Detection of Exceptional Malware Variants Using Deep Boosted Feature Spaces and Machine Learning
Abstract
1. Introduction
- (1) Two new CNN-based frameworks—DFS-MC and DBFS-MC—are proposed for effective malware family classification using the MalImg dataset. Deep features are extracted from the customized CNNs and individually provided to the SVM classifier in the proposed DFS-MC framework. Furthermore, transfer learning (TL) has been introduced in the customized CNN to reduce malware misclassification.
- (2) In the proposed DBFS-MC framework, deep boosted features are obtained by fusing the deep features of customized ResNet-18 and DenseNet-201 to detect exceptional malware classes. The framework incorporates residual learning and the concept of blocks in CNNs, exploiting diverse, discriminative and rich information to learn an effective feature representation of malware classes.
- (3) The DBFS-MC framework outperformed the customized CNN models by significantly improving the true prediction of the harder-to-classify malware variants (exceptional malware classes) Autorun.K, Swizzor.gen!I, Wintrim.BX and Yuner.A.
2. Related Work
- (1) Most of the reported works have been evaluated in terms of accuracy on the validation dataset. However, precision and recall are considered better performance metrics than accuracy for an imbalanced dataset. Moreover, these metrics need to be evaluated on the test dataset to establish the robustness of the detection model.
- (2) Previous techniques largely misclassified malware variants like Autorun.K, Swizzor.gen!I, Wintrim.BX, and Yuner.A that feature minor interclass differences.
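The point in item (1) can be made concrete with a small added example (not code or data from the paper): the label counts below are constructed, and `Majority.Family` is a placeholder name for a large, easily classified family. Overall accuracy looks strong while per-family recall exposes the missed minority variant.

```python
from collections import Counter

# Constructed (true, predicted) test-set pairs; not results from the paper.
SAMPLES = (
    [("Majority.Family", "Majority.Family")] * 940  # placeholder family name
    + [("Autorun.K", "Yuner.A")] * 18   # minority family mostly confused
    + [("Autorun.K", "Autorun.K")] * 2
    + [("Yuner.A", "Yuner.A")] * 38
    + [("Yuner.A", "Autorun.K")] * 2
)

def accuracy(pairs):
    """Fraction of samples whose predicted family equals the true family."""
    return sum(t == p for t, p in pairs) / len(pairs)

def per_class_metrics(pairs):
    """Return {family: (precision, recall, f1)} from (true, predicted) pairs."""
    tp, fp, fn = Counter(), Counter(), Counter()
    for true, pred in pairs:
        if true == pred:
            tp[true] += 1
        else:
            fn[true] += 1   # the true family lost a sample
            fp[pred] += 1   # the predicted family gained a wrong one
    metrics = {}
    for fam in sorted({t for t, _ in pairs} | {p for _, p in pairs}):
        predicted, actual = tp[fam] + fp[fam], tp[fam] + fn[fam]
        p = tp[fam] / predicted if predicted else 0.0
        r = tp[fam] / actual if actual else 0.0
        f1 = 2 * p * r / (p + r) if p + r else 0.0
        metrics[fam] = (p, r, f1)
    return metrics

def macro_average(metrics):
    """Unweighted mean of (precision, recall, f1) over families."""
    n = len(metrics)
    return tuple(sum(m[i] for m in metrics.values()) / n for i in range(3))

def weak_families(metrics, min_recall):
    """Families whose recall falls below the chosen floor."""
    return [fam for fam, (_, r, _) in metrics.items() if r < min_recall]

if __name__ == "__main__":
    m = per_class_metrics(SAMPLES)
    print(f"accuracy       = {accuracy(SAMPLES):.4f}")
    print("macro P/R/F1   = %.4f / %.4f / %.4f" % macro_average(m))
    for fam, (p, r, f1) in m.items():
        print(f"{fam:16s} P={p:.4f} R={r:.4f} F1={f1:.4f}")
    print("recall < 0.90  =", weak_families(m, 0.90))
```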
3. Methodology
3.1. Data Augmentation
3.2. Classification Schemes
3.2.1. Implementation of Customized CNN
Transfer Learning
3.2.2. The Proposed Deep Feature Space-Based Malware Classification (DFS-MC)
3.2.3. The Proposed DBFS-MC Framework
ResNet-18
DenseNet-201
4. Experimental Setup
4.1. Dataset
4.2. Implementation Details
4.3. Performance Evaluation Metrics
5. Results and Discussion
- DenseNet-201 and ResNet-18 > all other CNNs
- Deep Feature-Based SVM Classification > SoftMax Probabilistic-based Classification
- TL Based Model > Training from Scratch Models
5.1. Performance Analysis of Proposed Frameworks on Exceptional Malware Classes
5.2. Performance of the Proposed DBFS-MC Framework
5.3. Comparative Analysis with the Reported Work
6. Conclusions
Author Contributions
Funding
Institutional Review Board Statement
Informed Consent Statement
Data Availability Statement
Acknowledgments
Conflicts of Interest
References
- [1] AV-Test, “AV-TEST Report”. Available online: https://www.av-test.org/en/statistics/malware/ (accessed on 15 June 2021).
- [2] Sihwail, R.; Omar, K.; Ariffin, K.A.Z. A Survey on Malware Analysis Techniques: Static, Dynamic, Hybrid and Memory Analysis. Int. J. Adv. Sci. Eng. Inf. Technol. 2018, 8, 1662–1671.
- [3] Damodaran, A.; Di Troia, F.; Visaggio, C.A.; Austin, T.; Stamp, M. A comparison of static, dynamic, and hybrid analysis for malware detection. J. Comput. Virol. Hacking Tech. 2015, 13, 1–12.
- [4] Souri, A.; Hosseini, R. A state-of-the-art survey of malware detection approaches using data mining techniques. Human-Cent. Comput. Inf. Sci. 2018, 8, 3.
- [5] Preda, M.D. Code Obfuscation and Malware Detection by Abstract Interpretation. Available online: https://www.di.univr.it/documenti/AllegatiOA/allegatooa_03534.pdf (accessed on 10 November 2020).
- [6] You, I.; Yim, K. Malware Obfuscation Techniques: A Brief Survey. In Proceedings of the 2010 International Conference on Broadband, Wireless Computing, Communication and Applications, Fukuoka, Japan, 4–6 November 2010; pp. 297–300.
- [7] Bazrafshan, Z.; Hashemi, H.; Fard, S.M.H.; Hamzeh, A. A survey on heuristic malware detection techniques. In Proceedings of the 5th Conference on Information and Knowledge Technology, Shiraz, Iran, 28–30 May 2013; pp. 113–120.
- [8] Asad, M.; Asim, M.; Javed, T.; Beg, M.O.; Mujtaba, H.; Abbas, S. DeepDetect: Detection of Distributed Denial of Service Attacks Using Deep Learning. Comput. J. 2019, 63, 983–994.
- [9] Gandotra, E.; Bansal, D.; Sofat, S. Malware Analysis and Classification: A Survey. J. Inf. Secur. 2014, 5, 56–64.
- [10] Gibert, D.; Mateu, C.; Planes, J. The rise of machine learning for detection and classification of malware: Research developments, trends and challenges. J. Netw. Comput. Appl. 2020, 153, 102526.
- [11] Khan, A.; Sohail, A.; Zahoora, U.; Qureshi, A.S. A survey of the recent architectures of deep convolutional neural networks. Artif. Intell. Rev. 2020, 53, 5455–5516.
- [12] Ucci, D.; Aniello, L.; Baldoni, R. Survey of machine learning techniques for malware analysis. Comput. Secur. 2018, 81, 123–147.
- [13] Rafique, M.F.; Ali, M.; Qureshi, A.S.; Khan, A.; Kim, J.Y.; Mirza, A.M. Malware classification using deep learning based feature extraction and wrapper based feature selection technique. arXiv 2019, arXiv:1910.10958.
- [14] Nataraj, L.; Karthikeyan, S.; Jacob, G.; Manjunath, B.S. Malware images. ACM Int. Conf. Proc. Ser. 2011.
- [15] Makandar, A.; Patrot, A. Malware Image Analysis and Classification using Support Vector Machine. Int. J. Adv. Trends Comput. Sci. Eng. 2015, 4, 1–3.
- [16] Su, J.; Vasconcellos, V.D.; Prasad, S.; Daniele, S.; Feng, Y.; Sakurai, K. Lightweight Classification of IoT Malware Based on Image Recognition. In Proceedings of the 8th IEEE International Workshop on Network Technologies for Security, Administration, and Protection (NETSAP 2018), Tokyo, Japan, 23–27 July 2018.
- [17] Karbab, E.B.; Debbabi, M.; Derhab, A.; Mouheb, D. MalDozer: Automatic framework for android malware detection using deep learning. Digit. Investig. 2018, 24, S48–S59.
- [18] Chen, L.; Sultana, S.; Sahita, R. HeNet: A Deep Learning Approach on Intel® Processor Trace for Effective Exploit Detection. In Proceedings of the 2018 IEEE Security and Privacy Workshops (SPW), San Francisco, CA, USA, 24–24 May 2018.
- [19] Ni, S.; Qian, Q.; Zhang, R. Malware identification using visualization images and deep learning. Comput. Secur. 2018, 77, 871–885.
- [20] Kim, J.-Y.; Bu, S.-J.; Cho, S.-B. Zero-day malware detection using transferred generative adversarial networks based on deep autoencoders. Inf. Sci. 2018, 460–461, 83–102.
- [21] Le, Q.; Boydell, O.; Mac Namee, B.; Scanlon, M. Deep learning at the shallow end: Malware classification for non-domain experts. Digit. Investig. 2018, 26, S118–S126.
- [22] Shorten, C.; Khoshgoftaar, T.M. A survey on Image Data Augmentation for Deep Learning. J. Big Data 2019, 6, 60.
- [23] Wang, J.; Perez, L. The Effectiveness of Data Augmentation in Image Classification using Deep Learning. arXiv 2017, arXiv:1712.04621.
- [24] Simonyan, K.; Zisserman, A. Very Deep Convolutional Networks for Large-Scale Image Recognition. arXiv 2014, arXiv:1409.1556.
- [25] Szegedy, C.; Liu, W.; Jia, Y.; Sermanet, P.; Reed, S.; Anguelov, D.; Erhan, D.; Vanhoucke, V.; Rabinovich, A. Going deeper with convolutions. In Proceedings of the 2015 IEEE Conference on Computer Vision and Pattern Recognition (CVPR), Boston, MA, USA, 7–12 June 2015; IEEE: Piscataway, NJ, USA, 2015; pp. 1–9.
- [26] Szegedy, C.; Vanhoucke, V.; Ioffe, S.; Shlens, J.; Wojna, Z. Rethinking the Inception Architecture for Computer Vision. In Proceedings of the IEEE Computer Society Conference on Computer Vision and Pattern Recognition, San Francisco, CA, USA, 18–20 June 1996; pp. 2818–2826.
- [27] Khan, S.H.; Sohail, A.; Khan, A.; Lee, Y.S. Classification and Region Analysis of COVID-19 Infection Using Lung CT Images and Deep Convolutional Neural Networks. September 2020. Available online: http://arxiv.org/abs/2009.08864 (accessed on 20 June 2021).
- [28] Khan, S.H.; Sohail, A.; Khan, A. COVID-19 Detection in Chest X-ray Images using a New Channel Boosted CNN. 2020. Available online: http://arxiv.org/abs/2012.05073 (accessed on 20 July 2021).
- [29] Khan, S.H.; Sohail, A.; Khan, A.; Hassan, M.; Lee, Y.S.; Alam, J.; Basit, A.; Zubair, S. COVID-19 detection in chest X-ray images using deep boosted hybrid learning. Comput. Biol. Med. 2021, 137, 104816.
- [30] Faris, H.; Hassonah, M.A.; Al-Zoubi, A.M.; Mirjalili, S.; Aljarah, I. A multi-verse optimizer approach for feature selection and optimizing SVM parameters based on a robust system architecture. Neural Comput. Appl. 2017, 30, 2355–2369.
- [31] Khan, S.H.; Yousaf, M.H.; Murtaza, F.; Velastin, S. Passenger detection and counting for public transport system. NED Univ. J. Res. 2020, 2, 35–46.
- [32] He, K.; Zhang, X.; Ren, S.; Sun, J. Deep Residual Learning for Image Recognition. In Proceedings of the 2016 IEEE Conference on Computer Vision and Pattern Recognition (CVPR), Las Vegas, NV, USA, 27–30 June 2016; pp. 770–778.
- [33] Huang, G.; Liu, Z.; Van Der Maaten, L.; Weinberger, K.Q. Densely Connected Convolutional Networks. In Proceedings of the 30th IEEE Conference on Computer Vision and Pattern Recognition, CVPR 2017, Honolulu, HI, USA, 21–26 July 2017; pp. 2261–2269.
- [34] How Can the F1-Score Help with Dealing with Class Imbalance? Available online: https://sebastianraschka.com/faq/docs/computing-the-f1-score.html (accessed on 21 June 2021).
- [35] Cui, Z.; Xue, F.; Cai, X.; Cao, Y.; Wang, G.-G.; Chen, J. Detection of Malicious Code Variants Based on Deep Learning. IEEE Trans. Ind. Inform. 2018, 14, 3187–3196.
- [36] Naeem, H.; Naeem, M.R. Visual Malware Classification Using Local and Global Malicious Pattern. J. Comput. 2020, 30, 73–83.
- [37] Cui, Z.; Du, L.; Wang, P.; Cai, X.; Zhang, W. Malicious code detection based on CNNs and multi-objective algorithm. J. Parallel Distrib. Comput. 2019, 129, 50–58.
- [38] Rezende, E.; Ruppert, G.; Carvalho, T.; Theophilo, A.; Ramos, F.; de Geus, P. Malicious Software Classification Using VGG16 Deep Neural Network’s Bottleneck Features BT—Information Technology—New Generations. 2018, pp. 51–59. Available online: https://w3.lasca.ic.unicamp.br/media/publications/2018-ITNG-edmar.rezende-MaliciousClassifVGG16.DeepNeural.BottleneckFeatures.pdf (accessed on 30 October 2020).
- [39] Lad, S.S.; Adamuthe, A.C. Malware Classification with Improved Convolutional Neural Network Model. Int. J. Comput. Netw. Inf. Secur. 2020, 12, 30–43.

Augmentation | Parameters |
---|---|
Rotate | [0, 360] degrees |
Scale | [0.5, 1] |
Reflection-X | ±1 |
Reflection-Y | ±1 |
Shear | ±0.05 |

Models | Depth (Convolutional + Fully Connected Layers) |
---|---|
DenseNet-201 | 203 (201 + 2) |
ResNet-18 | 22 (20 + 2) |
GoogleNet | 59 (57 + 2) |
Inception-V3 | 96 (94 + 2) |
Xception | 75 (74 + 2) |
ResNet50 | 55 (53 + 2) |
AlexNet | 8 (5 + 3) |
VGG-16 | 16 (13 + 3) |
VGG-19 | 19 (16 + 3) |

Pre-Trained: Feature Layer | Pre-Trained: Feature Dim. | Trained from Scratch: Feature Layer | Trained from Scratch: Feature Dim. | Deep Boosted: Feature Layer | Deep Boosted: Feature Dim. |
---|---|---|---|---|---|
Last fc | 64 × 25 | Last fc | 64 × 25 | Last fc | 128 × 25 |

Hyperparameters | Values |
---|---|
Optimization Method | SGD |
Momentum Value | 0.95 |
Weight Decay | 0.0005 |
Learning Rate | 0.0001 |
Epochs | 10 |
Loss Function | cross-entropy |
Batch-size | 16 |

Metric | Symbol | Description |
---|---|---|
Accuracy | Acc | % of total number of correct detections |
Recall | R | Proportion of correctly identified classes and actual negative classes |
Precision | P | Ratio of correctly detected classes close to the actual class |
F1 Score | F1-Score | Harmonic mean of P and R. |

Model | Training from Scratch: Acc % | Training from Scratch: Recall | Training from Scratch: Precision | Training from Scratch: F1-Score | Transfer Learning Based: Acc % | Transfer Learning Based: Recall | Transfer Learning Based: Precision | Transfer Learning Based: F1-Score |
---|---|---|---|---|---|---|---|---|
DenseNet-201 | 96.57 | 0.9054 | 0.9080 | 0.9067 | 98.13 | 0.9411 | 0.9373 | 0.9392 |
ResNet-18 | 96.41 | 0.9203 | 0.9176 | 0.9189 | 98.13 | 0.9416 | 0.9374 | 0.9395 |
GoogleNet | 87.20 | 0.8505 | 0.8772 | 0.8637 | 97.11 | 0.9178 | 0.9199 | 0.9189 |
Inception-V3 | 95.72 | 0.8941 | 0.9025 | 0.8983 | 96.36 | 0.8905 | 0.8905 | 0.8905 |
Xception | 94.48 | 0.9148 | 0.9153 | 0.9150 | 96.01 | 0.8809 | 0.9025 | 0.8916 |
ResNet-50 | 94.86 | 0.8580 | 0.8934 | 0.8753 | 96.71 | 0.8984 | 0.8840 | 0.8911 |
AlexNet | 88.38 | 0.8169 | 0.8643 | 0.8399 | 97.91 | 0.9329 | 0.9299 | 0.9314 |
VGG-16 | 93.41 | 0.8525 | 0.8891 | 0.8705 | 97.13 | 0.9192 | 0.9268 | 0.9230 |
VGG-19 | 94.97 | 0.8629 | 0.8939 | 0.8782 | 97.46 | 0.9259 | 0.9224 | 0.9241 |

Model | Training from Scratch: Acc % | Training from Scratch: Recall | Training from Scratch: Precision | Training from Scratch: F1-Score | Transfer Learning Based: Acc % | Transfer Learning Based: Recall | Transfer Learning Based: Precision | Transfer Learning Based: F1-Score |
---|---|---|---|---|---|---|---|---|
DenseNet | 97.70 | 0.9286 | 0.9286 | 0.9286 | 98.39 | 0.9483 | 0.9452 | 0.9468 |
ResNet18 | 98.07 | 0.9387 | 0.9368 | 0.9377 | 98.37 | 0.9463 | 0.9427 | 0.9445 |
GoogleNet | 97.54 | 0.9284 | 0.9232 | 0.9258 | 97.60 | 0.9270 | 0.9250 | 0.9259 |
Inception | 97.54 | 0.9262 | 0.9268 | 0.9265 | 96.95 | 0.8965 | 0.9860 | 0.9391 |
Xception | 97.21 | 0.9170 | 0.9141 | 0.9156 | 98.31 | 0.9421 | 0.9467 | 0.9444 |
ResNet50 | 97.59 | 0.9289 | 0.9258 | 0.9273 | 97.72 | 0.9301 | 0.9284 | 0.9292 |
AlexNet | 97.59 | 0.9279 | 0.9286 | 0.9282 | 98.15 | 0.9417 | 0.9378 | 0.9397 |
VGG16 | 97.43 | 0.9246 | 0.9221 | 0.9234 | 97.91 | 0.9355 | 0.9304 | 0.9329 |
VGG19 | 97.64 | 0.9281 | 0.9284 | 0.9283 | 98.23 | 0.9436 | 0.9420 | 0.9428 |

Model | Accuracy % | Recall | Precision | F1-Score |
---|---|---|---|---|
Proposed DBFS-MC | 98.61 | 0.9632 | 0.9627 | 0.9630 |

Technique | %Accuracy | F-Score | Precision | Recall |
---|---|---|---|---|
Nataraj et al. [14] | 98.08 | - | - | - |
Cui et al. [35] | 94.50 | - | 0.9460 | 0.9450 |
LGMP-2018 (encoder based) [36] | 90.23 | - | - | - |
LGMP-2018 (cluster based) [36] | 89.58 | - | - | - |
NSGA-II [37] | 97.60 | - | - | 0.8840 |
VGG, end-to-end [38] | 90.77 | - | - | - |
VGG, SVM [38] | 92.29 | - | - | - |
S. Lad et al. (CNN + SVM) [39] | 98.03 | - | - | - |
Proposed DBFS-MC | 98.61 | 0.9632 | 0.9627 | 0.9630 |

© 2021 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (https://creativecommons.org/licenses/by/4.0/).
Asam, M.; Hussain, S.J.; Mohatram, M.; Khan, S.H.; Jamal, T.; Zafar, A.; Khan, A.; Ali, M.U.; Zahoora, U. Detection of Exceptional Malware Variants Using Deep Boosted Feature Spaces and Machine Learning. Appl. Sci. 2021, 11, 10464. https://doi.org/10.3390/app112110464