Abstract

As the importance of cyberspace grows, malicious software (malware) is threatening not only individuals but also countries. In addition, a large volume of malware is still circulating in cyberspace, and as technology advances, new or advanced malware is emerging. In the real world, files from different platforms are distributed via e-mail, network-attached storage (NAS), shared drives, etc. However, most malware detection models target only a single platform. Therefore, cross-platform malware detection has a significant and essential role. We propose HMLET, a cross-platform malware detection model. To detect malware of various file types across platforms, HMLET uses content-based information that all binary files have in common, rather than file structure-based information that differs from platform to platform. We create file content-based features for malware detection using the wavelet transform. However, the amount of information the wavelet transform extracts varies with the input data length, so the input length had to be fixed. We fix the input data length through the Joint Probability Distribution (JPD) matrix. After training a machine learning model on the extracted features, we evaluated malware detection performance. HMLET showed 97% accuracy on the Windows platform and 99% on the Linux platform. In addition, on the combined Windows & Linux platform, HMLET showed 97% accuracy. According to the experimental results, HMLET shows high-performance malware detection across platforms, making it suitable for use as a cross-platform malware detection model.
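The sketch below is an added example, not code from the HMLET authors, showing how a JPD matrix makes the wavelet input size independent of file length. The abstract does not define the construction, so everything here is an assumption: the JPD is taken over adjacent byte pairs quantized into 16 bins, the wavelet is Haar, the features are sub-band energies, and all function names are hypothetical.

```python
import math

def jpd_matrix(data: bytes, bins: int = 16):
    """Joint probability of adjacent byte pairs; size depends only on `bins`."""
    if len(data) < 2:
        raise ValueError("need at least two bytes to form a pair")
    step = 256 // bins  # assumption: bins is a power of two dividing 256
    m = [[0.0] * bins for _ in range(bins)]
    for a, b in zip(data, data[1:]):
        m[a // step][b // step] += 1.0
    total = len(data) - 1
    return [[c / total for c in row] for row in m]

def haar_1d(v):
    """One level of the orthonormal Haar transform: (approximation, detail)."""
    s = math.sqrt(2.0)
    approx = [(v[i] + v[i + 1]) / s for i in range(0, len(v), 2)]
    detail = [(v[i] - v[i + 1]) / s for i in range(0, len(v), 2)]
    return approx, detail

def haar_2d(m):
    """One 2D Haar level over rows then columns: returns LL, LH, HL, HH."""
    lo, hi = [], []
    for row in m:
        a, d = haar_1d(row)
        lo.append(a)
        hi.append(d)
    def cols(block):
        t = [haar_1d(list(c)) for c in zip(*block)]
        a = [list(r) for r in zip(*[x[0] for x in t])]
        d = [list(r) for r in zip(*[x[1] for x in t])]
        return a, d
    ll, lh = cols(lo)
    hl, hh = cols(hi)
    return ll, lh, hl, hh

def energy(block):
    return sum(x * x for row in block for x in row)

def wavelet_features(data: bytes, bins: int = 16, levels: int = 3):
    """Fixed-length vector: detail energies per level plus the final LL energy."""
    ll, feats = jpd_matrix(data, bins), []
    for _ in range(levels):  # requires levels <= log2(bins)
        ll, lh, hl, hh = haar_2d(ll)
        feats += [energy(lh), energy(hl), energy(hh)]
    return feats + [energy(ll)]

# Constructed sample inputs of different lengths (not real binaries).
SHORT = bytes(range(256)) * 2
LONG = bytes((i * 7 + 3) % 256 for i in range(50_000))
```

Both inputs yield a 10-element vector, which is the property a classifier needs when PE and ELF files of arbitrary size share one feature space.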
