Deep feature transfer learning for trusted and automated malware signature generation in private cloud environments

Abstract

This paper presents TrustSign, a novel, trusted automatic malware signature generation method based on high-level deep features transferred from a VGG-19 neural network model pretrained on the ImageNet dataset. While traditional automatic malware signature generation techniques rely on static or dynamic analysis of the malware’s executable, our method overcomes the limitations associated with these techniques by producing signatures based on the presence of the malicious process in the volatile memory. By leveraging the cloud’s virtualization technology, TrustSign analyzes the malicious process in a trusted manner, since the malware is unaware and cannot interfere with the inspection procedure. Additionally, by removing the dependency on the malware’s executable, our method is fully capable of signing fileless malware as well. TrustSign’s signature generation process does not require feature engineering or any additional model training, and it is done in a completely unsupervised manner, eliminating the need for a human expert. Because of this, our method has the advantage of dramatically reducing signature generation and distribution time. In fact, in this paper we rethink the typical use of deep convolutional neural networks and use the VGG-19 model as a topological feature extractor for a vastly different task from the one it was trained for. The results of our experimental evaluation demonstrate TrustSign’s ability to generate signatures impervious to the process state over time. By using the signatures generated by TrustSign as input for various supervised classifiers, we achieved up to 99.5% classification accuracy.