Multimodal Techniques for Malware Classification
Jonathan Jiang, Mark Stamp

TL;DR
This paper explores multimodal machine learning techniques for malware classification using features from different sections of Windows PE files, demonstrating improved accuracy over baseline models.
Contribution
It introduces a multimodal approach combining features from PE headers and sections, showing that separate models on different parts enhance malware classification performance.
Findings
Multimodal models outperform baseline models.
Training on separate PE file parts improves accuracy.
Combining features from multiple sections yields better results.
Abstract
The threat of malware is a serious concern for computer networks and systems, highlighting the need for accurate classification techniques. In this research, we experiment with multimodal machine learning approaches for malware classification, based on the structured nature of the Windows Portable Executable (PE) file format. Specifically, we train Support Vector Machine (SVM), Long Short-Term Memory (LSTM), and Convolutional Neural Network (CNN) models on features extracted from PE headers, we train these same models on features extracted from the other sections of PE files, and train each model on features extracted from the entire PE file. We then train SVM models on each of the nine header-sections combinations of these baseline models, using the output layer probabilities of the component models as feature vectors. We compare the baseline cases to these multimodal combinations. In…
Taxonomy
Topics: Advanced Malware Detection Techniques · Network Security and Intrusion Detection · Anomaly Detection Techniques and Applications
Methods: Support Vector Machine
