Data Augmentation for Opcode Sequence Based Malware Detection
Niall McLaughlin, Jesus Martinez del Rincon

TL;DR
This paper explores data augmentation techniques for improving Android malware detection using opcode sequences, introducing a novel adaptive method based on the malware detection network’s own embeddings.
Contribution
It presents the first systematic study of augmentation methods for opcode sequence malware classification and proposes a new adaptive augmentation technique using self-embedding language models.
Findings
Adaptive augmentation improves detection accuracy
Self-embedding based augmentation outperforms fixed transformations
Systematic comparison of augmentation methods for malware detection
Abstract
In this paper we study data augmentation for opcode sequence based Android malware detection. Data augmentation has been successfully used in many areas of deep-learning to significantly improve model performance. Typically, data augmentation simulates realistic variations in data to increase the apparent diversity of the training-set. However, for opcode-based malware analysis it is not immediately clear how to apply data augmentation. Hence we first study the use of fixed transformations, then progress to adaptive methods. We propose a novel data augmentation method -- Self-Embedding Language Model Augmentation -- that uses a malware detection network's own opcode embedding layer to measure opcode similarity for adaptive augmentation. To the best of our knowledge this is the first paper to carry out a systematic study of different augmentation methods for opcode sequence based Android…
Taxonomy
Topics: Advanced Malware Detection Techniques · Network Security and Intrusion Detection · Software Testing and Debugging Techniques
