Quo Vadis: Hybrid Machine Learning Meta-Model based on Contextual and Behavioral Malware Representations

TL;DR

This paper introduces a hybrid machine learning framework combining contextual and behavioral analysis of Windows malware, leveraging kernel emulation and a large dataset to improve detection accuracy over existing methods.

Contribution

It presents a novel hybrid meta-model that integrates multiple deep learning models analyzing behavioral and contextual features, with a large emulation-based dataset and publicly released resources.

Findings

Improved malware detection rates over state-of-the-art models.

Meta-model detects malicious activity even with low individual model confidence.

Large-scale dataset enhances behavioral malware analysis capabilities.

Abstract

We propose a hybrid machine learning architecture that simultaneously employs multiple deep learning models analyzing contextual and behavioral characteristics of Windows portable executable, producing a final prediction based on a decision from the meta-model. The detection heuristic in contemporary machine learning Windows malware classifiers is typically based on the static properties of the sample since dynamic analysis through virtualization is challenging for vast quantities of samples. To surpass this limitation, we employ a Windows kernel emulation that allows the acquisition of behavioral patterns across large corpora with minimal temporal and computational costs. We partner with a security vendor for a collection of more than 100k int-the-wild samples that resemble the contemporary threat landscape, containing raw PE files and filepaths of applications at the moment of execution. The acquired dataset is at least ten folds larger than reported in related works on behavioral malware analysis. Files in the training dataset are labeled by a professional threat intelligence team, utilizing manual and automated reverse engineering tools. We estimate the hybrid classifier's operational utility by collecting an out-of-sample test set three months later from the acquisition of the training set. We report an improved detection rate, above the capabilities of the current state-of-the-art model, especially under low false-positive requirements. Additionally, we uncover a meta-model's ability to identify malicious activity in validation and test sets even if none of the individual models express enough confidence to mark the sample as malevolent. We conclude that the meta-model can learn patterns typical to malicious samples from representation combinations produced by different analysis techniques. We publicly release pre-trained models and anonymized dataset of emulation reports.