
Proceedings Paper
Convolutional neural networks for functional classification of opcode sequences
Paper Abstract
Traditional malware detection is performed by pattern-matching files against a database of known signatures. This approach has several limitations, including zero-day attacks and encryption. We envision an alternative strategy whereby machine learning (ML) models are trained to classify malware on dynamically derived CPU instruction streams. Many ML algorithms have the potential to recognize code fragments not explicitly seen before. Furthermore, the analysis of dynamic instruction streams (vs. static disassembly) potentially defeats encryption, as encrypted malware must decrypt itself before being operational. In this work, we begin to assess the viability of our vision by using convolutional neural networks to classify the function of various types of small programs from their stream of CPU instructions. Intriguingly, we find that a model composed of a few layers of convolutional filters performs on par with a shallow single-layer convolutional network.
Paper Details
Date Published: 9 May 2018
PDF: 8 pages
Proc. SPIE 10652, Disruptive Technologies in Information Sciences, 106520R (9 May 2018); doi: 10.1117/12.2302715
Published in SPIE Proceedings Vol. 10652:
Disruptive Technologies in Information Sciences
Misty Blowers; Russell D. Hall; Venkateswara R. Dasari, Editor(s)
Michael S. Lee, U.S. Army Research Lab. (United States)
