I-MAD: Interpretable Malware Detector Using Galaxy Transformer

TL;DR

The paper introduces I-MAD, an interpretable malware detection model using Galaxy Transformer that effectively models assembly code semantics and provides clear explanations, outperforming existing static malware detectors.

Contribution

It proposes a novel Galaxy Transformer network for malware detection that captures assembly code semantics and an interpretable neural network for explanations, achieving superior accuracy.

Findings

Outperforms state-of-the-art static malware detection models

Provides meaningful interpretations of detection results

Achieves high detection accuracy with interpretability

Abstract

Malware currently presents a number of serious threats to computer users. Signature-based malware detection methods are limited in detecting new malware samples that are significantly different from known ones. Therefore, machine learning-based methods have been proposed, but there are two challenges these methods face. The first is to model the full semantics behind the assembly code of malware. The second challenge is to provide interpretable results while keeping excellent detection performance. In this paper, we propose an Interpretable MAlware Detector (I-MAD) that outperforms state-of-the-art static malware detection models regarding accuracy with excellent interpretability. To improve the detection performance, I-MAD incorporates a novel network component called the Galaxy Transformer network that can understand assembly code at the basic block, function, and executable levels. It also incorporates our proposed interpretable feed-forward neural network to provide interpretations for its detection results by quantifying the impact of each feature with respect to the prediction. Experiment results show that our model significantly outperforms existing state-of-the-art static malware detection models and presents meaningful interpretations.