Abstract

With the rapid development of automation tools such as polymorphic and metamorphic engines, generic packers, and genetic programming, many malware variants have emerged that pose a significant threat to Internet security. To detect malware variants effectively, researchers have developed visualization-based approaches that render malware adaptations visually for in-depth malware analysis. However, most existing visualization approaches rely on the binary image of a malware sample, which fails to provide an effective texture feature representation and thus often yields low efficiency on challenging malware samples. In this paper, we propose SpecView, a malware spectrum visualization framework based on singular spectrum transformation. SpecView converts malware binary code into one-dimensional time-series spectrum data and applies the singular spectrum transformation method to extract the structural changes preserved in that data. We then use the particle swarm optimization algorithm to optimize the singular spectrum transformation performance in SpecView. We apply SpecView to the task of malware classification. Extensive experimental results show that SpecView is effective and efficient for malware classification on the Malimg, Malheur, Drebin, and PRAGuard Malgenome Class Encryption datasets, with classification accuracy exceeding 99%, and that it can effectively identify malware variants that use evasive techniques such as packing and encryption obfuscation. The proposed method outperforms the state-of-the-art methods on all datasets, and classification accuracy reaches 100% for 5 malware families packed with the UPX packer on the Malimg dataset, as well as for 9 malware families that use Class Encryption obfuscation techniques on the PRAGuard Malgenome Class Encryption dataset.
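
The abstract names the core pipeline (bytes become a one-dimensional series, and singular spectrum transformation exposes structural change in that series) without fixing the byte encoding, the window sizes or how the subspace rank is chosen. The following is an added, self-contained Python example written for this page; it is not code from the SpecView paper. It scores change points with the classic singular spectrum transformation of Ide and Inoue (past-window dominant subspace versus test-window dominant direction) over a constructed byte stream, using a small pure-Python Jacobi eigensolver so it runs without numpy. The byte-to-sample mapping, `W`, `N_COLS`, the energy-based rank rule and the 0.5 threshold are assumptions of mine; they are the kind of SST settings the abstract says SpecView tunes with particle swarm optimization, and here they are fixed by hand.

```python
"""Singular spectrum transformation (SST) change scoring over a byte stream.

Added illustration, not SpecView's code. Assumptions: one sample per byte,
re-centred to -128..127; fixed window sizes; rank chosen by an energy share.
"""
import math

W = 8                  # length of each lagged sub-sequence (rows of the trajectory matrix)
N_COLS = 16            # lagged sub-sequences per window (columns of the trajectory matrix)
WIN = W + N_COLS - 1   # samples covered by one window
ENERGY = 0.99          # keep enough past directions to explain this share of the variance
R_MAX = 4              # upper bound on the number of past directions kept

# Constructed sample "binary": a slow 4-byte repeating structure, a 64-byte run of
# fast-alternating bytes (standing in for a region with different byte statistics),
# then the slow structure again. The true structural boundaries are offsets 64 and 128.
SAMPLE = b"\x00\x40\x80\x40" * 16 + b"\xff\x01" * 32 + b"\x00\x40\x80\x40" * 16


def bytes_to_series(blob):
    """Assumed encoding: each byte is one time-series sample, shifted to be signed."""
    return [b - 128 for b in blob]


def trajectory_cov(series, start):
    """W x W scatter matrix H H^T of the trajectory (Hankel) matrix H whose columns are
    the N_COLS overlapping sub-sequences of length W taken from series[start:start+WIN]."""
    cols = [series[start + j:start + j + W] for j in range(N_COLS)]
    return [[sum(c[i] * c[k] for c in cols) for k in range(W)] for i in range(W)]


def jacobi_eigen(a, sweeps=50):
    """Eigen-decomposition of a symmetric matrix by cyclic Jacobi rotations.
    Returns (eigenvalues, V) with V[k][i] the k-th component of eigenvector i."""
    n = len(a)
    a = [row[:] for row in a]
    v = [[1.0 if i == j else 0.0 for j in range(n)] for i in range(n)]
    for _ in range(sweeps):
        off = sum(a[i][j] ** 2 for i in range(n) for j in range(n) if i != j)
        diag = sum(a[i][i] ** 2 for i in range(n))
        if off <= 1e-26 * (diag + off):        # off-diagonal mass is negligible: converged
            break
        for p in range(n - 1):
            for q in range(p + 1, n):
                if a[p][q] == 0.0:
                    continue
                # Rotation angle that zeroes a[p][q]; hypot avoids overflow for large theta.
                theta = (a[q][q] - a[p][p]) / (2.0 * a[p][q])
                t = math.copysign(1.0, theta) / (abs(theta) + math.hypot(theta, 1.0))
                c = 1.0 / math.hypot(t, 1.0)
                s = t * c
                for k in range(n):                    # A <- A J   (columns p and q)
                    akp, akq = a[k][p], a[k][q]
                    a[k][p], a[k][q] = c * akp - s * akq, s * akp + c * akq
                for k in range(n):                    # A <- J^T A (rows p and q)
                    apk, aqk = a[p][k], a[q][k]
                    a[p][k], a[q][k] = c * apk - s * aqk, s * apk + c * aqk
                for k in range(n):                    # V <- V J   (accumulate eigenvectors)
                    vkp, vkq = v[k][p], v[k][q]
                    v[k][p], v[k][q] = c * vkp - s * vkq, s * vkp + c * vkq
    return [a[i][i] for i in range(n)], v


def top_subspace(cov, r_max, energy):
    """Orthonormal eigenvectors of cov with the largest eigenvalues: the smallest set
    that explains `energy` of the total variance, capped at r_max vectors."""
    vals, vecs = jacobi_eigen(cov)
    total = sum(max(x, 0.0) for x in vals)
    kept, acc = [], 0.0
    for i in sorted(range(len(vals)), key=lambda i: -vals[i]):
        kept.append([vecs[k][i] for k in range(len(vals))])
        acc += max(vals[i], 0.0)
        if len(kept) == r_max or acc >= energy * total:
            break
    return kept


def sst_scores(series):
    """Change score at each offset t: 1 minus the squared projection of the test window's
    dominant direction onto the past window's dominant subspace (Ide & Inoue's SST)."""
    scores = {}
    for t in range(WIN, len(series) - WIN + 1):
        past = top_subspace(trajectory_cov(series, t - WIN), R_MAX, ENERGY)
        beta = top_subspace(trajectory_cov(series, t), 1, 1.0)[0]
        proj = sum(sum(u[k] * beta[k] for k in range(W)) ** 2 for u in past)
        scores[t] = min(1.0, max(0.0, 1.0 - proj))   # clamp away rounding noise
    return scores


def change_points(scores, threshold=0.5):
    """Offsets whose change score reaches the threshold, in increasing order."""
    return sorted(t for t, s in scores.items() if s >= threshold)


if __name__ == "__main__":
    scores = sst_scores(bytes_to_series(SAMPLE))
    for t in change_points(scores):
        print(f"offset {t}: change score {scores[t]:.3f}")
```

Two design points matter when this is applied to real samples. First, the rank of the past subspace is chosen by an energy share rather than fixed: a fixed rank larger than the window's true rank would let arbitrary null-space directions into the past subspace, and a genuine change could then project onto them and be masked. Second, the score is exactly 1 only when the test window's dominant direction is orthogonal to everything the past window contained, which is what the two synthetic region types above are built to produce; on real byte streams the scores are graded, and the threshold is a tuning parameter like the window sizes.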
