Automated Profiling-Based Zero-Day Malware Detection
(Motivation) The impact of malware attacks has grown, targeting critical infrastructure as well as commodity computing devices. A large body of work addresses malware detection, but signature-based and supervised machine learning approaches are, by their nature, largely limited to known malware. (Semi-supervised approach) Semi-supervised learning would be an option, but our preliminary studies suggest two limitations: (i) one-class (OC) classifiers can suffer from low detection rates, and (ii) the profiling-based approach (using an autoencoder) often requires an “ideal” threshold setting. (Proposed method) We tackle these challenges by combining autoencoding with OC classification: the autoencoder provides strong feature abstractions, while the OC classifier removes the need for complex threshold selection. (Evaluation) Our experimental results on a recent malware dataset (Meraz’18) show performance comparable to supervised learning methods, yielding up to 96% accuracy. The proposed method is also resilient to adversarial attacks, identifying evading samples better than supervised learning methods.