A Comparison of Word2Vec, HMM2Vec, and PCA2Vec for Malware Classification
Aniket Chandak, Wendy Lee, Mark Stamp

TL;DR
This paper compares different word embedding techniques—HMM2Vec, PCA2Vec, and Word2Vec—for malware classification, demonstrating that embedding-based features improve classification accuracy over raw opcode sequences.
Contribution
It introduces HMM2Vec and PCA2Vec as novel embedding methods for malware analysis and compares their effectiveness with Word2Vec.
Findings
Embedding-based features outperform raw opcode sequence analysis.
Word2Vec achieves the highest classification accuracy among the methods.
Embedding techniques serve as effective feature engineering tools in malware classification.
Abstract
Word embeddings are often used in natural language processing as a means to quantify relationships between words. More generally, these same word embedding techniques can be used to quantify relationships between features. In this paper, we first consider multiple different word embedding techniques within the context of malware classification. We use hidden Markov models to obtain embedding vectors in an approach that we refer to as HMM2Vec, and we generate vector embeddings based on principal component analysis. We also consider the popular neural network based word embedding technique known as Word2Vec. In each case, we derive feature embeddings based on opcode sequences for malware samples from a variety of different families. We show that we can obtain better classification accuracy based on these feature embeddings, as compared to HMM experiments that directly use the opcode…
Taxonomy
Topics: Advanced Malware Detection Techniques · Spam and Phishing Detection · Cybercrime and Law Enforcement Studies
