Malware Classification by Deep Learning Using Characteristics of Hash Functions

Takahiro Baba; Kensuke Baba; Toshihiro Yamauchi

doi:10.1007/978-3-030-99587-4_40

Malware Classification by Deep Learning Using Characteristics of Hash Functions

Takahiro Baba, Kensuke Baba, Toshihiro Yamauchi

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Abstract

As the Internet develops, the number of Internet of Things (IoT) devices increases. Simultaneously, the risk of IoT devices being infected with malware also increases. Thus, malware detection has become an important issue. Dynamic analysis logs are effective at detecting malware, but it takes time to collect a large amount of data because the malware must be executed at least once before the logs can be collected. Moreover, dynamic analysis logs are affected by external factors such as the execution environment. A malware detection method that uses a static property analysis log could solve these problems. In this study, deep learning (DL) was used as a machine learning method because DL is effective for large-scale data and can automatically extract features. Research has been conducted on malware detection using static properties of portable executable (PE) files, establishing that such detection is possible. However, research on malware detection using hash functions such as Fuzzy hash and peHash is lacking. Therefore, we investigated the characteristics of hash values in malware classification. Moreover, when the surface analysis log is viewed in chronological order, that the data are considered have concept drift characteristics. Therefore, we compared malware detection performance using data with the concept drift property. We found that the hash function could be used to prevent performance degradation even with concept drift data. In an experiment combining PE surface information and hash values, concept drift showed the highest performance for certain data.

Original language	English
Title of host publication	Advanced Information Networking and Applications - Proceedings of the 36th International Conference on Advanced Information Networking and Applications AINA-2022
Editors	Leonard Barolli, Farookh Hussain, Tomoya Enokido
Publisher	Springer Science and Business Media Deutschland GmbH
Pages	480-491
Number of pages	12
ISBN (Print)	9783030995867
DOIs	https://doi.org/10.1007/978-3-030-99587-4_40
Publication status	Published - 2022
Event	36th International Conference on Advanced Information Networking and Applications, AINA 2022 - Sydney, Australia Duration: Apr 13 2022 → Apr 15 2022

Publication series

Name	Lecture Notes in Networks and Systems
Volume	450 LNNS
ISSN (Print)	2367-3370
ISSN (Electronic)	2367-3389

Conference

Conference	36th International Conference on Advanced Information Networking and Applications, AINA 2022
Country/Territory	Australia
City	Sydney
Period	4/13/22 → 4/15/22

Keywords

Deep learning
Fuzzy hash
Malware detection
PE file
peHash

ASJC Scopus subject areas

Control and Systems Engineering
Signal Processing
Computer Networks and Communications

Access to Document

10.1007/978-3-030-99587-4_40

Cite this

Baba, T., Baba, K., & Yamauchi, T. (2022). Malware Classification by Deep Learning Using Characteristics of Hash Functions. In L. Barolli, F. Hussain, & T. Enokido (Eds.), Advanced Information Networking and Applications - Proceedings of the 36th International Conference on Advanced Information Networking and Applications AINA-2022 (pp. 480-491). (Lecture Notes in Networks and Systems; Vol. 450 LNNS). Springer Science and Business Media Deutschland GmbH. https://doi.org/10.1007/978-3-030-99587-4_40

Malware Classification by Deep Learning Using Characteristics of Hash Functions. / Baba, Takahiro ; Baba, Kensuke ; Yamauchi, Toshihiro.

Advanced Information Networking and Applications - Proceedings of the 36th International Conference on Advanced Information Networking and Applications AINA-2022. ed. / Leonard Barolli; Farookh Hussain; Tomoya Enokido. Springer Science and Business Media Deutschland GmbH, 2022. p. 480-491 (Lecture Notes in Networks and Systems; Vol. 450 LNNS).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Baba, T , Baba, K & Yamauchi, T 2022, Malware Classification by Deep Learning Using Characteristics of Hash Functions. in L Barolli, F Hussain & T Enokido (eds), Advanced Information Networking and Applications - Proceedings of the 36th International Conference on Advanced Information Networking and Applications AINA-2022. Lecture Notes in Networks and Systems, vol. 450 LNNS, Springer Science and Business Media Deutschland GmbH, pp. 480-491, 36th International Conference on Advanced Information Networking and Applications, AINA 2022, Sydney, Australia, 4/13/22. https://doi.org/10.1007/978-3-030-99587-4_40

Baba T , Baba K , Yamauchi T. Malware Classification by Deep Learning Using Characteristics of Hash Functions. In Barolli L, Hussain F, Enokido T, editors, Advanced Information Networking and Applications - Proceedings of the 36th International Conference on Advanced Information Networking and Applications AINA-2022. Springer Science and Business Media Deutschland GmbH. 2022. p. 480-491. (Lecture Notes in Networks and Systems). https://doi.org/10.1007/978-3-030-99587-4_40

Baba, Takahiro ; Baba, Kensuke ; Yamauchi, Toshihiro. / Malware Classification by Deep Learning Using Characteristics of Hash Functions. Advanced Information Networking and Applications - Proceedings of the 36th International Conference on Advanced Information Networking and Applications AINA-2022. editor / Leonard Barolli ; Farookh Hussain ; Tomoya Enokido. Springer Science and Business Media Deutschland GmbH, 2022. pp. 480-491 (Lecture Notes in Networks and Systems).

@inproceedings{08e5d1780f0c4cb49ec09611ccb15b3b,

title = "Malware Classification by Deep Learning Using Characteristics of Hash Functions",

abstract = "As the Internet develops, the number of Internet of Things (IoT) devices increases. Simultaneously, the risk of IoT devices being infected with malware also increases. Thus, malware detection has become an important issue. Dynamic analysis logs are effective at detecting malware, but it takes time to collect a large amount of data because the malware must be executed at least once before the logs can be collected. Moreover, dynamic analysis logs are affected by external factors such as the execution environment. A malware detection method that uses a static property analysis log could solve these problems. In this study, deep learning (DL) was used as a machine learning method because DL is effective for large-scale data and can automatically extract features. Research has been conducted on malware detection using static properties of portable executable (PE) files, establishing that such detection is possible. However, research on malware detection using hash functions such as Fuzzy hash and peHash is lacking. Therefore, we investigated the characteristics of hash values in malware classification. Moreover, when the surface analysis log is viewed in chronological order, that the data are considered have concept drift characteristics. Therefore, we compared malware detection performance using data with the concept drift property. We found that the hash function could be used to prevent performance degradation even with concept drift data. In an experiment combining PE surface information and hash values, concept drift showed the highest performance for certain data.",

keywords = "Deep learning, Fuzzy hash, Malware detection, PE file, peHash",

author = "Takahiro Baba and Kensuke Baba and Toshihiro Yamauchi",

note = "Funding Information: Acknowledgments. A part of this research is supported by JST, PRESTO Grant Number JPMJPR1938 and JSPS Grants-in-Aid for Scientific Research JP19H05579. Publisher Copyright: {\textcopyright} 2022, The Author(s), under exclusive license to Springer Nature Switzerland AG.; 36th International Conference on Advanced Information Networking and Applications, AINA 2022 ; Conference date: 13-04-2022 Through 15-04-2022",

year = "2022",

doi = "10.1007/978-3-030-99587-4_40",

language = "English",

isbn = "9783030995867",

series = "Lecture Notes in Networks and Systems",

publisher = "Springer Science and Business Media Deutschland GmbH",

pages = "480--491",

editor = "Leonard Barolli and Farookh Hussain and Tomoya Enokido",

booktitle = "Advanced Information Networking and Applications - Proceedings of the 36th International Conference on Advanced Information Networking and Applications AINA-2022",

address = "Germany",

}

TY - GEN

T1 - Malware Classification by Deep Learning Using Characteristics of Hash Functions

AU - Baba, Takahiro

AU - Baba, Kensuke

AU - Yamauchi, Toshihiro

N1 - Funding Information: Acknowledgments. A part of this research is supported by JST, PRESTO Grant Number JPMJPR1938 and JSPS Grants-in-Aid for Scientific Research JP19H05579. Publisher Copyright: © 2022, The Author(s), under exclusive license to Springer Nature Switzerland AG.

PY - 2022

Y1 - 2022

N2 - As the Internet develops, the number of Internet of Things (IoT) devices increases. Simultaneously, the risk of IoT devices being infected with malware also increases. Thus, malware detection has become an important issue. Dynamic analysis logs are effective at detecting malware, but it takes time to collect a large amount of data because the malware must be executed at least once before the logs can be collected. Moreover, dynamic analysis logs are affected by external factors such as the execution environment. A malware detection method that uses a static property analysis log could solve these problems. In this study, deep learning (DL) was used as a machine learning method because DL is effective for large-scale data and can automatically extract features. Research has been conducted on malware detection using static properties of portable executable (PE) files, establishing that such detection is possible. However, research on malware detection using hash functions such as Fuzzy hash and peHash is lacking. Therefore, we investigated the characteristics of hash values in malware classification. Moreover, when the surface analysis log is viewed in chronological order, that the data are considered have concept drift characteristics. Therefore, we compared malware detection performance using data with the concept drift property. We found that the hash function could be used to prevent performance degradation even with concept drift data. In an experiment combining PE surface information and hash values, concept drift showed the highest performance for certain data.

AB - As the Internet develops, the number of Internet of Things (IoT) devices increases. Simultaneously, the risk of IoT devices being infected with malware also increases. Thus, malware detection has become an important issue. Dynamic analysis logs are effective at detecting malware, but it takes time to collect a large amount of data because the malware must be executed at least once before the logs can be collected. Moreover, dynamic analysis logs are affected by external factors such as the execution environment. A malware detection method that uses a static property analysis log could solve these problems. In this study, deep learning (DL) was used as a machine learning method because DL is effective for large-scale data and can automatically extract features. Research has been conducted on malware detection using static properties of portable executable (PE) files, establishing that such detection is possible. However, research on malware detection using hash functions such as Fuzzy hash and peHash is lacking. Therefore, we investigated the characteristics of hash values in malware classification. Moreover, when the surface analysis log is viewed in chronological order, that the data are considered have concept drift characteristics. Therefore, we compared malware detection performance using data with the concept drift property. We found that the hash function could be used to prevent performance degradation even with concept drift data. In an experiment combining PE surface information and hash values, concept drift showed the highest performance for certain data.

KW - Deep learning

KW - Fuzzy hash

KW - Malware detection

KW - PE file

KW - peHash

UR - http://www.scopus.com/inward/record.url?scp=85128704778&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=85128704778&partnerID=8YFLogxK

U2 - 10.1007/978-3-030-99587-4_40

DO - 10.1007/978-3-030-99587-4_40

M3 - Conference contribution

AN - SCOPUS:85128704778

SN - 9783030995867

T3 - Lecture Notes in Networks and Systems

SP - 480

EP - 491

BT - Advanced Information Networking and Applications - Proceedings of the 36th International Conference on Advanced Information Networking and Applications AINA-2022

A2 - Barolli, Leonard

A2 - Hussain, Farookh

A2 - Enokido, Tomoya

PB - Springer Science and Business Media Deutschland GmbH

T2 - 36th International Conference on Advanced Information Networking and Applications, AINA 2022

Y2 - 13 April 2022 through 15 April 2022

ER -

Malware Classification by Deep Learning Using Characteristics of Hash Functions

Abstract

Publication series

Conference

Keywords

ASJC Scopus subject areas

Access to Document

Other files and links

Fingerprint

Cite this