A Vision Transformer Enhanced with Patch Encoding for Malware Classification

With various benefits through software technology development, malicious attacks to steal confidential and company information have constantly been increasing. Recent deep learning models with images converted from malicious code achieve meaningful results, but they have challenges in classifying the same malware family, like Ramnit, Tracur, and Obfuscator. ACY that have similar structures in the image. Instead of observing the overall global features, there is a need for a method of considering the position of local features and learning the relationships between them. In this paper, we propose a vision transformer enhanced with the additional encoding of multiple patches for location information of local features and relationship information between them. For learning considering position information and all relationships between patches, [CLS] tokens that can summarize all information are utilized. 10-fold cross-validation with the Microsoft challenge dataset shows that the proposed model produces better accuracy than comparable studies. The misclassification analysis confirms that the proposed method can detect the same malware family penetrated by the conventional deep learning model. Additional analysis with the activation map emphasizes which structural and sequential features are extracted to detect different codes belonging to the same malware family.