Detailed Information

Cited 1 time in Web of Science; cited 1 time in Scopus

Evolutionary Triplet Network of Learning Disentangled Malware Space for Malware Classification

Authors
Park, Kyoung-Won; Bu, Seok-Jun; Cho, Sung-Bae
Issue Date
Sep-2022
Publisher
Springer Verlag
Keywords
Cybersecurity; Deep learning; Triplet network; Genetic optimization
Citation
Lecture Notes in Computer Science, v.13469, pp 311 - 322
Pages
12
Indexed
SCOPUS
Journal Title
Lecture Notes in Computer Science
Volume
13469
Start Page
311
End Page
322
URI
https://scholarworks.gnu.ac.kr/handle/sw.gnu/73659
DOI
10.1007/978-3-031-15471-3_27
ISSN
0302-9743
1611-3349
Abstract
With the advent of sophisticated deep learning models, various methods for classifying malware from structural features of source codes have been devised. Nevertheless, recent advanced detection-avoidance techniques actively imitate structural features of benign programs and share vulnerable subroutines, making it difficult to distinguish malicious attacks. Therefore, a method to distinguish and classify similar malicious attacks is urgent and significant. In this paper, we propose a method based on a triplet network of learning the disentangled malware space from assembly-level features beyond the structural characteristics of malware. The method comprises two major components, which are 1) triplet loss-trained network to disentangle deep representation between malware being close in the latent vector space, and 2) genetic optimization of assembly-level features to resolve collisions between thousands of assembly-level features. Experiments with the assembly and binary code dataset released from Microsoft show that the proposed method outperforms existing methods based on structural features, achieving the highest performance in 10-fold cross-validation. Moreover, we demonstrate the superiority of disentangled representation for malware classification by visualizing the latent space and ROC curves.
Files in This Item
There are no files associated with this item.
Appears in
Collections
ETC > Journal Articles

Items in ScholarWorks are protected by copyright, with all rights reserved, unless otherwise indicated.

Related Researcher

Seok-Jun, Buu
College of IT Engineering (School of Computer Engineering)