Litcius/Paper detail

Detecting new obfuscated malware variants: A lightweight and interpretable machine learning approach

Oladipo A. Madamidola, Felix Ngobigha, Adnane Ez‐zizi

2024Intelligent Systems with Applications15 citationsDOIOpen Access PDF

Abstract

• We develop a malware detection system trained on a single malware subtype, yet capable of generalising to successfully detect a broad range of other malware subtypes without prior exposure. • Our system excels not only in adaptability but also incorporate three other critical features: high accuracy, minimal computational overhead and enhanced model interpretability. • Our research not only advance the state-of-the-art in malware detection—having trained a highly accurate system using significantly less data compared to other related works—but also highlight the critical need to establish a comprehensive framework for developing malware detection systems, with more focus on adaptability. Machine learning has been successfully applied in developing malware detection systems, with a primary focus on accuracy, and increasing attention to reducing computational overhead and improving model interpretability. However, an important question remains underexplored: How well can machine learning-based models detect entirely new forms of malware not present in the training data? In this study, we present a machine learning-based system for detecting obfuscated malware that is not only highly accurate, lightweight and interpretable, but also capable of successfully adapting to new types of malware attacks. Our system is capable of detecting 15 malware subtypes despite being exclusively trained on one malware subtype, namely the Transponder from the Spyware family. This system was built after training 15 distinct random forest-based models, each on a different malware subtype from the CIC-MalMem-2022 dataset. These models were evaluated against the entire range of malware subtypes, including all unseen malware subtypes. To maintain the system's streamlined nature, training was confined to the top five most important features, which also enhanced interpretability. The Transponder-focused model exhibited high accuracy, exceeding 99.8%, with an average processing speed of 5.7 µs per file. We also illustrate how the Shapley additive explanations technique can facilitate the interpretation of the model predictions. Our research contributes to advancing malware detection methodologies, pioneering the feasibility of detecting obfuscated malware by exclusively training a model on a single or a few carefully selected malware subtype and applying it to detect unseen subtypes.

Topics & Concepts

MalwareComputer scienceArtificial intelligenceMachine learningComputer securityAdvanced Malware Detection TechniquesCybercrime and Law Enforcement StudiesDigital and Cyber Forensics