Research field: Safety
Venue: Applied Intelligence
Information technology brings us not only marvelous convenience and productivity, but also potential insecurity factors, which may pose threats to our property, data or even reputation. Malicious software is exactly an accomplice of such attacks. Fundamentally, the key step in dealing with malicious software is to accurately identify and classify it. Although traditional static and dynamic analysis approaches can accomplish this task to some extent, they have intrinsic defects in terms of variant feature extraction, vulnerability to code obfuscation and encryption, or excessive resource consumption. Recently, CNN-based malware classification methods, which employ CNN models to classify visualized malware images, have provided a promising way to accomplish malware classification tasks. However, most mainstream CNN models require inputs of a fixed size, while the varying sizes of original malware samples frequently lead to varying sizes of malware visualization images. Simply resizing these images causes loss of malware features, resulting in drops in classification accuracy. In this paper, we propose a malware visualization method based on transition probabilities of malware operation codes to generate proper images with a uniform size as inputs for CNN models. As a result, the conventional resizing operations can be avoided. The proposed method is compatible with most mainstream CNN models. Moreover, the proposed method can address problems concerning insufficient or imbalanced datasets, which may challenge the classification abilities of CNN models. Experimental results demonstrate the excellent compatibility and classification performance of the proposed method in terms of accuracy, precision, recall and F1-score. For reproducible research, the source code and trained models of the proposed method are available at https://github.com/xchuxiao23/mal_cls.
| Publication year | 2024 |
|---|---|
| Citations | 0 |
| Country of publication | Andorra |
| Site | Springer |