Abstract

Malware is widely regarded as one of the most severe security threats to modern technologies. Detecting malware in the Internet of Things (IoT) infrastructures is a critical and complicated task. The complexity of this task increases with the recent growth of malware variants targeting different IoT CPU architectures, since the new malware variants often use anti-forensic techniques to avoid detection and investigation. Therefore, we cannot utilize the traditional machine learning (ML) techniques that require domain knowledge and sophisticated feature engineering in detecting the unseen malware variants. Recent deep learning approaches have performed well on malware analysis and detection while using minimum feature engineering requirements. In this paper, we propose BERTDeep-Ware, a real-time cross-architecture malware detection solution tailored for IoT systems. BERTDeep-Ware analyzes the executable file's operation codes (OpCodes) sequence representations using Bidirectional Encoder Representations from Transformers (BERT) Embedding, the state-of-the-art natural language processing (NLP) approach. The extracted sentence embedding from BERT is fed into a customized hybrid multi-head CNN-BiLSTM-LocAtt model. This deep learning (DL) model combines the convolutional neural network (CNN), bidirectional long short-term memory (BiLSTM), and the local attention mechanisms (LocAtt) to capture contextual features and long-term dependencies between OpCode sequences. We train and evaluate BERTDeep-Ware using the datasets created for three different CPU architectures. The performance evaluation results confirm that the proposed multi-head CNN-BiLSTM-LocAtt model produces more accurate classification results with higher detection rates and lower false positives than a number of baseline ML and DL models.
