Abstract

Rapidly evolving malware has become a major cybersecurity threat. Several feature-engineering techniques have been proposed to defend against malware attacks. Entropy is a typical indicator used to identify malware. Structural entropy is a sequence of entropy values, each computed over one segment of the file with the standard entropy formula. However, entropy-based features tend to be abstract and miss important information. This article proposes a feature-engineering technique built on the concept of structural entropy: every segment is represented not by a single entropy value but by 256 entropy values, one per byte value. Our feature, fine-granularity structural entropy (FiG_SE), captures global patterns across all segments, local patterns across adjacent segments, and internal patterns within each segment. To extract higher-level characteristics from this entropy feature, we use a convolutional neural network (CNN) architecture, because it is effective at extracting local and global patterns, and especially shift-invariant patterns. Our malware classification based on a CNN with the proposed feature outperforms previous classification methods that use byte streams, entropy streams, and structural-entropy-based streams as inputs. Moreover, our feature combined with a CNN is highly resilient to obfuscation techniques and is also well suited to malware detection.
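The following is an added illustration, not code from the paper or its authors, of the difference between classic structural entropy and a per-byte-value feature of the kind the abstract describes. The segment size, the sample byte strings, and the decomposition of a segment into the 256 terms `-p_v * log2(p_v)` (one per byte value `v`, summing to the segment's Shannon entropy) are assumptions made here for the example; the paper's exact definition of FiG_SE may differ. The point it shows is the one the abstract makes: two segments can have identical entropy yet very different byte content, and only the fine-grained vector separates them.

```python
import math
from collections import Counter
from typing import List


def segment_entropy(seg: bytes) -> float:
    """Shannon entropy in bits of one segment (the classic structural-entropy value)."""
    n = len(seg)
    if n == 0:
        return 0.0
    return -sum((c / n) * math.log2(c / n) for c in Counter(seg).values())


def structural_entropy(data: bytes, seg_size: int) -> List[float]:
    """Classic structural entropy: one entropy value per fixed-size segment."""
    return [segment_entropy(data[i:i + seg_size]) for i in range(0, len(data), seg_size)]


def fine_grained_entropy(seg: bytes) -> List[float]:
    """Assumed fine-grained form: 256 values, entry v holding -p_v*log2(p_v) for byte value v.

    The entries sum to segment_entropy(seg), so no information from the classic
    feature is lost, but the distribution over byte values is kept as well.
    """
    n = len(seg)
    vec = [0.0] * 256
    if n == 0:
        return vec
    for v, c in Counter(seg).items():
        p = c / n
        vec[v] = -p * math.log2(p)
    return vec


def fig_se_matrix(data: bytes, seg_size: int) -> List[List[float]]:
    """One 256-entry row per segment: the 2-D input a CNN would consume."""
    return [fine_grained_entropy(data[i:i + seg_size]) for i in range(0, len(data), seg_size)]


# Constructed sample: four 16-byte segments.
# seg 0: all zeros (entropy 0); seg 1 and seg 2: two alternating byte values
# (entropy 1.0 each, but different bytes); seg 3: 16 distinct bytes (entropy 4.0).
SEG_SIZE = 16
SAMPLE = (b"\x00" * 16) + (b"\x00\x01" * 8) + (b"AB" * 8) + bytes(range(16))


def segments_share_entropy_but_differ(data: bytes, seg_size: int, i: int, j: int) -> bool:
    """True when segments i and j have equal classic entropy but distinct fine-grained vectors."""
    classic = structural_entropy(data, seg_size)
    fine = fig_se_matrix(data, seg_size)
    return math.isclose(classic[i], classic[j]) and fine[i] != fine[j]


if __name__ == "__main__":
    print("structural entropy:", structural_entropy(SAMPLE, SEG_SIZE))
    print("segments 1 and 2 identical under classic entropy but separated by FiG-style vector:",
          segments_share_entropy_but_differ(SAMPLE, SEG_SIZE, 1, 2))
```

In practice the segment size is a design parameter, and the per-segment rows are stacked into a (segments x 256) matrix so that a CNN can learn patterns across adjacent rows as well as within a row.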
