Corpus ID: 141512537

To believe or not to believe: Validating explanation fidelity for dynamic malware analysis

@inproceedings{Chen2019ToBO,
  title={To believe or not to believe: Validating explanation fidelity for dynamic malware analysis},
  author={Li Chen and Carter Yagemann and Evan Downing},
  booktitle={CVPR Workshops},
  year={2019}
}
Converting malware into images followed by vision-based deep learning algorithms has shown superior threat detection efficacy compared with classical machine learning algorithms. Key Method: For both case studies, we first train deep learning models via transfer learning on malware images, demonstrate high classification effectiveness, apply an explanation method on the images, and correlate the results back to the samples to validate whether the algorithmic insights are consistent with security domain…
1 Citations

References

SHOWING 1-10 OF 20 REFERENCES
Deep Transfer Learning for Static Malware Classification
TLDR
The proposed method outperforms other classical machine learning methods measured in accuracy, false positive rate, true positive rate and $F_1$ score (in binary classification).
HeNet: A Deep Learning Approach on Intel® Processor Trace for Effective Exploit Detection
TLDR
This paper presents HeNet, a hierarchical ensemble neural network applied to classify hardware-generated control flow traces for malware detection. It achieves 100% accuracy and 0% false positives on the test set, and higher classification accuracy compared to classical machine learning algorithms.
HeNet: A Deep Learning Approach on Intel® Processor Trace for Effective Exploit Detection
TLDR
HeNet, a hierarchical ensemble neural network, is applied to classify hardware-generated control flow traces for malware detection. It achieves 100% accuracy and 0% false positives on the test set, and higher classification accuracy compared to classical machine learning algorithms.
AVclass: A Tool for Massive Malware Labeling
TLDR
AVclass is described: an automatic labeling tool that, given the AV labels for a potentially massive number of samples, outputs the most likely family names for each sample. It implements novel automatic techniques to address 3 key challenges: normalization, removal of generic tokens, and alias detection.
LEMNA: Explaining Deep Learning based Security Applications
TLDR
LEMNA is proposed: a high-fidelity explanation method dedicated to security applications that approximates a local area of the complex deep learning decision boundary using a simple interpretable model and has a much higher fidelity level compared to existing methods.
Malware images: visualization and automatic classification
TLDR
Preliminary experimental results are quite promising with 98% classification accuracy on a malware database of 9,458 samples with 25 different malware families and the technique exhibits interesting resilience to popular obfuscation techniques such as section encryption.
Imbalanced Malware Images Classification: a CNN based Approach
TLDR
A simple yet effective weighted softmax loss which can be employed as the final layer of deep CNNs and aims at alleviating the impact of data imbalance in an end-to-end learning fashion.
Ether: malware analysis via hardware virtualization extensions
TLDR
Ether, a transparent and external approach to malware analysis, is proposed, which is motivated by the intuition that for a malware analyzer to be transparent, it must not induce any side-effects that are unconditionally detectable by malware.
BareCloud: Bare-metal Analysis-based Evasive Malware Detection
TLDR
BareCloud is presented, an automated evasive malware detection system based on bare-metal dynamic malware analysis, which introduces a novel approach of hierarchical similarity-based malware behavior comparison to analyze the behavior of a sample in the various analysis systems.
The power of procrastination: detection and mitigation of execution-stalling malicious code
TLDR
This paper presents the first approach to detect and mitigate malicious stalling code, and to ensure forward progress within the amount of time allocated for the analysis of a sample, and is able to detect additional malicious behavior in real-world malware samples.