An Advanced Ensemble Framework for defending against obfuscated Windows, Android, and IoT malware

Abstract

The detection and analysis of malware binaries pose significant challenges due to their obfuscated and packed nature, rendering traditional static analysis techniques ineffective. Extracting static features in a dynamic environment where malware exhibits its actual behavior becomes crucial to detecting malware accurately. This article addresses this challenge by analyzing static features extracted from real-time Windows, Android, and IoT applications within a dynamic environment. To tackle this problem, we propose an Advanced Ensemble Framework (AEF) that combines embedded feature selection and an advanced stacking ensemble technique. The embedded feature selection approach effectively reduces the number of highly correlated features by over 70%, employing a combination of filter and wrapper methods. Furthermore, the advanced stacking ensemble approach combines two-level learners: a base learner with state-of-the-art classifiers adept at handling raw features and meta-learner trains using transfer features and probabilities obtained from the previous base classifiers. A 5-fold cross-training scheme based on cross-validation is introduced to prevent overfitting during the training. It also helps to reduce overfitting by training the model on multiple subsets of the data. The model learns patterns from different parts of the dataset, which can lead to a more generalized model. Pre-processed datasets from the Canadian Institute of Cybersecurity comprising obfuscated Windows malware, Android malware, and IoT malicious attacks are used to evaluate AEF. Additionally, to further assess the efficiency, compatibility, and robustness of AEF, we utilized an additional dataset of obfuscated Windows malware that includes memory dump images. Extensive experiments are conducted to evaluate the proposed defender using publicly available real-time datasets. The results show that AEF effectively counters obfuscation techniques, offering a flexible, practical, and efficient solution for malware detection across various datasets. Furthermore, the prediction time of the proposed approach is $0.042\mathrm{ms}$ for CICMalDroid-2020, $0.16\mathrm{ms}$ for IoMT-2024, $0.055\mathrm{ms}$ for CIC-MalMemory-2022, and $0.15\mathrm{ms}$ for Dumpaware10 malware datasets.