Fast and Efficient Malware Detection with Joint Static and Dynamic Features Through Transfer Learning

Mao V. Ngo, Tram Truong-Huu, Dima Rabadi, Jia Yi Loo, Sin G. Teo

Research output: Chapter in Book/Report/Conference proceedingConference contribution

3 Scopus citations

Abstract

In malware detection, dynamic analysis extracts the runtime behavior of malware samples in a controlled environment and static analysis extracts features using reverse engineering tools. While the former faces the challenges of anti-virtualization and evasive behavior of malware samples, the latter faces the challenges of code obfuscation. To tackle these drawbacks, prior works proposed to develop detection models by aggregating dynamic and static features, thus leveraging the advantages of both approaches. However, simply concatenating dynamic and static features raises an issue of imbalanced contribution due to the heterogeneous dimensions of feature vectors to the performance of malware detection models. Yet, dynamic analysis is a time-consuming task and requires a secure environment, leading to detection delays and high costs for maintaining the analysis infrastructure. In this paper, we first introduce a method of constructing aggregated features via concatenating latent features learned through deep learning with equally-contributed dimensions. We then develop a knowledge distillation technique to transfer knowledge learned from aggregated features by a teacher model to a student model trained only on static features and use the trained student model for the detection of new malware samples. We carry out extensive experiments with a dataset of 86709 samples including both benign and malware samples. The experimental results show that the teacher model trained on aggregated features constructed by our method outperforms the state-of-the-art models with an improvement of up to 2.38 % in detection accuracy. The distilled student model not only achieves high performance (97.81 % in terms of accuracy) as that of the teacher model but also significantly reduces the detection time (from 70046.6 ms to 194.9 ms) without requiring dynamic analysis.

Original languageEnglish (US)
Title of host publicationApplied Cryptography and Network Security - 21st International Conference, ACNS 2023, Proceedings
EditorsMehdi Tibouchi, XiaoFeng Wang
PublisherSpringer Science and Business Media Deutschland GmbH
Pages503-531
Number of pages29
ISBN (Print)9783031334870
DOIs
StatePublished - 2023
Event21st International Conference on Applied Cryptography and Network Security, ACNS 2023 - Kyoto, Japan
Duration: Jun 19 2023Jun 22 2023

Publication series

NameLecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume13905 LNCS
ISSN (Print)0302-9743
ISSN (Electronic)1611-3349

Conference

Conference21st International Conference on Applied Cryptography and Network Security, ACNS 2023
Country/TerritoryJapan
CityKyoto
Period6/19/236/22/23

All Science Journal Classification (ASJC) codes

  • Theoretical Computer Science
  • General Computer Science

Cite this