Abstract
In this paper, we propose a novel model for a malware classification system based on Application Programming Interface (API) calls and opcodes, to improve classification accuracy. This system uses a novel design of combined Convolutional Neural Network and Long Short-Term Memory. We extract opcode sequences and API Calls from Windows malware samples for classification. We transform these features into N-grams (N = 2, 3, and 10)-gram sequences. Our experiments on a dataset of 9,749,57 samples produce high accuracy of 99.91% using the 8-gram sequences. Our method significantly improves the malware classification performance when using a wide range of recent deep learning architectures, leading to state-of-the-art performance. In particular, we experiment with ConvNeXt-T, ConvNeXt-S, RegNetY-4GF, RegNetY-8GF, RegNetY-12GF, EfficientNetV2, Sequencer2D-L, Swin-T, ViT-G/14, ViT-Ti, ViT-S, VIT-B, VIT-L, and MaxViT-B. Among these architectures, Swin-T and Sequencer2D-L architectures achieved high accuracies of 99.82% and 99.70%, respectively, comparable to our CNN-LSTM architecture although not surpassing it.
Abstract (translated)
在本文中,我们提出了一个基于API调用和opcodes的新型恶意软件分类系统模型,以提高分类准确性。该系统采用了一种新颖的结合卷积神经网络和长短时记忆的架构。我们通过对Windows恶意软件样本的分类,提取opcode序列和API调用。我们将这些特征转换为N-gram(N = 2, 3, 和10)序列。我们对9,749,57个样本的实验结果表明,使用8-gram序列取得了99.91%的高准确率。我们的方法在使用各种最新的深度学习架构时显著提高了恶意软件分类的性能,达到了最先进水平。特别是,我们进行了对ConvNeXt-T、ConvNeXt-S、RegNetY-4GF、RegNetY-8GF、RegNetY-12GF、EfficientNetV2、Sequencer2D-L、Swin-T、ViT-G/14、ViT-Ti、ViT-S、VIT-B、VIT-L和MaxViT-B架构的实验。在这些架构中,Swin-T和Sequencer2D-L架构的准确率分别为99.82%和99.70%, respectively,尽管没有超过我们的CNN-LSTM架构,但与我们的CNN-LSTM架构相当。
URL
https://arxiv.org/abs/2405.02548