Detecting new obfuscated malware variants: A lightweight and interpretable machine learning approach

TL;DR

This paper introduces a lightweight, interpretable machine learning system that can detect new obfuscated malware variants, trained on a single malware subtype but capable of identifying multiple unseen subtypes with high accuracy.

Contribution

The study demonstrates that training on one malware subtype with feature selection enables detection of diverse unseen malware subtypes, advancing adaptable malware detection methods.

Findings

Achieved over 99.8% accuracy in detecting 15 malware subtypes.

System processes files in approximately 5.7 microseconds.

Feature selection improved interpretability and maintained high performance.

Abstract

Machine learning has been successfully applied in developing malware detection systems, with a primary focus on accuracy, and increasing attention to reducing computational overhead and improving model interpretability. However, an important question remains underexplored: How well can machine learning-based models detect entirely new forms of malware not present in the training data? In this study, we present a machine learning-based system for detecting obfuscated malware that is not only highly accurate, lightweight and interpretable, but also capable of successfully adapting to new types of malware attacks. Our system is capable of detecting 15 malware subtypes despite being exclusively trained on one malware subtype, namely the Transponder from the Spyware family. This system was built after training 15 distinct random forest-based models, each on a different malware subtype from the CIC-MalMem-2022 dataset. These models were evaluated against the entire range of malware subtypes, including all unseen malware subtypes. To maintain the system's streamlined nature, training was confined to the top five most important features, which also enhanced interpretability. The Transponder-focused model exhibited high accuracy, exceeding 99.8%, with an average processing speed of 5.7 microseconds per file. We also illustrate how the Shapley additive explanations technique can facilitate the interpretation of the model predictions. Our research contributes to advancing malware detection methodologies, pioneering the feasibility of detecting obfuscated malware by exclusively training a model on a single or a few carefully selected malware subtypes and applying it to detect unseen subtypes.