrent network may not entirely be necessary, opening the door for future neural network architectures.

show abstract

Section: Network Architecturementioning

confidence: 84%

Section: Related Workmentioning

confidence: 89%

Section: Network Inputmentioning

confidence: 99%

Section: Network Architecturementioning

confidence: 99%

“…This paper is an extension of the work originally presented in the 2018 IEEE National Aerospace and Electronics Conference (NAE-CON) [1] .…”

Section: Introductionmentioning

confidence: 99%

See 3 more Smart Citations

Detecting Malicious Assembly using Convolutional, Recurrent Neural Networks

Santacroce¹,

Koranek²,

Jha³

2019

Adv. sci. technol. eng. syst. j.

Self Cite

View full text Add to dashboard Cite

show abstract

Detecting Malware Code as Video With Compressed, Time-Distributed Neural Networks

2020

Self Cite

View full text Add to dashboard Cite

Malware is an ever-present problem in the modern era and while detecting malware with AI has grown as a new field of exploration, current methods are not yet mature enough for widespread adoption in terms of speed and performance. Current methods largely focus on viewing malicious assembly as an image for detection, requiring a large amount of preprocessing and making network architectures inflexible. Preprocessing malware images to one size introduces additional time to predict and makes the task of prediction more difficult. We explore a novel method for transforming executable bytecode into a video rather than an image for classification with deep, time-distributed neural networks, achieving up to 98.74% testing accuracy on 9 classes of malware, and up to 99.36% testing accuracy on a balanced set of malicious vs. benign files. The network could also classify all malware in our dataset for a false positive rate of 13%, and was also found successful in classifying only parts of an input, as well as initial success in a 0-day scenario. The network only uses the executable code and no additional information to make predictions. We then explore methods for pruning and quantizing the network so that it may be more feasible for widespread implementation, including a novel pruning method we call Node-Distance pruning. Our model is found to be competitive to current works while remaining fast, lean and flexible.

show abstract