Abstract
Malware detection of non-executables has recently been drawing much attention because ordinary users are vulnerable to such malware. Hangul Word Processor (HWP) is software for editing non-executable text files and is widely used in South Korea. New malware for HWP files continues to appear because of the circumstances between South Korea and North Korea. There have been various studies to solve this problem, but most of them are limited because they require a large amount of effort to define features based on expert knowledge. In this study, we designed a convolutional neural network to detect malware within HWP files. Our proposed model takes a raw byte stream as input and predicts whether it contains malicious actions or not. To incorporate highly variable lengths of HWP byte streams, we propose a new padding method and a spatial pyramid average pooling layer. We experimentally demonstrate that our model is not only effective, but also efficient.
Highlights
Malware describes malicious software designed for attacking machines in various ways
The convolutional neural network (CNN) model has two newly proposed parts: (1) we propose a new method of padding, namely, stretch padding, and (2) spatial pyramid average pooling (SPAP), which is a variant of spatial pyramid pooling (SPP) [8]
This implies that the average pooling plays a crucial role in the SPAP layer, which is consistent with [29]; that is, averaging the embedding vectors helps to find deeper semantic information among the embedding vectors
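The fixed-length property that spatial pyramid pooling with averaging provides, shown as an added example that is not the paper's code: a generic 1-D version in plain Python. The pyramid levels (1, 2, 4), the bin-edge rule and the toy per-byte features are assumptions, since the page specifies none of them.

```python
def spap_1d(features, levels=(1, 2, 4)):
    """Average-pool a variable-length 1-D feature map into a fixed-length vector.

    features: list of T per-position vectors, each with C channels.
    Returns a flat list of length C * sum(levels), independent of T.
    """
    t = len(features)
    if t == 0:
        raise ValueError("feature map is empty")
    channels = len(features[0])
    pooled = []
    for n_bins in levels:
        for i in range(n_bins):
            # Floor the bin start and ceil the bin end (assumed SPP-style rule):
            # bins cover every position, and when T < n_bins they overlap
            # rather than being empty.
            start = (i * t) // n_bins
            end = max(start + 1, -(-(i + 1) * t // n_bins))
            window = features[start:end]
            for ch in range(channels):
                pooled.append(sum(v[ch] for v in window) / len(window))
    return pooled


def toy_features(data):
    """Constructed stand-in for a convolutional feature map: 2 channels per byte."""
    return [[b / 255.0, float(b == 0)] for b in data]


if __name__ == "__main__":
    # Constructed byte streams of very different lengths (not real HWP data).
    short_stream = bytes([0x00, 0x41, 0xFF])
    long_stream = bytes(range(256)) * 40
    for name, stream in (("short", short_stream), ("long", long_stream)):
        vec = spap_1d(toy_features(stream))
        print(name, len(stream), "bytes ->", len(vec), "pooled values")
```

Both streams yield 14 pooled values (2 channels × 7 bins), which is what lets a fixed-size classifier head follow a feature map of arbitrary length.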
Summary
Malware describes malicious software designed for attacking machines in various ways. It may slow down or shut down machines, and often steals or encrypts important files for ransom. Malware can be divided into two categories: malware of executables (e.g., EXE files) and malware of non-executables (e.g., Portable Document Format (PDF) files). Ordinary users are more vulnerable to non-executables because they open infected documents without much worry. Although many options have been proposed for detecting malware within non-executables, it is still necessary to develop more advanced detection models because new malware for non-executables keeps appearing. Hangul Word Processor (HWP) is text editing software provided by Hancom Inc., South Korea.