An Enhanced Stacked LSTM Method With No Random Initialization for Malware Threat Hunting in Safety and Time-Critical Systems

Malware detection is an increasingly important operational focus in cyber security, particularly given the fast pace at which such threats evolve (e.g., new malware variants appear every day). In recent years there has been growing interest in using machine learning techniques to automate and improve the effectiveness of malware detection and analysis. In this paper, we present a deep recurrent neural network solution, a stacked long short-term memory (LSTM) network, with pre-training used as a regularization method that avoids random network initialization. The proposed approach exploits both global (long-range) and short-range dependencies in the input sequences. With pre-training we avoid random initialization and improve the accuracy and robustness of malware threat hunting. The proposed method also converges faster than a standard stacked LSTM because it reduces the length of the malware OpCode or bytecode sequences, which lowers the complexity of the final model. This leads to better accuracy, a higher Matthews Correlation Coefficient (MCC), and a higher Area Under the Curve (AUC) than a standard LSTM, with similar detection time. The proposed method can be applied to real-time malware threat hunting, particularly in safety-critical systems such as electronic health or the Internet of Battlefield Things / Internet of Military Things, where poor convergence of the model could have catastrophic consequences. We evaluate the effectiveness of the proposed method on Windows, ransomware, Internet of Things (IoT), and Android malware datasets using both static and dynamic analysis. For IoT malware detection, we also present a comparative summary of the performance of the proposed method and the standard stacked LSTM method on an IoT-specific dataset. More specifically, the proposed method achieves an accuracy of 99.1% in detecting IoT malware samples, with an AUC of 0.985 and an MCC of 0.95, thus outperforming standard LSTM-based methods on these key metrics.
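The abstract reports accuracy, MCC and AUC side by side. The example below, added here and not part of the paper or its authors' code, computes all three from per-sample detector scores using only the Python standard library, and shows why a practitioner should not judge a malware detector on accuracy alone: on an imbalanced dataset a detector that flags nothing can match the accuracy of a useful one while its MCC is zero. The dataset (20 constructed opcode-sequence samples, 2 malware and 18 benign, with made-up detector scores) and the threshold of 0.5 are assumptions for illustration; AUC is computed as the Mann-Whitney probability that a random malware sample outscores a random benign one, with ties counted as one half.

```python
"""Evaluation metrics for a binary malware detector (added example, not the paper's code).

Labels use the convention 1 = malware, 0 = benign. Scores are the detector's
per-sample probability of malware.
"""
import math
from typing import Dict, List, Sequence, Tuple

# Constructed sample data (assumption): 2 malware samples and 18 benign ones,
# each paired with an invented detector score in [0, 1].
SAMPLES: List[Tuple[int, float]] = [
    (1, 0.90), (1, 0.60),
    (0, 0.05), (0, 0.10), (0, 0.12), (0, 0.15), (0, 0.18), (0, 0.20),
    (0, 0.22), (0, 0.25), (0, 0.28), (0, 0.30), (0, 0.32), (0, 0.35),
    (0, 0.38), (0, 0.40), (0, 0.42), (0, 0.45),
    (0, 0.60), (0, 0.70),  # two benign samples scored high: false positives at 0.5
]
LABELS: List[int] = [y for y, _ in SAMPLES]
SCORES: List[float] = [s for _, s in SAMPLES]


def confusion(labels: Sequence[int], preds: Sequence[int]) -> Tuple[int, int, int, int]:
    """Return (tp, tn, fp, fn) for binary labels/predictions."""
    tp = sum(1 for y, p in zip(labels, preds) if y == 1 and p == 1)
    tn = sum(1 for y, p in zip(labels, preds) if y == 0 and p == 0)
    fp = sum(1 for y, p in zip(labels, preds) if y == 0 and p == 1)
    fn = sum(1 for y, p in zip(labels, preds) if y == 1 and p == 0)
    return tp, tn, fp, fn


def accuracy(labels: Sequence[int], preds: Sequence[int]) -> float:
    tp, tn, fp, fn = confusion(labels, preds)
    return (tp + tn) / (tp + tn + fp + fn)


def mcc(labels: Sequence[int], preds: Sequence[int]) -> float:
    """Matthews Correlation Coefficient; 0.0 when any confusion-matrix margin is empty."""
    tp, tn, fp, fn = confusion(labels, preds)
    denom = math.sqrt((tp + fp) * (tp + fn) * (tn + fp) * (tn + fn))
    return 0.0 if denom == 0 else (tp * tn - fp * fn) / denom


def auc(labels: Sequence[int], scores: Sequence[float]) -> float:
    """ROC AUC via the Mann-Whitney statistic: P(score(malware) > score(benign)),
    ties contributing 1/2. Threshold-free, so it measures ranking quality."""
    pos = [s for y, s in zip(labels, scores) if y == 1]
    neg = [s for y, s in zip(labels, scores) if y == 0]
    if not pos or not neg:
        raise ValueError("AUC needs at least one sample of each class")
    wins = 0.0
    for p in pos:
        for n in neg:
            if p > n:
                wins += 1.0
            elif p == n:
                wins += 0.5
    return wins / (len(pos) * len(neg))


def threshold(scores: Sequence[float], t: float) -> List[int]:
    """Turn scores into hard predictions: flag as malware when score >= t."""
    return [1 if s >= t else 0 for s in scores]


def evaluate(labels: Sequence[int], scores: Sequence[float], t: float = 0.5) -> Dict[str, float]:
    """Accuracy and MCC at threshold t, plus threshold-free AUC."""
    preds = threshold(scores, t)
    return {"accuracy": accuracy(labels, preds), "mcc": mcc(labels, preds), "auc": auc(labels, scores)}


def evaluate_always_benign(labels: Sequence[int]) -> Dict[str, float]:
    """Baseline that never flags anything: shows accuracy alone can be misleading."""
    preds = [0] * len(labels)
    return {"accuracy": accuracy(labels, preds), "mcc": mcc(labels, preds)}


if __name__ == "__main__":
    print("detector       :", evaluate(LABELS, SCORES))
    print("always-benign  :", evaluate_always_benign(LABELS))
```

On the constructed data both the detector and the always-benign baseline reach 90% accuracy, but the baseline has MCC 0 while the detector has MCC 0.667 and AUC 0.958; that is why the paper reports MCC and AUC rather than accuracy alone for an imbalanced malware corpus.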
