Neural malware analysis with attention mechanism

Objectives: In order to confront diverse types of malware that evolve from moment to moment, it is important to instantly acquire deep knowledge related to the characteristics of malware samples. This paper proposes a method by which to extract important byte sequences of a given malware sample that characterize the functionality of the sample, which reduces the workload of human analysts who investigate the functionality of the sample. Design & methods: By applying a convolutional neural network (CNN) with an attention mechanism to an image converted from binary data, the proposed method enables calculation of an attention map, which is expected to specify regions having higher importance for classification. This distinction of regions enables the extraction of characteristic byte sequences peculiar to the malware family from the binary data and can provide useful information for human analysts without a priori knowledge. Results: The results of an evaluation experiment using a malware dataset reveal that the sequences extracted by the proposed method provide useful information for manual analysis. For example, in the case of BackdoorWin32.Agobot. It, the region with the highest importance in the attention map points at a function to receive commands from a remote server via IRC. This result characterizes the behavior of its family, Worm:Win32/Gaobot, which executes commands sent via IRC to construct a botnet. Conclusions: By taking advantage of a CNN with the attention mechanism, the proposed method is shown to provide important regions in the binaries selectively for manual analysis of malware samples. (C) 2019 Elsevier Ltd. All rights reserved.