Hidden Markov Models with Random Restarts vs Boosting for Malware Detection
Aditya Raghavan, Fabio Di Troia, Mark Stamp

TL;DR
This paper compares the effectiveness of random restarts and boosting techniques for training hidden Markov models in malware detection, finding that random restarts perform surprisingly well except in very limited data scenarios.
Contribution
It provides a comparative analysis of boosted HMMs and randomly restarted HMMs for malware detection, highlighting the circumstances where boosting offers significant advantages.
Findings
Random restarts perform well compared to boosting.
Boosting offers benefits mainly in cold start scenarios.
Boosting incurs higher computational costs.
Abstract
Effective and efficient malware detection is at the forefront of research into building secure digital systems. As with many other fields, malware detection research has seen a dramatic increase in the application of machine learning algorithms. One machine learning technique that has been used widely in the field of pattern matching in general, and malware detection in particular, is hidden Markov models (HMMs). HMM training is based on a hill climb, and hence we can often improve a model by training multiple times with different initial values. In this research, we compare boosted HMMs (using AdaBoost) to HMMs trained with multiple random restarts, in the context of malware detection. These techniques are applied to a variety of challenging malware datasets. We find that random restarts perform surprisingly well in comparison to boosting. Only in the most difficult "cold start" cases…
Taxonomy
Topics: Advanced Malware Detection Techniques · Network Security and Intrusion Detection · Anomaly Detection Techniques and Applications
