Fast Classification of Obfuscated Malware with an Artificial Neural Network

This is a Bachelor's thesis from KTH/Datavetenskap

Authors: Johan Luhr; Hannes Hallqvist; [2022]


Abstract: Malware has posed a problem ever since the first variant was created in the 1980s. As malware detection techniques have advanced, malware developers have in turn found better ways to hide and obfuscate malware. Machine learning (ML) has expanded into many fields in recent years, including cybersecurity, and using ML techniques to identify malware is common today. The benefits include the possibility of identifying malware even when it is obfuscated or previously unknown. Several studies have shown detection rates in the 99% range. However, detection speed is also a priority, as anti-malware systems must be able to identify threats quickly. In this paper, the accuracy and runtimes of two ML methods are compared: a Multi-Layer Perceptron (MLP), which is a deep learner, and an Ensemble Learner composed of traditional ML methods. The data evaluated is a recently published data set of features extracted from volatile memory in systems infected by malware utilizing obfuscation techniques. The findings show that in binary malware classification the MLP can reduce classification times by 94.3% compared to the ensemble learner with only a 0.02 percentage point penalty to accuracy. In multiclass classification, the classification times can be reduced by 99.8% with an accuracy penalty of 3.2 percentage points. Given these significant reductions in classification time, the results suggest that the MLP is a good choice for this task in a real-world scenario.
