# Activation Analysis of a Byte-Based Deep Neural Network for Malware Classification

**Authors:** Scott E. Coull, Christopher Gardner

arXiv: 1903.04717 · 2019-08-02

## TL;DR

This study examines what a deep neural network trained on the raw bytes of executables actually learns about malware. It analyzes the model's activations at several levels of resolution, from individual byte embeddings up to the end-to-end model, maps those activations back to human-understandable features by parsing and disassembling the binaries, and examines how training-data volume and regularization affect the learned features and classifier performance.

## Contribution

It presents an activation-analysis approach for interpreting the features a byte-based neural network learns for malware classification, connecting them to the manually engineered features used by traditional models, and explores how training-data volume and regularization shape the learned representations.

## Key findings

- Identifies several meaningful features learned by the model and connects them to the manually derived features used by traditional machine learning classifiers
- Analyzes how training-data volume and regularization affect both the quality of the learned features and the efficacy of the resulting classifiers
- Finds, somewhat paradoxically, that better generalization does not necessarily yield better performance for byte-based malware classifiers

## Abstract

Feature engineering is one of the most costly aspects of developing effective machine learning models, and that cost is even greater in specialized problem domains, like malware classification, where expert skills are necessary to identify useful features. Recent work, however, has shown that deep learning models can be used to automatically learn feature representations directly from the raw, unstructured bytes of the binaries themselves. In this paper, we explore what these models are learning about malware. To do so, we examine the learned features at multiple levels of resolution, from individual byte embeddings to end-to-end analysis of the model. At each step, we connect these byte-oriented activations to their original semantics through parsing and disassembly of the binary to arrive at human-understandable features. Through our results, we identify several interesting features learned by the model and their connection to manually-derived features typically used by traditional machine learning models. Additionally, we explore the impact of training data volume and regularization on the quality of the learned features and the efficacy of the classifiers, revealing the somewhat paradoxical insight that better generalization does not necessarily result in better performance for byte-based malware classifiers.
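The abstract describes tying byte-oriented activations back to the binary's semantics by parsing it. The block below is an added example, not code from the paper or its authors, showing the parsing step in isolation: a minimal PE section-table parser, then attribution of a per-byte activation vector to the region (section, or header/overlay) each byte belongs to. Both the PE image and the activation values are constructed here for illustration; a real activation vector would come from whichever byte-based model is under study, and the paper's own analysis goes further (disassembly, embedding-level analysis) than this.

```python
"""Added example (not the paper's code): attribute per-byte activations to PE regions.

Both the PE-shaped image and the activation vector below are constructed for
illustration. A real activation vector would be produced by the model under
study, one value per input byte.
"""
import struct
from typing import Dict, List, Tuple

Section = Tuple[str, int, int]  # (name, PointerToRawData, SizeOfRawData)


def parse_sections(image: bytes) -> List[Section]:
    """Walk DOS header -> PE signature -> COFF header -> section table."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    (num_sections,) = struct.unpack_from("<H", image, coff + 2)
    (opt_size,) = struct.unpack_from("<H", image, coff + 16)
    table = coff + 20 + opt_size
    sections: List[Section] = []
    for i in range(num_sections):
        hdr = table + 40 * i
        name = image[hdr:hdr + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", image, hdr + 16)
        # Clamp to the file: a malformed header must not map bytes outside it.
        raw_ptr = min(raw_ptr, len(image))
        raw_size = min(raw_size, len(image) - raw_ptr)
        sections.append((name, raw_ptr, raw_size))
    return sections


def region_of(offset: int, sections: List[Section]) -> str:
    """Name the section whose raw data covers this file offset."""
    for name, ptr, size in sections:
        if ptr <= offset < ptr + size:
            return name
    return "headers/overlay"  # bytes not owned by any section's raw data


def attribute(image: bytes, acts: List[float]) -> Dict[str, float]:
    """Fraction of the total activation mass that falls in each region."""
    if len(acts) != len(image):
        raise ValueError("expected one activation per input byte")
    sections = parse_sections(image)
    totals: Dict[str, float] = {}
    for off, a in enumerate(acts):
        r = region_of(off, sections)
        totals[r] = totals.get(r, 0.0) + a
    grand = sum(totals.values()) or 1.0
    return {r: v / grand for r, v in totals.items()}


def top_offsets(image: bytes, acts: List[float], k: int = 3) -> List[Tuple[int, str, int]]:
    """(offset, region, byte value) for the k most strongly activated bytes."""
    sections = parse_sections(image)
    order = sorted(range(len(acts)), key=lambda i: acts[i], reverse=True)[:k]
    return [(i, region_of(i, sections), image[i]) for i in order]


def build_sample_pe() -> bytes:
    """Constructed PE-shaped image: DOS header, PE signature, COFF header,
    zeroed optional header, two sections. Parseable, not executable."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew -> PE signature
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0xE0, 0x0102)
    opt = bytes(0xE0)  # SizeOfOptionalHeader bytes, all zero

    def sec(name: bytes, raw_ptr: int, raw_size: int, chars: int) -> bytes:
        # IMAGE_SECTION_HEADER layout, 40 bytes
        return struct.pack("<8sIIIIIIHHI", name, raw_size, 0x1000, raw_size,
                           raw_ptr, 0, 0, 0, 0, chars)

    headers = (bytes(dos) + b"PE\0\0" + coff + opt
               + sec(b".text", 0x200, 0x200, 0x60000020)
               + sec(b".data", 0x400, 0x100, 0xC0000040))
    text = b"\x55\x8b\xec\x83\xec\x10" + b"\x90" * (0x200 - 6)  # prologue, then nops
    data = b"Hello\0".ljust(0x100, b"\0")
    return headers.ljust(0x200, b"\0") + text + data


def demo() -> Tuple[Dict[str, float], List[Tuple[int, str, int]]]:
    image = build_sample_pe()
    # Constructed activations: strong on the function prologue, weaker on the
    # string in .data, a trace on the e_lfanew field in the DOS header.
    acts = [0.0] * len(image)
    for i, v in enumerate((1.0, 0.75, 0.5, 0.25)):
        acts[0x200 + i] = v
    for i in range(6):
        acts[0x400 + i] = 0.25
    acts[0x3C] = 0.125
    return attribute(image, acts), top_offsets(image, acts, 3)


if __name__ == "__main__":
    fractions, top = demo()
    for region, frac in sorted(fractions.items(), key=lambda kv: -kv[1]):
        print(f"{region:16s} {frac:6.1%}")
    for off, region, byte in top:
        print(f"0x{off:04x} {region:16s} byte=0x{byte:02x}")
```

The per-region fractions are the coarse view (which parts of the file the model responds to); the top offsets are where a practitioner would next disassemble or parse further to name the feature, which is the step the paper carries out on real models. The clamping in `parse_sections` matters in practice because malware frequently ships malformed section tables.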

## Full text

_Full body text omitted from this summary view._ Fetch the complete paper as Markdown: https://tomesphere.com/paper/1903.04717/full.md

## Figures

17 figures with captions in the complete paper: https://tomesphere.com/paper/1903.04717/full.md

## References

23 references — full list in the complete paper: https://tomesphere.com/paper/1903.04717/full.md

---
Source: https://tomesphere.com/paper/1903.04717