An Enhanced Stacked LSTM Method With No Random Initialization for Malware Threat Hunting in Safety and Time-Critical Systems

Bibliographic Details
Published in: IEEE Transactions on Emerging Topics in Computational Intelligence, 2020-10, Vol. 4 (5), p. 630-640
Main Authors: Jahromi, Amir Namavar; Hashemi, Sattar; Dehghantanha, Ali; Parizi, Reza M.; Choo, Kim-Kwang Raymond
Format: Article
Language: English
Summary: Malware detection is an increasingly important operational focus in cyber security, particularly given the fast pace of such threats (e.g., new malware variants introduced every day). In recent years, there has been increased interest in exploring the use of machine learning techniques in automating and enhancing the effectiveness of malware detection and analysis. In this paper, we present a deep recurrent neural network solution as a stacked long short-term memory (LSTM) with a pre-training as a regularization method to avoid random network initialization. In our proposed approach, we use global and short dependencies of the inputs. With pre-training, we avoid random initialization and are able to improve the accuracy and robustness of malware threat hunting. The proposed method speeds up the convergence, in comparison to the stacked LSTM, by reducing the length of malware OpCode or bytecode sequences. Hence, the complexity of our final method is reduced. This leads to better accuracy, higher Matthews Correlation Coefficients (MCC), and Area Under the Curve (AUC) in comparison to a standard LSTM with similar detection time. Our proposed method can be applied in real-time malware threat hunting, particularly for safety-critical systems, such as electronic health or Internet of Battlefield / Military of Things, where poor convergence of the model could lead to catastrophic consequences. We evaluate the effectiveness of our proposed method on Windows, Ransomware, Internet of Things (IoT), and Android malware datasets using both static and dynamic analysis. For the IoT malware detection, we also present a comparative summary of the performance on an IoT-specific dataset of our proposed method and the standard stacked LSTM method. More specifically, our proposed method achieves an accuracy of 99.1% in detecting IoT malware samples, with AUC of 0.985 and MCC of 0.95; thus outperforming standard LSTM-based methods in these key metrics.
ISSN: 2471-285X
DOI: 10.1109/TETCI.2019.2910243