Relation-aware based Siamese Denoising Autoencoder for Malware Few-shot Classification

TL;DR

This paper introduces a relation-aware Siamese autoencoder that leverages semantic embeddings and entropy images to improve few-shot malware classification, especially for unseen zero-day exploits.

Contribution

It proposes a novel Siamese neural network with relation-aware embeddings and entropy image inputs to enhance detection of new, obfuscated malware samples in few-shot scenarios.

Findings

High accuracy in predicting unseen malware

Effective in handling obfuscation techniques

Superior to existing autoencoder approaches

Abstract

When malware employs an unseen zero-day exploit, traditional security measures such as vulnerability scanners and antivirus software can fail to detect them. This is because these tools rely on known patches and signatures, which do not exist for new zero-day attacks. Furthermore, existing machine learning methods, which are trained on specific and occasionally outdated malware samples, may struggle to adapt to features in new malware. To address this issue, there is a need for a more robust machine learning model that can identify relationships between malware samples without being trained on a particular malware feature set. This is particularly crucial in the field of cybersecurity, where the number of malware samples is limited and obfuscation techniques are widely used. Current approaches using stacked autoencoders aim to remove the noise introduced by obfuscation techniques through reconstruction of the input. However, this approach ignores the semantic relationships between features across different malware samples. To overcome this limitation, we propose a novel Siamese Neural Network (SNN) that uses relation-aware embeddings to calculate more accurate similarity probabilities based on semantic details of different malware samples. In addition, by using entropy images as inputs, our model can extract better structural information and subtle differences in malware signatures, even in the presence of obfuscation techniques. Evaluations on two large malware sample sets using the N-shot and N-way methods show that our proposed model is highly effective in predicting previously unseen malware, even in the presence of obfuscation techniques.