Image-based malware classification using section distribution information

Xiao, Mao; Guo, Chun; Shen, Guowei; Cui, Yunhe; Chao-hui, Jiang

doi:10.1016/j.cose.2021.102420

Cited by 33 publications

(28 citation statements)

References 15 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…100 MB correspond to a sequence of 100,000,000 bytes. To deal with these sequences of extreme length, various approaches [14,10,11,13,12,21,22,23,24] proposed to compress the information in the malware's binary content. For instance, Gibert et al [10] presented an approach to classify malware represented as a stream of entropy values.…”

Section: Related Workmentioning

confidence: 99%

“…In their work, the binary content is divided into chunks of code of fixed size and afterwards, the information at each chunk is compressed by calculating its entropy value. On the other hand, executables could be represented as grayscale images [11,12,23,24]. To represent a malware sample as a grayscale image, every byte has to be interpreted as one pixel in an image, where values are in the [0,255] (0:black, 255:white).…”

Section: Related Workmentioning

confidence: 99%

“…For this reason, the results presented in Table 10 are those published in their original publications, without modifications. [44] Grayscale images 0.9900 --Vinayakumar et al [45] Grayscale images 0.9630 --Lo et al [46] Grayscale images --0.0361 Qiao et al [47] Grayscale images 0.9876 --Sudhakar and Kumar [24] Grayscale images 0.9853 --Xiao et al [23] Grayscale images 0.9894 --Çayır et al [48]** Grayscale images 0.9926 --Lin and Yeh [49] Grayscale images 0.9632 --Yuan et al [50] Markov images 0.9926 0.0518 -Kim et al [51] RGB images 0.9574 --Jiang et al [21] RGB images 0.9973 -0.0220 Zhang et al [52] RGB images 0.9934 --Gibert et al [10] Structural entropy 0.9828 -0.1244 Xiao et al [53] Structural entropy 0.9972 -0.0314 Yan et al [54] Control flow graph 0.9925 0.0543 -Hu et al [55] Opcode 4-grams 0.9930 -0.0546 Gibert et al [8] Opcode sequence 0.9917 -0.0244 Gibert et al [56] Opcode sequence 0.9913 -0.0419 McLaughlin et al [57] Opcode sequence 0.9903 -0.0515 Yousefi-Azar et al [14] Byte sequence 0.9309 --Drew et al [58] Byte sequence 0.9741 -0.0479 Raff et al [19] Byte sequence 0.9641 -0.3071 Krčál et al [20] Byte sequence 0.9756 -0.1602 Kim and Cho [59] Byte sequence 0.9747 --Le et al [60] Compressed byte sequence 0.9820 -0.0774 Gibert et al [13] Compressed byte sequence 0.9861 -0.1063 Messay-Kebede et al [61] Opcode statistics and byte sequence 0.9907 --Gibert et al [62] Opcode and byte sequences 0.9924 --Gibert et al [63] API calls, Opcode and byte sequences 0.9975 --Gao et al [ As it can be observed, our multimodal approach achieves the highest accuracy and lowest logarithmic loss in the training set using K-fold cross validation, and the lowest logarithmic loss in the test set, outperforming any machine learning approach presented in the literature so far. This has been possibl...…”

Section: Comparison With the State-of-the-artmentioning

confidence: 99%

See 2 more Smart Citations

Fusing Feature Engineering and Deep Learning: A Case Study for Malware Classification

Gibert¹,

Mateu²,

Planes³

et al. 2022

Preprint

View full text Add to dashboard Cite

Machine learning has become an appealing signature-less approach to detect and classify malware because of its ability to generalize to never-before-seen samples and to handle large volumes of data. While traditional feature-based approaches rely on the manual design of hand-crafted features based on experts' knowledge of the domain, deep learning approaches replace the manual feature engineering process by an underlying system, typically consisting of a neural network with multiple layers, that perform both feature learning and classification altogether. However, the combination of both approaches could substantially enhance detection systems. In this paper we present an hybrid approach to address the task of malware classification by fusing multiple types of features defined by experts and features learned through deep learning from raw data. In particular, our approach relies on deep learning to extract N-gram like features from the assembly language instructions and the bytes of malware, and texture patterns and shapelet-based features from malware's grayscale image representation and structural entropy, respectively. These deep features are later passed as input to a gradient boosting model that combines the deep features and the hand-crafted features using an early-fusion mechanism. The suitability of our approach has been evaluated on the Microsoft Malware Classification Challenge benchmark and results show that the proposed solution achieves state-of-the-art performance and outperforms gradient boosting and deep learning methods in the literature.

show abstract

Section: Related Workmentioning

confidence: 99%

Section: Related Workmentioning

confidence: 99%

Section: Comparison With the State-of-the-artmentioning

confidence: 99%

See 1 more Smart Citation

Fusing Feature Engineering and Deep Learning: A Case Study for Malware Classification

Gibert¹,

Mateu²,

Planes³

et al. 2022

Preprint

View full text Add to dashboard Cite

show abstract

“…Grayscale images are straightforward to generate from executable files-we simply interpret the bytes as pixels in an image. This is the most popular approach in the research literature for generating malware images; see, for example [24,33,52]. Only the byte sequence of the executable file is needed, and the processing is fast, even if resizing is employed.…”

Section: Grayscale Imagesmentioning

confidence: 99%

Generative Adversarial Networks and Image-Based Malware Classification

Nguyen¹,

Troia²,

Ishigaki³

et al. 2022

Preprint

View full text Add to dashboard Cite

For efficient malware removal, determination of malware threat levels, and damage estimation, malware family classification plays a critical role. In this paper, we extract features from malware executable files and represent them as images using various approaches. We then focus on Generative Adversarial Networks (GAN) for multiclass classification and compare our GAN results to other popular machine learning techniques, including Support Vector Machine (SVM), XGBoost, and Restricted Boltzmann Machines (RBM). We find that the AC-GAN discriminator is generally competitive with other machine learning techniques. We also evaluate the utility of the GAN generative model for adversarial attacks on image-based malware detection. While AC-GAN generated images are visually impressive, we find that they are easily distinguished from real malware images using any of several learning techniques. This result indicates that our GAN generated images would be of little value in adversarial attacks.

show abstract

“…On one hand, some subjectively setting machine codes are not discarded in original malware gray image, which destroys the similarity between the same family. On the other hand, due to the file alignment mechanism or other reasons, the section distribution boundary of gray image is not consistent with the actual section distribution boundary [6]. Gray image only has binary original data, it is difficult to identify the section distribution information, and the section distribution information is an important part of malware.…”

Section: Introductionmentioning

confidence: 99%

PH-CNN for PE Malware Detection Using Enhanced Image

2022

Preprint

View full text Add to dashboard Cite

In the current malware family classification, gray images converted frombinary PE files are subject to code shelling, obfuscation, and other variant techniques, which undermine the similarity of malware images between same family. To solve this problem and improve detection efficiency, a method by enhancing the gray image and using PH-CNN as the detection model is proposed. First, the original image is enhanced by discarding the subjectively set machine code (DSMD) and adding section distribution information (ASDI), and then the enhanced imageis detected by PH-CNN model. Among them, the PH-CNN model consists of Perceptual Hashing detection module and CNN detection module. Malware images are first detected by Perceptual Hashing module to quickly divide the samples of specific malware families and uncertain malware families, and then, the samples of uncertain malware families are detected by the CNN detection module. The experimental results on Microsoft Malware Classification Challenge dataset show that compared with the original gray image, the detection accuracy using enhanced image is higher, reaching 98.68%. Meanwhile, compared with using only CNN module, the proposed detection model has higher detection efficiency and the detection speed is improved by 79%.

show abstract

Image-based malware classification using section distribution information

Cited by 33 publications

References 15 publications

Fusing Feature Engineering and Deep Learning: A Case Study for Malware Classification

Fusing Feature Engineering and Deep Learning: A Case Study for Malware Classification

Generative Adversarial Networks and Image-Based Malware Classification

PH-CNN for PE Malware Detection Using Enhanced Image

Contact Info

Product

Resources

About