Malware Family Characterization with Recurrent Neural Network and GHSOM Using System Calls

2018 IEEE International Conference on Cloud Computing Technology and Science (CloudCom) Pub Date : 2018-12-01 DOI:10.1109/CloudCom2018.2018.00051

Shun-Wen Hsiao, Fang Yu

{"title":"Malware Family Characterization with Recurrent Neural Network and GHSOM Using System Calls","authors":"Shun-Wen Hsiao, Fang Yu","doi":"10.1109/CloudCom2018.2018.00051","DOIUrl":null,"url":null,"abstract":"Nowadays, a massive amount of sensitive data which are accessible and connected through personal computers and cloud services attract hackers to develop malicious software (malware) to steal them. Owing to the success of deep learning on image and language recognition, researchers direct security systems to analyze and identify malware with deep learning approaches. This paper addresses the problem of analyzing and identifying complex and unstructured malware behaviors by proposing a framework of combining unsupervised and supervised learning algorithms with a novel sequence-aware encoding method. Particularly, a hybrid GHSOM (the Growing Hierarchical Self-Organizing Map) algorithm is proposed to cluster and encode similar malware behavior sequences from system call sequences to clustering feature vectors. Then, a Recurrent Neural Network (RNN) is trained to detect malware and predict their corresponding malware families based on the sequence of the behavior vectors. Our experiments show that the accuracy rate can be up to 0.98 in malware detection and 0.719 in malware classification of an 18-category malware dataset.","PeriodicalId":365939,"journal":{"name":"2018 IEEE International Conference on Cloud Computing Technology and Science (CloudCom)","volume":"46 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2018-12-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"5","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"2018 IEEE International Conference on Cloud Computing Technology and Science (CloudCom)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/CloudCom2018.2018.00051","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 5

Abstract

Nowadays, a massive amount of sensitive data which are accessible and connected through personal computers and cloud services attract hackers to develop malicious software (malware) to steal them. Owing to the success of deep learning on image and language recognition, researchers direct security systems to analyze and identify malware with deep learning approaches. This paper addresses the problem of analyzing and identifying complex and unstructured malware behaviors by proposing a framework of combining unsupervised and supervised learning algorithms with a novel sequence-aware encoding method. Particularly, a hybrid GHSOM (the Growing Hierarchical Self-Organizing Map) algorithm is proposed to cluster and encode similar malware behavior sequences from system call sequences to clustering feature vectors. Then, a Recurrent Neural Network (RNN) is trained to detect malware and predict their corresponding malware families based on the sequence of the behavior vectors. Our experiments show that the accuracy rate can be up to 0.98 in malware detection and 0.719 in malware classification of an 18-category malware dataset.

查看原文本刊更多论文

使用系统调用的递归神经网络和GHSOM的恶意软件家族表征

如今，大量的敏感数据可以通过个人电脑和云服务访问和连接，吸引了黑客开发恶意软件(malware)来窃取这些数据。由于深度学习在图像和语言识别方面的成功，研究人员指导安全系统使用深度学习方法来分析和识别恶意软件。本文通过提出一种将无监督和有监督学习算法与一种新的序列感知编码方法相结合的框架，解决了分析和识别复杂和非结构化恶意软件行为的问题。特别地，提出了一种混合GHSOM(增长层次自组织映射)算法，将类似的恶意软件行为序列从系统调用序列聚类和编码为聚类特征向量。然后，训练递归神经网络(RNN)检测恶意软件，并根据行为向量的序列预测相应的恶意软件家族。我们的实验表明，在18类恶意软件数据集上，恶意软件检测的准确率高达0.98，恶意软件分类的准确率高达0.719。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

2018 IEEE International Conference on Cloud Computing Technology and Science (CloudCom)

自引率

0.00%

发文量