Zipf-Gramming: Scaling Byte N-Grams Up to Production Sized Malware Corpora

TL;DR

This paper introduces Zipf-Gramming, a fast and scalable method for extracting top-k byte n-grams from large malware datasets, significantly improving malware detection accuracy and efficiency.

Contribution

We develop a novel Zipfian distribution-based top-k n-gram extraction algorithm that scales to terabyte-sized datasets, enabling more effective malware detection models.

Findings

Up to 35x faster top-k n-gram extraction

30% improvement in malware detection AUC

Scalable approach for large-scale malware corpora

Abstract

A classifier using byte n-grams as features is the only approach we have found fast enough to meet requirements in size (sub 2 MB), speed (multiple GB/s), and latency (sub 10 ms) for deployment in numerous malware detection scenarios. However, we've consistently found that 6-8 grams achieve the best accuracy on our production deployments but have been unable to deploy regularly updated models due to the high cost of finding the top-k most frequent n-grams over terabytes of executable programs. Because the Zipfian distribution well models the distribution of n-grams, we exploit its properties to develop a new top-k n-gram extractor that is up to $35\times$ faster than the previous best alternative. Using our new Zipf-Gramming algorithm, we are able to scale up our production training set and obtain up to 30\% improvement in AUC at detecting new malware. We show theoretically and empirically that our approach will select the top-k items with little error and the interplay between theory and engineering required to achieve these results.