Abstract
Nowadays, the number of new malware samples discovered every day is in the millions, which undermines the effectiveness of the traditional signature-based approach to malware detection. To address this problem, machine learning methods have become an attractive and almost imperative solution. In most previous work, machine learning has been applied to this problem as batch learning. Because its setting is fixed during the learning phase, batch learning often yields low detection accuracy when it encounters zero-day samples with an obfuscated appearance or unseen behavior. Therefore, in this paper, we propose the FTRL-DP online algorithm to address the problem of malware detection under concept drift, i.e. when the behavior of malware changes over time. The experimental results show that online learning outperforms batch learning in all settings, either with or without retraining.
A Proof of Theorem 1
Proof
Recall the optimization objective of FTRL-DP:
Omitting the constant term \(\frac{1}{2}\lambda _p \sum _{s=1}^{t}\gamma ^{t-s}\Vert w_s\Vert _2^2\), we have:
In Eq. 9, \(z_t = g_{1:t}^\top - \lambda _p\sum _{s=1}^{t}\gamma ^{t-s}w_s^\top \) and \(r_t = \frac{1-\gamma ^t}{1-\gamma }\). Each component of w contributes independently to the objective function of Eq. 9 and hence can be solved for separately:
Note that \(w_i\) in Eq. 10 refers to the \(i^{\text {th}}\) component of w. Let \(f(w_i) = z_{t,i} w_i + \lambda _1\Vert w_i\Vert _1 + \frac{1}{2}\big (\lambda _2 + \lambda _p r_t\big )\Vert w_i\Vert _2^2\). There are two cases:
- If \(\Vert z_{t,i}\Vert _1 \le \lambda _1\), we have:
  $$f(w_i) \ge -\Vert z_{t,i} w_i\Vert _1 + \lambda _1\Vert w_i\Vert _1 + \frac{1}{2}\big (\lambda _2 + \lambda _p r_t\big )\Vert w_i\Vert _2^2$$
  $$f(w_i) \ge -\lambda _1\Vert w_i\Vert _1 + \lambda _1\Vert w_i\Vert _1 + \frac{1}{2}\big (\lambda _2 + \lambda _p r_t\big )\Vert w_i\Vert _2^2 = \frac{1}{2}\big (\lambda _2 + \lambda _p r_t\big )\Vert w_i\Vert _2^2 \ge 0$$
  so \(f(w_i)\) achieves its minimum at \(w_i = 0\).
- If \(\Vert z_{t,i}\Vert _1 \ge \lambda _1\), then \(z_{t,i}\) and \(w_i\) must have opposite signs at the minimum of \(f(w_i)\), as otherwise the sign of \(w_i\) could be flipped to reduce \(f(w_i)\) further. Therefore, it is equivalent to solving:
  $$w_{t+1,i} = \mathop {\mathrm {\arg \!\min }}_{w_i} z_{t,i} w_i - \mathrm {sign}(z_{t,i})\lambda _1\Vert w_i\Vert _1 + \frac{1}{2}\big (\lambda _2 + \lambda _p r_t\big )\Vert w_i\Vert _2^2$$
  which achieves its minimum at zero gradient, i.e. at \(w_i = -\frac{z_{t,i} - \mathrm {sign}(z_{t,i})\lambda _1}{\lambda _2 + \lambda _p r_t}\). This concludes the proof.
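The two cases of the proof give a closed-form per-coordinate update. The following added example (not code from the paper) implements that update and wraps it in a small online classifier that maintains \(g_{1:t}\), the decayed sum \(\sum_{s\le t}\gamma^{t-s}w_s\) and \(r_t\) as defined above. It assumes logistic loss for the per-round gradient \(g_t\), which the page does not specify; the class and function names and the toy data stream are my own.

```python
import numpy as np


def coordinate_objective(w_i, z_i, r_t, lam1, lam2, lam_p):
    """f(w_i) from the proof: z_i*w_i + lam1*|w_i| + 0.5*(lam2 + lam_p*r_t)*w_i^2."""
    return z_i * w_i + lam1 * abs(w_i) + 0.5 * (lam2 + lam_p * r_t) * w_i ** 2


def ftrl_dp_closed_form(z, r_t, lam1, lam2, lam_p):
    """Per-coordinate minimiser from Theorem 1: 0 when |z_i| <= lam1 (case 1),
    otherwise -(z_i - sign(z_i)*lam1) / (lam2 + lam_p*r_t) (case 2)."""
    z = np.asarray(z, dtype=float)
    w = np.zeros_like(z)
    active = np.abs(z) > lam1
    w[active] = -(z[active] - np.sign(z[active]) * lam1) / (lam2 + lam_p * r_t)
    return w


class FTRLDP:
    """Online logistic classifier driven by the Theorem 1 update (hypothetical name).
    Logistic loss is an assumption; the page does not fix the per-round loss."""

    def __init__(self, dim, lam1=0.1, lam2=1.0, lam_p=1.0, gamma=0.9):
        self.lam1, self.lam2, self.lam_p, self.gamma = lam1, lam2, lam_p, gamma
        self.w = np.zeros(dim)        # w_t, starts at w_1 = 0
        self.g_sum = np.zeros(dim)    # g_{1:t}, running sum of gradients
        self.prox = np.zeros(dim)     # sum_{s<=t} gamma^(t-s) w_s (decayed iterates)
        self.t = 0

    def predict_proba(self, x):
        return 1.0 / (1.0 + np.exp(-np.dot(self.w, x)))

    def update(self, x, y):
        """Observe one labelled sample (y in {0,1}) and compute w_{t+1}."""
        x = np.asarray(x, dtype=float)
        g = (self.predict_proba(x) - y) * x  # gradient of logistic loss at w_t
        self.t += 1
        self.g_sum += g
        self.prox = self.gamma * self.prox + self.w   # includes the s = t term
        r_t = (1.0 - self.gamma ** self.t) / (1.0 - self.gamma)
        z = self.g_sum - self.lam_p * self.prox       # z_t as defined in the proof
        self.w = ftrl_dp_closed_form(z, r_t, self.lam1, self.lam2, self.lam_p)
        return self.w


def train_on_toy_stream(rounds=20):
    """Constructed stream: feature 0 marks label 1, feature 1 marks label 0."""
    model = FTRLDP(dim=2)
    for _ in range(rounds):
        model.update([1.0, 0.0], 1)
        model.update([0.0, 1.0], 0)
    return model
```

`coordinate_objective` lets you check the closed form against a grid search over \(w_i\), which is a quick sanity check that the two cases of the theorem were transcribed correctly.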
Copyright information
© 2017 Springer International Publishing AG
Cite this paper
Huynh, N.A., Ng, W.K., Ariyapala, K. (2017). A New Adaptive Learning Algorithm and Its Application to Online Malware Detection. In: Yamamoto, A., Kida, T., Uno, T., Kuboyama, T. (eds) Discovery Science. DS 2017. Lecture Notes in Computer Science(), vol 10558. Springer, Cham. https://doi.org/10.1007/978-3-319-67786-6_2
DOI: https://doi.org/10.1007/978-3-319-67786-6_2
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-67785-9
Online ISBN: 978-3-319-67786-6