Malytics: A Malware Detection Scheme
Mahmood Yousefi-Azar, Len Hamey, Vijay Varadharajan, Shiping Chen

TL;DR
Malytics is a novel malware detection scheme that uses static features and neural networks to accurately identify malware, including zero-day threats, across Android and Windows platforms with high precision and efficiency.
Contribution
It introduces a platform-independent malware detection method combining tf-simhashing with neural networks, achieving high accuracy and robustness against zero-day malware.
Findings
F1-score of 97.21% on Android and 99.45% on Windows.
Outperforms existing learning-based and state-of-the-art models.
Efficient and suitable for deployment on resource-constrained devices.
Abstract
An important problem of cyber-security is malware analysis. Besides good precision and recognition rate, a malware detection scheme needs to be able to generalize well to novel malware families (a.k.a. zero-day attacks). It is important that the system does not require excessive computation, particularly for deployment on mobile devices. In this paper, we propose a novel scheme to detect malware which we call Malytics. It is not dependent on any particular tool or operating system. It extracts static features of any given binary file to distinguish malware from benign files. Malytics consists of three stages: feature extraction, similarity measurement and classification. The three phases are implemented by a neural network with two hidden layers and an output layer. We show that feature extraction, which is performed by tf-simhashing, is equivalent to the first layer of a particular neural…
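The feature-extraction stage the abstract describes, as an added example that is not the paper's own code: a tf-simhash over byte n-grams, written once in its hashing form and once as the equivalent fixed first layer of a neural network (tf input vector, frozen ±1 weight matrix, sign activation). The n-gram length (2), hash width (64 bits) and the SHA-256-seeded ±1 projections are assumptions; the page does not state the paper's exact choices.

```python
import hashlib
import numpy as np

N = 2     # byte n-gram length (assumption; the page does not state it)
DIM = 64  # simhash width in bits (assumption)

def byte_ngram_tf(data: bytes, n: int = N) -> dict:
    """Term frequency of each overlapping byte n-gram in a binary blob."""
    total = max(1, len(data) - n + 1)
    counts = {}
    for i in range(len(data) - n + 1):
        g = data[i:i + n]
        counts[g] = counts.get(g, 0) + 1
    return {g: c / total for g, c in counts.items()}

def ngram_weights(gram: bytes, dim: int = DIM) -> np.ndarray:
    """Fixed pseudo-random +/-1 vector per n-gram, derived from its SHA-256 so no
    weight table has to be stored: the random-projection half of simhash."""
    seed = int.from_bytes(hashlib.sha256(gram).digest()[:4], "big")
    return np.random.default_rng(seed).choice([-1.0, 1.0], size=dim)

def tf_simhash(data: bytes, dim: int = DIM, n: int = N) -> np.ndarray:
    """Hashing form: tf-weighted vote of each n-gram's +/-1 vector, then the sign."""
    acc = np.zeros(dim)
    for g, f in byte_ngram_tf(data, n).items():
        acc += f * ngram_weights(g, dim)
    return (acc > 0).astype(np.int8)

def tf_simhash_as_layer(data: bytes, vocab: list, dim: int = DIM, n: int = N) -> np.ndarray:
    """Neural-layer form of the same computation: tf input vector over a fixed
    vocabulary, one frozen weight matrix W (len(vocab) x dim), sign activation."""
    tf = byte_ngram_tf(data, n)
    x = np.array([tf.get(g, 0.0) for g in vocab])         # input layer
    W = np.stack([ngram_weights(g, dim) for g in vocab])  # first-layer weights
    return (x @ W > 0).astype(np.int8)

def similarity(h1: np.ndarray, h2: np.ndarray) -> float:
    """Fraction of agreeing bits, i.e. 1 - normalised Hamming distance."""
    return float(np.mean(h1 == h2))

# Constructed sample "binaries": a blob, a lightly patched copy, unrelated bytes.
SAMPLE_A = bytes(range(256)) * 4
SAMPLE_A_PATCHED = SAMPLE_A[:100] + b"\x90" * 4 + SAMPLE_A[104:]
SAMPLE_B = hashlib.sha256(b"unrelated").digest() * 32

if __name__ == "__main__":
    ha = tf_simhash(SAMPLE_A)
    print("A vs patched A:", similarity(ha, tf_simhash(SAMPLE_A_PATCHED)))
    print("A vs B:        ", similarity(ha, tf_simhash(SAMPLE_B)))
```

Near-identical files land on nearly identical hashes while unrelated bytes agree on roughly half the bits, which is what lets the later similarity and classification stages work on fixed-width vectors instead of raw binaries.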
Peer Reviews
No public reviews on file for this paper yet.
Videos
No videos yet.
