TY - GEN
T1 - Fast and Efficient Malware Detection with Joint Static and Dynamic Features Through Transfer Learning
AU - Ngo, Mao V.
AU - Truong-Huu, Tram
AU - Rabadi, Dima
AU - Loo, Jia Yi
AU - Teo, Sin G.
N1 - Publisher Copyright:
© 2023, The Author(s), under exclusive license to Springer Nature Switzerland AG.
PY - 2023
Y1 - 2023
N2 - In malware detection, dynamic analysis extracts the runtime behavior of malware samples in a controlled environment and static analysis extracts features using reverse engineering tools. While the former faces the challenges of anti-virtualization and evasive behavior of malware samples, the latter faces the challenges of code obfuscation. To tackle these drawbacks, prior works proposed to develop detection models by aggregating dynamic and static features, thus leveraging the advantages of both approaches. However, simply concatenating dynamic and static features raises an issue of imbalanced contribution due to the heterogeneous dimensions of feature vectors to the performance of malware detection models. Yet, dynamic analysis is a time-consuming task and requires a secure environment, leading to detection delays and high costs for maintaining the analysis infrastructure. In this paper, we first introduce a method of constructing aggregated features via concatenating latent features learned through deep learning with equally-contributed dimensions. We then develop a knowledge distillation technique to transfer knowledge learned from aggregated features by a teacher model to a student model trained only on static features and use the trained student model for the detection of new malware samples. We carry out extensive experiments with a dataset of 86709 samples including both benign and malware samples. The experimental results show that the teacher model trained on aggregated features constructed by our method outperforms the state-of-the-art models with an improvement of up to 2.38 % in detection accuracy. The distilled student model not only achieves high performance (97.81 % in terms of accuracy) as that of the teacher model but also significantly reduces the detection time (from 70046.6 ms to 194.9 ms) without requiring dynamic analysis.
AB - In malware detection, dynamic analysis extracts the runtime behavior of malware samples in a controlled environment and static analysis extracts features using reverse engineering tools. While the former faces the challenges of anti-virtualization and evasive behavior of malware samples, the latter faces the challenges of code obfuscation. To tackle these drawbacks, prior works proposed to develop detection models by aggregating dynamic and static features, thus leveraging the advantages of both approaches. However, simply concatenating dynamic and static features raises an issue of imbalanced contribution due to the heterogeneous dimensions of feature vectors to the performance of malware detection models. Yet, dynamic analysis is a time-consuming task and requires a secure environment, leading to detection delays and high costs for maintaining the analysis infrastructure. In this paper, we first introduce a method of constructing aggregated features via concatenating latent features learned through deep learning with equally-contributed dimensions. We then develop a knowledge distillation technique to transfer knowledge learned from aggregated features by a teacher model to a student model trained only on static features and use the trained student model for the detection of new malware samples. We carry out extensive experiments with a dataset of 86709 samples including both benign and malware samples. The experimental results show that the teacher model trained on aggregated features constructed by our method outperforms the state-of-the-art models with an improvement of up to 2.38 % in detection accuracy. The distilled student model not only achieves high performance (97.81 % in terms of accuracy) as that of the teacher model but also significantly reduces the detection time (from 70046.6 ms to 194.9 ms) without requiring dynamic analysis.
UR - http://www.scopus.com/inward/record.url?scp=85163307084&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85163307084&partnerID=8YFLogxK
U2 - 10.1007/978-3-031-33488-7_19
DO - 10.1007/978-3-031-33488-7_19
M3 - Conference contribution
AN - SCOPUS:85163307084
SN - 9783031334870
T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
SP - 503
EP - 531
BT - Applied Cryptography and Network Security - 21st International Conference, ACNS 2023, Proceedings
A2 - Tibouchi, Mehdi
A2 - Wang, XiaoFeng
PB - Springer Science and Business Media Deutschland GmbH
T2 - 21st International Conference on Applied Cryptography and Network Security, ACNS 2023
Y2 - 19 June 2023 through 22 June 2023
ER -