Article

Deep learning-aided runtime opcode-based Windows malware detection

Journal

NEURAL COMPUTING & APPLICATIONS
Volume 33, Issue 18, Pages 11963-11983

Publisher

SPRINGER LONDON LTD
DOI: 10.1007/s00521-021-05861-7

Keywords

Malware detection; Deep learning; Opcodes; Natural language processing


Summary

This paper presents an alternative method for malware detection using assembly opcode sequences obtained during runtime, extracting deeper behavioral features through natural language processing and deep learning techniques. The method proves effective against novel malware and code obfuscation, achieving MCC scores as high as 0.95 on a more class-balanced dataset.

Abstract

Thousands of new malware codes are developed every day. Signature-based methods, which are employed by common malware detectors, are susceptible to code obfuscation and novel malware. In this paper, we present an alternative method for malware detection, which makes use of assembly opcode sequences obtained during runtime. First, for sequential opcode data, we utilize natural language processing and deep learning techniques to facilitate the extraction of deeper behavioral features. Owing to these features, this method can be impervious to code obfuscation and effective against novel malware. Finally, these features are fed to various machine learning algorithms for classification. The experiments on a more class-balanced dataset of 26869 samples demonstrated that an MCC (Matthews correlation coefficient) score as high as 0.95 is achievable with this approach. The MCC scores for the experiments conducted on imbalanced and artificially balanced datasets are 0.81 and 0.83, respectively.

