Fast and Efficient Malware Detection with Joint Static and Dynamic Features Through Transfer Learning

TL;DR

This paper proposes a novel deep learning approach that combines static and dynamic malware features through latent space aggregation and knowledge distillation, achieving high detection accuracy with reduced analysis time.

Contribution

It introduces a method to create balanced aggregated features via latent space concatenation and employs knowledge distillation to train a static-only model that retains high accuracy.

Findings

Teacher model outperforms state-of-the-art by 2.38% accuracy.

Student model achieves 97.81% accuracy using only static features.

Detection time is reduced from over 70 seconds to under 0.2 seconds.

Abstract

In malware detection, dynamic analysis extracts the runtime behavior of malware samples in a controlled environment and static analysis extracts features using reverse engineering tools. While the former faces the challenges of anti-virtualization and evasive behavior of malware samples, the latter faces the challenges of code obfuscation. To tackle these drawbacks, prior works proposed to develop detection models by aggregating dynamic and static features, thus leveraging the advantages of both approaches. However, simply concatenating dynamic and static features raises an issue of imbalanced contribution due to the heterogeneous dimensions of feature vectors to the performance of malware detection models. Yet, dynamic analysis is a time-consuming task and requires a secure environment, leading to detection delays and high costs for maintaining the analysis infrastructure. In this paper, we first introduce a method of constructing aggregated features via concatenating latent features learned through deep learning with equally-contributed dimensions. We then develop a knowledge distillation technique to transfer knowledge learned from aggregated features by a teacher model to a student model trained only on static features and use the trained student model for the detection of new malware samples. We carry out extensive experiments with a dataset of 86709 samples including both benign and malware samples. The experimental results show that the teacher model trained on aggregated features constructed by our method outperforms the state-of-the-art models with an improvement of up to 2.38% in detection accuracy. The distilled student model not only achieves high performance (97.81% in terms of accuracy) as that of the teacher model but also significantly reduces the detection time (from 70046.6 ms to 194.9 ms) without requiring dynamic analysis.