Artificial Intelligence Technology for Malware Family Detection

Master's thesis === National Taiwan University of Science and Technology === Department of Electrical Engineering === Academic year 107 === The rapid development of Internet of Things (IoT) devices and communication technologies has greatly expanded the applications of the internet. In response to people's pursuit of a high quality of life, the number of IoT devices and related services has increased...


Bibliographic Details
Main Authors: Wen-Han Kuo, 郭文翰
Other Authors: Jiann-Liang Chen
Format: Others
Language: en_US
Published: 2019
Online Access: http://ndltd.ncl.edu.tw/handle/3q8ee3
id ndltd-TW-107NTUS5442088
record_format oai_dc
spelling ndltd-TW-107NTUS5442088 2019-10-24T05:20:25Z http://ndltd.ncl.edu.tw/handle/3q8ee3 Artificial Intelligence Technology for Malware Family Detection 人工智慧技術於惡意軟體家族偵測之研究 Wen-Han Kuo 郭文翰 Master's thesis National Taiwan University of Science and Technology Department of Electrical Engineering Academic year 107 The rapid development of Internet of Things (IoT) devices and communication technologies has greatly expanded the applications of the internet. In response to people's pursuit of a high quality of life, the number of IoT devices and related services has increased annually. However, the importance of information security has been overlooked by the majority of people, prompting hackers and those with ulterior motives to use malware to attack security holes in internet applications. With the number of attack incidents increasing, a malware detection system has become imperative. This study proposed an integrated system framework that combines machine learning, deep learning, data balancing, and a feature evaluation mechanism to detect malware, and a family-based approach was used to present the classification results. The proposed framework can serve as a reference for antivirus companies and related service providers in developing adequate strategies for defending against malware attacks. This study acquired data from the CTU-13 open dataset, which was compiled by capturing traffic from a university network. The dataset includes normal, malware, and background traffic. To reduce the noise in the dataset and improve overall model efficiency, this study performed data analysis using feature evaluation methods including ANOVA, Chi-Square, and AutoEncoder. Features that reduce model accuracy were removed to shorten model computation time and improve model stability. Because the original dataset was imbalanced across the various classes of malware and benign software, a data balancing mechanism was introduced to resolve this problem. The SMOTEENN algorithm was used to generate data for minority classes, thereby alleviating model bias and enhancing overall model credibility. This study also considered that malware receives updates and grows in number over time. Therefore, the neural network architecture adopted in this study employs an activation function mechanism to detect malware. When an unknown malware program is found that does not belong to any family derived from the previous neural network architecture, this mechanism incorporates the program into the model training for the subsequent model update. Analysis of the efficiency of the proposed framework revealed that the detection models with XGBoost and Back Propagation reached accuracy rates of 99.98% and 98.88%, respectively. Jiann-Liang Chen 陳俊良 2019 Thesis ; thesis 93 en_US
collection NDLTD
language en_US
format Others
sources NDLTD
author2 Jiann-Liang Chen
author Wen-Han Kuo
郭文翰
author_sort Wen-Han Kuo
title Artificial Intelligence Technology for Malware Family Detection
publishDate 2019
url http://ndltd.ncl.edu.tw/handle/3q8ee3