Abstract

The number of malware-infected machines around the world has been growing day by day. New malware variants appear in the wild to evade malware detection and classification systems and may infect machines with ransomware or crypto miners for the adversary's financial gain. The recent Colonial Pipeline ransomware attack is an example of such attacks: it impacted daily human activities, and the victim had to pay a ransom to restore its operations. Windows-based systems are the most widely adopted systems across different industries for running applications, and they are prone to being targeted for malware installation. In this paper, we propose a Deep Learning (DL)-based Convolutional Neural Network (CNN) model to perform malware classification on Portable Executable (PE) binary files using a fusion feature set approach. We present an extensive performance evaluation of various DL model architectures and a Machine Learning (ML) classifier, i.e., Support Vector Machine (SVM), on multi-aspect feature sets covering static, dynamic, and image features in order to select the proposed CNN model. We further leverage the CNN-based architecture for effective malware classification using different combinations of feature sets and compare the results with the best-performing individual feature set. Our performance evaluation shows that the proposed model classifies files as malware or benign with an accuracy of 97% when using fusion feature sets. The proposed model is robust and generalizable and showed similar performance on two completely unseen malware datasets. In addition, the embedding features of the CNN model are visualized, and various visualization methods are employed to understand the characteristics of the datasets. Further, large-scale learning and stacked classifiers were employed after the penultimate layer to enhance the CNN classification performance.
