Obfuscated Malware Detection Using Deep Generative Model based on Global/Local Features

Jin Young Kim, Sung Bae Cho

Research output: Contribution to journal › Article › peer-review

23 Citations (Scopus)

Abstract

As a large amount of malicious software (malware), such as DDoS or Trojan horse malware, pervades communication networks, several approaches based on global and local features have been attempted to cope with the modifications introduced in malware variants, such as null value insertion, code interchange, and reordering of subroutines. Detectors that use only one type of feature have been studied extensively, but detectors that use both are rarely investigated, although good performance might be expected from their complementary characteristics. In this paper, we propose a hybrid deep generative model that exploits global and local features together to detect malware variants effectively. It transforms malware into an image to efficiently represent global features with a pre-defined latent space, and extracts local features from the binary code sequences. The two features, each extracted from the data according to its own characteristics, are concatenated and fed into the malware detector. By using both features, the proposed model achieves an accuracy of 97.47%, which is state-of-the-art performance. We analyze which parts of the malware code affect the detection results through a class activation map (CAM) and, by analyzing the CAM results of the generated malware, confirm that virtual malware generation improves detection performance.

Original language: English
Article number: 102501
Journal: Computers and Security
Volume: 112
Publication status: Published - 2022 Jan

Bibliographical note

Publisher Copyright:
© 2021

All Science Journal Classification (ASJC) codes

  • Computer Science(all)
  • Law
