An Efficient Detection of Malware by Naive Bayes Classifier Using GPGPU1footnote 11footnote 1Reference: Springer, Advances in Computer Communication and Computational Sciences, Vol. 924, pp. 255-262, 2019

An Efficient Detection of Malware by Naive Bayes Classifier Using GPGPU111Reference: Springer, Advances in Computer Communication and Computational Sciences, Vol. 924, pp. 255-262, 2019

Sanjay K. Sahay and Mayank Chaudhari
BITS, Pilani, Dept. of CS & IS, Goa Campus, Goa, India
Email: {ssahay, h20160014}@goa.bits-pilani.ac.in
Abstract

Due to continuous increase in the number of malware (according to AV-Test institute total malware are already known, and every day they register malware) and files in the computational devices, it is very important to design a system which not only effectively but can also efficiently detect the new or previously unseen malware to prevent/minimize the damages. Therefore, this paper presents a novel group-wise approach for the efficient detection of malware by parallelizing the classification using the power of GPGPU and shown that by using the Naive Bayes classifier the detection speed-up can be boosted up to 200x. The investigation also shows that the classification time increases significantly with the number of features.  
Keywords: Malware Detection, GPGPU, Machine Learning, Computer Security.

1 Introduction

The ubiquity of the Internet has engendered the prevalence of information sharing among networked users and organizations, and in todays information era, most of the computing devices are connected to the Internet, which has rendered possible countless invasions of privacy/security worldwide from the malware (malicious software). In 1970 the first virus was created [2], and since then malware are not only continuously evolving with high complexity to evade the available detection techniques, but also the new variants of malware are increasing exponentially, as a consequence, malware defense is becoming a difficult task to protect the computational devices from it. The use of malware for espionage, sophisticated cyber attacks, and other crimes motivated to develop an advanced method to combat the threats/attacks from it [9] [3] [18][21]. However, due to the exponential increase in the number of malware (according to AV-Test institute total malware are already known, and every day they register malware [11])), anti-malware industries not only facing major challenges to check the potential malicious content but to detect the malware efficiently. The reason behind these high volumes of malware is basically in the advancement of second-generation malware which can create millions of its variants by using different obfuscation techniques [20]. The malware attack/threat are not only limited to individual boundaries, but they are highly skilled state-funded hackers writing customized malicious payloads to disrupt political, industrial working and military espionage [5] [24] [17]. The most high-profile, subversive incident was a series of intrusions against the Democratic Party in the US presidential election [5].

In 2017 McAfee has more than 780 million malware samples in their database, and in the 3rd quarter of 2017 there was a 10% increase in the number of the new malware, in addition in the same quarter they have observed a 60% increase in new mobile malware in the Android devices which are mainly due to increase in Android screen locking ransomware [14]. The Symantec 2017 Internet Security Threat report indicates that there were 357 million new malware variants [5]. The recent Internet Security Threat Report from Symantec shows an increase of 88% in overall malware variants [6]. Hence, if adequate advancement in anti-malware technique is not achieved, consequences at this scale at which new malware are being developed can create fatal effects, and the results will be more severe then past. In this recently, various machine learning techniques have been proposed by authors [1] [4] [23] [25], which can enhance the capabilities of traditional malware detection system viz. signature matching technique, but with the use of a complex machine learning the detection time increases. Therefore, understanding the exponential increase in the number of malware released every year and files in the computational device, it is very important to design a system which not only effectively but can also efficiently detect the new or previously unseen malware to prevent/minimize the damages. Hence in this paper, we present a novel efficient group-wise static malware analysis approach for the efficient detection of malware by parallelizing the classification using the power of general-purpose graphics processing unit (GPGPU) and shown that by using the Naive Bayes classifier the detection speed-up can be boosted up to 200x. Accordingly, section 2 briefly discusses the related work done in this field. Section 3 describes the data preprocessing and how features are selected for the classification. Section 4 contains the experimental and the result analysis of our approach. Finally, we summarize our conclusion in Section 5.

2 Related Work

With the evolution of complex second-generation malware which can generate millions of its variant, the detection techniques have also been made significant progress from the early day traditional signature matching to deep learning techniques to improve the detection accuracy [8]. In this recently Ashu et al. showed that group-wise classification of Windows malware in the range of 5 KB, the detection accuracy can be achieved up to 97.95% [21]. Similarly, they have also shown that on an average 97.15% detection of Android malware can be achieved by permission-based group-wise detection system [22]. However, understanding the exponential growth of malware and the number of file in our system it is equally important to focus on the design of an efficient malware detection system. In this Ciprian Pungila and Viorel Negru in 2012 has proposed an efficient memory compression model for virus signature matching using GPGPU [15]. They were able to achieve 22 less memory utilization and 38 times higher bandwidth compared to their single-core implementation. In 2014, Che-Lun Hung et al., proposed a GPU based botnet detection technique [10]. They implemented the network traffic reduction on GPU and were able to achieve eight times performance over CPU based traffic reduction. For Android devices, Manel Abdellatif et al. in 2015 has designed and implemented a host-based parallel anti-malware based on mobile GPU [13]. Their implementation was three times faster than the serial implementation on CPU. In 2016, to accelerate the statistical detection of zero-day malware Igor Korkin et al. has proposed a technique using CUDA-enabled GPU Hardware [12]. In their work, they used GPU mainly for achieving speedup in memory forensic task. Recently, Radu Velea et al. has proposed a CPU/GPU based hybrid approach to accelerate pattern matching of the malware [26]. In their work they found that the hybrid approach takes half of the time compared to the CPU implementation only and consumes 25% less power.

3 Data Preprocessing and Feature Selection

For the experimental analysis, we downloaded 11,355 malware from the malicia-project dataset (one of author possess the dataset [23])) and collected 2967 benign programs (also verified from virustotal.com) from different windows operating systems. It has been observed that 97.18% malware in the Malicia dataset is below 500 KB [21]. Therefore, we took both the samples (i.e., malware and benign programs) which are below 500 KB, and left with 11,305 malware and 2360 benign executables for the analysis. Also, the investigation by Ashu et al. shows that the variation in the size of the malware generated by malware kits viz. NGVCK, PS-MPC, and G2 do not vary by more than 5 KB range. Therefore, for efficient and effective classification we partitioned the datasets in 100 group each of 5 KB size.

We selected the opcodes of the executable as a feature for the classification of malware because the difference in the opcode occurrence between the malware and benign executable differ in large [19][21]. Therefore the prominent features i.e., opcodes from the data set which can differentiate the malware from benign programs are obtained as given by the Ashu et al. [23][21] i.e., by normalizing the opcodes occurrence difference between the malware and benign executables for all the formed groups independently, and finally top k-features (opcodes) are selected from each group separately for the efficient and effective detection of the malware.

4 Our Approach and Experimental Analysis

A schematic of the experimental analysis of our approach is shown in the fig. 1. For the purpose, we randomly split the dataset (containing only opcode occurrence of every executable) for the training and testing of the malicious and benign dataset

Figure 1: A schematic of our approach for the efficient detection of malware.

separately (a conservative side as per the suggested norms to ensure optimal performance [7]) in the ratio of 2:1 and used Naive Bayes classifier (as the paper focusses on the efficient detection of malware, not on the accuracy, therefore for simplicity we selected the Naive Bayes classifier) which assume strong class independence between different attributes under consideration, i.e., if the given set of (opcodes in our case), A = , then the Naive Bayes model computes posterior probability for target class C (malware/benign) and can be represented as [23]

where, is the posterior probability of an executable sample of belonging to class C. Hence one can calculate the posterior probabilities for the test executable, and if the malware class probability is higher then it is classified as malware otherwise it is labeled as benign.

The experiment has been conducted in Intel i7-7700HQ quad-core processor with a base frequency of 2.8 GHz, 8 GB RAM, Pascal architecture (GP107) based Nvidia 1050Ti GPU with 768 CUDA cores distributed across 6 SMP and 4GB GPU DRAM operating on a base speed of 1291 MHz.

To improve the detection efficiency, we trained the model for all the groups independently with top k-features obtained from each group, except the group which has less than six files either in malware or benign. We find that 5, 8, 61, 65, 97, 98 and 100th group have less then six files in either category (benign or malware). For the actual implementation if any group have less than the minimum set number of file, than that group file can be classified/tested with the next group trained model.

First we investigated the classification time taken by the CPU by selecting the top 20, 40, 80, 100, 160 and 200 features (figs. 2 and 3) from each group and the

Figure 2: Time taken by the CPU to classify the files in the multiple of 768 files by varying the number features.
Figure 3: Time taken by the GPU to classify the files in the mulitple of 768 files by varying the number features.

number of file in multiple of 768 (i.e., number of cores in the GPU), and the results obtained are shown in fig. 2. Next, we find the time taken by GPU after distributing our trained model among all the 768 cores such that trained model of the particular group, the corresponding test file, and top k-features shall be in same core so that parallelization of the tasks in GPU can be optimally used. Then we observed the time taken by the GPU by giving the file in the multiple of 768 for the testing/classification and the results obtained are shown in fig. 3.

The analysis shows that the classification/testing time is also dependent on the number of features, and with the increase in the number of files in the multiple of number cores of GPU, the CPU proportionally take more time than GPU (figs. 2 and 3). Therefore, experimented with various sets of features and found that the detection accuracy improves by increasing the number of features till top 200 features, after that there is no significant change in accuracy, and remains around 87%. Therefore, we investigated the speed-up with top 200 features (speed-up can be written as, Sp = Tc/Tp, where Tc is the time taken to execute the sequential program and Tp is the time taken to execute the program in parallel, i.e., in GPU with P number of cores [16]) and almost all the dataset (as our focus is on the efficiency not on the effectiveness of the classification) for the improvement in the performance due the parallelization of the task using GPU that can be achieved from the given system, and the obtained result is shown in fig. 4. We observed that the parallel implementation for the classification of malware using GPU by Naive Bayes algorithm is able to achieve speed-up up to 200 (not taking in account of the overhead involved in the processes).

Figure 4: Classification speed-up due to parallelization of the task using the GPU.

5 Conclusion

We present a novel group-wise approach (to the best of our knowledge, this is the first paper that group-wise classifies the malware using the power of GPGPU) for the efficient detection of new or previously unseen malware by parallelizing the classification using the power of GPGPU and shown that by using the Naive Bayes classifier the classification speed-up can be boosted up to 200x (not taking in account of the overhead involved in the processes). However, one has to study the performance using the classical Random Forest classifier and Deep Learning methods for the efficient and high accuracy classification. Also, the trade-off between the efficiency and accuracy has to be investigated in-depth, i.e., optimal features selection (as classification time significantly increases with the number of features) to train the model after appropriately grouping the input data for the detection of malware, and in this direction work is in progress.

References

  • [1] Kevin Allix, Tegawendé F. Bissyandé, Quentin Jérome, Jacques Klein, Radu State, and Yves Le Traon. Large-scale machine learning-based malware detection: Confronting the ”10-fold cross validation” scheme with reality. In Proceedings of the 4th ACM Conference on Data and Application Security and Privacy, CODASPY ’14, pages 163–166, New York, NY, USA, 2014. ACM.
  • [2] Daniel Bilar. Opcodes as predictor for malware. Int. J. Electron. Secur. Digit. Forensic, 1(2):156–168, January 2007.
  • [3] Brian M. Bowen, Pratap V. Prabhu, Vasileios P. Kemerlis, Stylianos Sidiroglou, Salvatore J. Stolfo, and Angelos D. Keromytis. Methods, systems, and media for detecting covert malware, May 2018.
  • [4] Julio Canto, Marc Dacier, Engin Kirda, and Corrado Leita. Large scale malware collection : lessons learned. In SRDS 2008, 27th International Symposium on Reliable Distributed Systems, October 6-8, 2008, Napoli, Italy, Napoli, ITALY, 10 2008.
  • [5] Symantec Corporation. Internet Security Threat Report. Technical report, April 2017 (Date last accessed 31-May-2018).
  • [6] Symantec Corporation. Internet Security Threat Report. Technical report, April 2018 (Date last accessed 31-May-2018).
  • [7] Isabelle Guyon. A scaling law for the validation-set training-set size ratio. In AT & T Bell Laboratories, 1997.
  • [8] Alex Huang, Abdullah Al-Dujaili, Erik Hemberg, and Una-May O’Reilly. Adversarial deep learning for robust detection of binary encoded malware. CoRR, abs/1801.02950, 2018.
  • [9] Shamsul Huda, Rafiqul Islam, Jemal Abawajy, John Yearwood, Mohammad Mehedi Hassan, and Giancarlo Fortino. A hybrid-multi filter-wrapper framework to identify run-time behaviour for fast malware detection. Future Generation Computer Systems, 83:193–207, jun 2018.
  • [10] Che-Lun Hung and Hsiao-Hsi Wang. Parallel botnet detection system by using gpu. 2014 IEEE/ACIS 13th International Conference on Computer and Information Science (ICIS), pages 65–70, 2014.
  • [11] AV-Test institute. Malware statistics 2018. https://www.av-test.org/en/statistics/malware/, 2018. [Online; accessed 10-June-2018].
  • [12] Igor Korkin and Iwan Nesterow. Acceleration of statistical detection of zero-day malware in the memory dump using cuda-enabled GPU hardware. CoRR, abs/1606.04662, 2016.
  • [13] Chamseddine Talhi Manel Abdellatif, Abdelawahab Hamou-Lhadj, and Michel Dagenais. On the use of mobile gpu for accelerating malware detection using trace analysis. In 2015 IEEE 34th Symposium on Reliable Distributed Systems Workshop (SRDSW), pages 38–, Montreal, QC, Canada, 2016.
  • [14] McAfee. McAfee Labs Threats Report. Technical report, December 2017.
  • [15] Ciprian Pungila and Viorel Negru. A highly-efficient memory-compression approach for gpu-accelerated virus signature matching. International Conference on Information Security (ISC 2012), pages 354–369, 2012.
  • [16] Michael J. Quinn. Parallel computing: Theory and practice. pages 80–83, 2002.
  • [17] Tim Conway Robert M. Lee, Michael J. Assante. Analysis of the Cyber Attack on the Ukrainian Power Grid. Technical report, E-ISAC group SANS, 2016.
  • [18] Royi Ronen, Marian Radu, Corina Feuerstein, Elad Yom-Tov, and Mansour Ahmadi. Microsoft malware classification challenge. CoRR, abs/1802.10135, 2018.
  • [19] Sanjay K. Sahay and Ashu Sharma. Grouping the executables to detect malwares with high accuracy. Procedia Comput. Sci., 78(C):667–674, March 2016.
  • [20] Ashu Sharma and S. K. Sahay. Evolution and Detection of Polymorphic and Metamorphic Malwares: A Survey. International Journal of Computer Applications, 90(2):7–11, March 2014.
  • [21] Ashu Sharma and S. K. Sahay. An effective approach for classification of advanced malware with high accuracy. International Journal of Security and Its Applications, 10(4):249–266, 2016.
  • [22] Ashu Sharma and S. K. Sahay. Group-wise classification approach to improve android malicious apps detection accuracy. International Journal of Network Security, 2018, in press.
  • [23] Ashu Sharma, S. K. Sahay, and Abhishek Kumar. Improving the detection accuracy of unknown malware by partitioning the executables in groups. In Advances in Intelligent System and Computing; Proceedings 9th ICACCT, 2015, page 421. Springer, 2016.
  • [24] R. Stone. A call to cyber arms. Science, 339(6123):1026–1027, 2013.
  • [25] Daniele Ucci, Leonardo Aniello, and Roberto Baldoni. Survey on the usage of machine learning techniques for malware analysis. CoRR, abs/1710.08189, 2017.
  • [26] Radu Velea and Stefan Dragan. Cpu/gpu hybrid detection for malware signatures. 2017 International Conference on Computer and Applications (ICCA), pages 85–89, 2017.
Comments 0
Request Comment
You are adding the first comment!
How to quickly get a good reply:
  • Give credit where it’s due by listing out the positive aspects of a paper before getting into which changes should be made.
  • Be specific in your critique, and provide supporting evidence with appropriate references to substantiate general statements.
  • Your comment should inspire ideas to flow and help the author improves the paper.

The better we are at sharing our knowledge with each other, the faster we move forward.
""
The feedback must be of minimum 40 characters and the title a minimum of 5 characters
   
Add comment
Cancel
Loading ...
370697
This is a comment super asjknd jkasnjk adsnkj
Upvote
Downvote
""
The feedback must be of minumum 40 characters
The feedback must be of minumum 40 characters
Submit
Cancel

You are asking your first question!
How to quickly get a good answer:
  • Keep your question short and to the point
  • Check for grammar or spelling errors.
  • Phrase it like a question
Test
Test description