Echelon: Two-Tier Malware Detection for Raw Executables to Reduce False Alarms

TL;DR

Echelon introduces a two-tier malware detection framework that leverages raw byte data and neural network activations to reduce false alarms while maintaining high detection rates.

Contribution

The paper proposes a novel two-tier learning approach that locks false positive rates and enhances true positive rates without hand-crafted features.

Findings

Echelon effectively reduces false positive rates in malware detection.

The framework improves true positive rates while maintaining low false alarms.

Experimental results show compatibility with existing CNN-based models like Malconv.

Abstract

Existing malware detection approaches suffer from a simplistic trade-off between false positive rate (FPR) and true positive rate (TPR) due to a single tier classification approach, where the two measures adversely affect one another. The practical implication for malware detection is that FPR must be kept at an acceptably low level while TPR remains high. To this end, we propose a two-tiered learning, called ``Echelon", from raw byte data with no need for hand-crafted features. The first tier locks FPR at a specified target level, whereas the second tier improves TPR while maintaining the locked FPR. The core of Echelon lies at extracting activation information of the hidden layers of first tier model for constructing a stronger second tier model. Echelon is a framework in that it allows any existing CNN based model to be adapted in both tiers. We present experimental results of evaluating Echelon by adapting the state-of-the-art malware detection model ``Malconv" in the first and second tiers.