Abstract

Detecting unknown malware and their variants remains both an operational challenge and a research challenge. In recent years, there have been attempts to design machine learning techniques to increase the success of existing automated malware detection and analysis. In this paper, we build a modified Two-hidden-layered Extreme Learning Machine (TELM), which uses the dependency between malware sequence elements while retaining the advantage of avoiding backpropagation when training neural networks. We achieve this goal by using partially connected networks between the input and the first hidden layer. These are then aggregated with a fully connected network in the second layer. Finally, we utilize an ensemble to improve the accuracy and robustness of the system for malware threat hunting. The proposed method speeds up the training and detection steps of malware hunting in comparison to stacked Long Short-Term Memory (LSTM) and Convolutional Neural Network (CNN) models. Specifically, this is achieved by avoiding the backpropagation method and using a simpler architecture. Hence, the complexity of our final method is reduced, which leads to better accuracy, higher Matthews Correlation Coefficients (MCC), and Area Under the Curve (AUC), in comparison to a standard LSTM, with reduced detection time. Our proposed method is especially useful for malware threat hunting in safety-critical systems, such as electronic health or Internet of Battlefield / Military of Things, since the enormous size of the training data makes it impractical to use complex models (e.g., deep neural networks). In addition, in safety-critical systems, both training and detection speeds, as well as the detection rate, are equally important. Our research results in a powerful network that can be used for all platforms with a range of malware analysis. The proposed approach is tested on Windows, ransomware, Internet of Things (IoT), and mixed malware sample datasets.
For example, our evaluation using an IoT-specific dataset reports an accuracy of 99.65% in detecting IoT malware samples with an AUC of 0.99 and an MCC of 0.992, thus outperforming standard LSTM-based methods for IoT malware detection in all metrics.
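A minimal runnable sketch of the TELM idea described above, added here as an illustration and not the paper's own code: the first hidden layer is partially connected (each neuron sees a sliding window of adjacent sequence positions), the second is fully connected, both are random and frozen so no backpropagation is needed, only the output weights are solved in closed form, and several members are averaged as an ensemble. The opcode-style toy data, the window width, the layer sizes and the ridge term are constructed assumptions.

```python
import math, random

def solve(a, b):
    # Gauss-Jordan elimination with partial pivoting for a @ x = b (a is square).
    n, m = len(a), [row + [b[i]] for i, row in enumerate(a)]
    for c in range(n):
        p = max(range(c, n), key=lambda r: abs(m[r][c]))
        m[c], m[p] = m[p], m[c]
        for r in range(n):
            if r != c:
                f = m[r][c] / m[c][c]
                m[r] = [x - f * y for x, y in zip(m[r], m[c])]
    return [m[i][n] / m[i][i] for i in range(n)]

class TELM:
    def __init__(self, n_in, d1, d2, window, seed, ridge=1e-4):
        rng = random.Random(seed)
        # Layer 1 is partially connected: neuron i sees only `window` adjacent sequence
        # positions (from i % n_in). Both hidden layers are random and frozen: no backprop.
        self.w1 = [[rng.gauss(0, 1) if (j - i) % n_in < window else 0.0
                    for j in range(n_in)] for i in range(d1)]
        self.b1 = [rng.gauss(0, 1) for _ in range(d1)]
        self.w2 = [[rng.gauss(0, 1) / math.sqrt(d1) for _ in range(d1)] for _ in range(d2)]
        self.b2 = [rng.gauss(0, 1) for _ in range(d2)]
        self.ridge, self.beta = ridge, None
    def hidden(self, x):  # partially connected layer 1, then fully connected layer 2
        h1 = [math.tanh(sum(w * v for w, v in zip(r, x)) + b) for r, b in zip(self.w1, self.b1)]
        return [math.tanh(sum(w * v for w, v in zip(r, h1)) + b) for r, b in zip(self.w2, self.b2)]
    def fit(self, xs, ys):
        # Only the output weights are learned, in closed form: (H'H + ridge*I) beta = H'y.
        H, d2 = [self.hidden(x) for x in xs], len(self.b2)
        hth = [[sum(h[i] * h[j] for h in H) + (self.ridge if i == j else 0.0)
                for j in range(d2)] for i in range(d2)]
        self.beta = solve(hth, [sum(h[i] * y for h, y in zip(H, ys)) for i in range(d2)])
        return self
    def score(self, x):
        return sum(b * h for b, h in zip(self.beta, self.hidden(x)))

def train_ensemble(xs, ys, n_models=3, **kw):
    return [TELM(seed=s, **kw).fit(xs, ys) for s in range(n_models)]
def ensemble_predict(models, x):  # mean of member scores; +1 = malware, -1 = benign
    return 1 if sum(m.score(x) for m in models) / len(models) >= 0 else -1
def accuracy(models, xs, ys):
    return sum(ensemble_predict(models, x) == y for x, y in zip(xs, ys)) / len(ys)
def toy_data(n_each=6, seed=7):
    # Constructed input: 6-step sequences of normalised opcode ids; malware rows carry a
    # high-valued adjacent pair at positions 2-3 (a stand-in for a suspicious bigram).
    rng = random.Random(seed)
    mal = [[rng.uniform(0.7, 1) if i in (2, 3) else rng.uniform(0, 0.4) for i in range(6)]
           for _ in range(n_each)]
    ben = [[rng.uniform(0, 0.4) for _ in range(6)] for _ in range(n_each)]
    return mal + ben, [1] * n_each + [-1] * n_each
```

With `xs, ys = toy_data()` and `train_ensemble(xs, ys, n_in=6, d1=8, d2=16, window=2)`, the ensemble separates the two constructed classes without any gradient step; the only "training" is one small linear solve per member.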
