Interpretable Detection of Malicious Behavior in Windows Portable Executables Using Multi-Head 2D Transformers

IF 4.4 2区化学 Q2 MATERIALS SCIENCE, MULTIDISCIPLINARY

ACS Applied Polymer Materials Pub Date : 2024-06-01 DOI:10.26599/bdma.2023.9020025

Sohail Khan, Mohammad Nauman

{"title":"Interpretable Detection of Malicious Behavior in Windows Portable Executables Using Multi-Head 2D Transformers","authors":"Sohail Khan, Mohammad Nauman","doi":"10.26599/bdma.2023.9020025","DOIUrl":null,"url":null,"abstract":": Windows malware is becoming an increasingly pressing problem as the amount of malware continues to grow and more sensitive information is stored on systems. One of the major challenges in tackling this problem is the complexity of malware analysis, which requires expertise from human analysts. Recent developments in machine learning have led to the creation of deep models for malware detection. However, these models often lack transparency, making it difﬁcult to understand the reasoning behind the model’s decisions, otherwise known as the black-box problem. To address these limitations, this paper presents a novel model for malware detection, utilizing vision transformers to analyze the opcode sequences of more than 350,000 Windows portable executable malware samples from real-world datasets. The model achieved a high accuracy of 0.9864, not only surpassing previous results but also providing valuable insights into the reasoning behind the classiﬁcation. Our model is able to pinpoint speciﬁc instructions that lead to malicious behavior in malware samples, aiding human experts in their analysis and driving further advancements in the ﬁeld. We report our ﬁndings and show how causality can be established between malicious code and actual classiﬁcation by a deep learning model thus opening up this black-box problem for deeper analysis.","PeriodicalId":7,"journal":{"name":"ACS Applied Polymer Materials","volume":null,"pages":null},"PeriodicalIF":4.4000,"publicationDate":"2024-06-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"ACS Applied Polymer Materials","FirstCategoryId":"1093","ListUrlMain":"https://doi.org/10.26599/bdma.2023.9020025","RegionNum":2,"RegionCategory":"化学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q2","JCRName":"MATERIALS SCIENCE, MULTIDISCIPLINARY","Score":null,"Total":0}

引用次数: 0

Abstract

: Windows malware is becoming an increasingly pressing problem as the amount of malware continues to grow and more sensitive information is stored on systems. One of the major challenges in tackling this problem is the complexity of malware analysis, which requires expertise from human analysts. Recent developments in machine learning have led to the creation of deep models for malware detection. However, these models often lack transparency, making it difﬁcult to understand the reasoning behind the model’s decisions, otherwise known as the black-box problem. To address these limitations, this paper presents a novel model for malware detection, utilizing vision transformers to analyze the opcode sequences of more than 350,000 Windows portable executable malware samples from real-world datasets. The model achieved a high accuracy of 0.9864, not only surpassing previous results but also providing valuable insights into the reasoning behind the classiﬁcation. Our model is able to pinpoint speciﬁc instructions that lead to malicious behavior in malware samples, aiding human experts in their analysis and driving further advancements in the ﬁeld. We report our ﬁndings and show how causality can be established between malicious code and actual classiﬁcation by a deep learning model thus opening up this black-box problem for deeper analysis.

查看原文本刊更多论文

利用多头二维变换器可解释地检测 Windows 可移植可执行文件中的恶意行为

:随着恶意软件数量的不断增加以及系统中存储的敏感信息越来越多，Windows 恶意软件正成为一个日益紧迫的问题。解决这一问题的主要挑战之一是恶意软件分析的复杂性，这需要人类分析师的专业知识。机器学习的最新发展促使人们创建了用于恶意软件检测的深度模型。然而，这些模型往往缺乏透明度，因此很难理解模型决策背后的推理，也就是所谓的黑箱问题。为了解决这些局限性，本文提出了一种新型恶意软件检测模型，利用视觉转换器分析了来自真实世界数据集的 350,000 多个 Windows 可移植可执行恶意软件样本的操作码序列。该模型的准确率高达 0.9864，不仅超越了之前的结果，还为分类背后的推理提供了宝贵的见解。我们的模型能够精确定位导致恶意软件样本中恶意行为的特定指令，从而帮助人类专家进行分析，并推动该领域的进一步发展。我们报告了我们的发现，并展示了如何通过深度学习模型在恶意代码和实际分类之间建立因果关系，从而为更深入的分析打开这个黑箱问题。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

ACS Applied Polymer Materials Multiple-

CiteScore

7.20

自引率

6.00%

发文量

810

期刊介绍： ACS Applied Polymer Materials is an interdisciplinary journal publishing original research covering all aspects of engineering, chemistry, physics, and biology relevant to applications of polymers. The journal is devoted to reports of new and original experimental and theoretical research of an applied nature that integrates fundamental knowledge in the areas of materials, engineering, physics, bioscience, polymer science and chemistry into important polymer applications. The journal is specifically interested in work that addresses relationships among structure, processing, morphology, chemistry, properties, and function as well as work that provide insights into mechanisms critical to the performance of the polymer for applications.