Deep learning fusion for effective malware detection: leveraging visual features
Conti M.
In press
Abstract
Malware has become a formidable threat as it has grown exponentially in number and sophistication. Thus, it is imperative to have a solution that is easy to implement, reliable, and effective. While recent research has introduced deep learning multi-feature fusion algorithms, they lack a proper explanation. In this work, we investigate the power of fusing Convolutional Neural Network models trained on the different modalities of malware executables. We propose a novel multimodal fusion algorithm leveraging three different visual malware features: Grayscale Image, Entropy Graph, and SimHash Image. With these we conducted exhaustive experiments, independently on each feature and on combinations of all three, using fusion operators such as average, maximum, add, and concatenate for effective malware detection and classification. The proposed strategy has a detection rate of 1.00 (on a scale of 0-1) in identifying malware in the given dataset. We explain its interpretability with visualization techniques such as t-SNE, SHAP, and Grad-CAM. Experimental results show the model works even for a highly imbalanced dataset. We also assessed the effectiveness of the proposed method on obfuscated malware and achieved state-of-the-art results. Additionally, we performed adversarial attacks on the proposed model using Generative Adversarial Networks (GANs) and employed adversarial retraining as a defense strategy. This strategy enhances model robustness, allowing it to withstand GAN-based attacks with an F1-score of 0.998 for the BIG2015 dataset and 1.0 for the Malhub dataset. The proposed methodology is more reliable, as our findings show that the VGG16 model can detect and classify malware in real time.
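To make the three visual features and the four fusion operators named in the abstract concrete, the following is an added illustration in Python; it is not the paper's code. It derives a grayscale pixel grid, a sliding-window byte-entropy series, and a SimHash bit vector from a constructed byte sequence, and then combines per-branch outputs with the average, maximum, add and concatenate operators. The image width, entropy window size, the byte-bigram SimHash construction and the sample bytes are assumptions chosen here for illustration, not values taken from the paper.

```python
"""Added illustration (not the paper's code): the three visual malware
features named in the abstract, computed from a constructed byte string,
plus the fusion operators applied to per-branch outputs.

Assumptions (not from the abstract): image width 16, entropy window 64,
SimHash over byte bigrams with 64 bits, and the SAMPLE bytes below.
"""
import hashlib
import math
from typing import List, Sequence


def grayscale_rows(data: bytes, width: int = 16) -> List[List[int]]:
    """Reshape raw bytes into rows of `width` pixels; each byte is one
    gray level (0-255). The tail is zero-padded to a full row."""
    padded = data + b"\x00" * (-len(data) % width)
    return [list(padded[i:i + width]) for i in range(0, len(padded), width)]


def shannon_entropy(chunk: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for uniform runs, up to 8.0)."""
    if not chunk:
        return 0.0
    counts = {}
    for b in chunk:
        counts[b] = counts.get(b, 0) + 1
    n = len(chunk)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def entropy_graph(data: bytes, window: int = 64) -> List[float]:
    """Entropy of each consecutive window; plotted over position this is
    the 'entropy graph'. Packed or encrypted regions show up as plateaus
    near 8 bits, headers and padding as dips near 0."""
    return [shannon_entropy(data[i:i + window]) for i in range(0, len(data), window)]


def simhash_bits(data: bytes, ngram: int = 2, bits: int = 64) -> List[int]:
    """Classic SimHash over byte n-grams: hash each n-gram, add +1/-1 per
    bit position, threshold the sums at zero. Similar inputs give bit
    vectors with a small Hamming distance; the bits can be laid out as an
    image for a CNN branch."""
    acc = [0] * bits
    for i in range(max(0, len(data) - ngram + 1)):
        digest = hashlib.sha256(data[i:i + ngram]).digest()[:bits // 8]
        h = int.from_bytes(digest, "big")
        for k in range(bits):
            acc[k] += 1 if (h >> k) & 1 else -1
    return [1 if a > 0 else 0 for a in acc]


def hamming(a: Sequence[int], b: Sequence[int]) -> int:
    """Number of differing bit positions between two equal-length bit vectors."""
    return sum(x != y for x, y in zip(a, b))


def fuse(vectors: Sequence[Sequence[float]], op: str) -> List[float]:
    """Fusion operators listed in the abstract, applied to the output
    vectors of the per-feature branches (e.g. class-score vectors)."""
    if op == "concatenate":
        return [x for v in vectors for x in v]
    cols = list(zip(*vectors))
    if op == "average":
        return [sum(c) / len(c) for c in cols]
    if op == "maximum":
        return [max(c) for c in cols]
    if op == "add":
        return [sum(c) for c in cols]
    raise ValueError(f"unknown fusion operator: {op}")


# Constructed sample (not a real binary): a low-entropy header-like prefix
# followed by high-entropy bytes resembling a packed or compressed section.
SAMPLE = b"MZ" + b"\x00" * 62 + bytes(range(256)) * 2

if __name__ == "__main__":
    rows = grayscale_rows(SAMPLE)
    print("grayscale grid:", len(rows), "rows x", len(rows[0]), "cols")
    print("entropy graph:", [round(e, 2) for e in entropy_graph(SAMPLE)])
    print("simhash bits:", "".join(map(str, simhash_bits(SAMPLE))))
    branch_scores = [[0.2, 0.8], [0.6, 0.4], [0.1, 0.9]]  # constructed per-branch outputs
    for op in ("average", "maximum", "add", "concatenate"):
        print(op, fuse(branch_scores, op))
```

The entropy series is where the constructed sample is most instructive: the first window (header plus zero padding) scores well under 1 bit, while every later window of 64 distinct bytes scores exactly 6 bits, which is the kind of plateau-versus-dip contrast an entropy-graph branch learns from.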
Documents in IRIS are protected by copyright and all rights are reserved, unless otherwise indicated.