
A Comprehensive Study On Learning-based PE Malware Family Classification Methods

Posted on: 2022-08-31
Degree: Master
Type: Thesis
Country: China
Candidate: Y X Ma
Full Text: PDF
GTID: 2558307154974539
Subject: Computer Science and Technology
Abstract/Summary:
Driven by high profits, Portable Executable (PE) malware has been consistently evolving in both volume and sophistication. Against this background, the PE malware family classification task has attracted great attention and a large number of approaches have been proposed. Among them, with the rapid development of machine learning techniques, especially deep learning, and the promising results they have achieved in malware analysis, learning-based algorithms have also gained popularity for PE malware family classification. Categorized by the input format they take, the three mainstream learning-based approaches are image-based, binary-based and disassembly-based. Although many approaches have been published, there is no consistent comparison among them, especially from the perspective of practical industry adoption. Moreover, there is no comparison under concept drift, which is a fact of life for malware classification given how fast malware evolves.

This work conducts a systematic and thorough empirical study of the three categories of learning-based PE malware classification approaches (9 methods in total) on 4 different datasets under consistent experimental settings. Based on the quantitative results and an interview with our industry partners, this work finds that (1) no individual class of methods significantly outperforms the others across the different datasets; (2) all classes of methods degrade under concept drift (by an average F1-score of 32.23%); and (3) long prediction time, vulnerability to concept drift and high memory consumption hinder existing approaches from being adopted in industry. This work further explores a solution to concept drift, a common problem in the methods studied. Specifically, it proposes mapping each malware sample to a low-dimensional vector representation using a convolutional neural network trained with triplet loss, and then using that representation for MAD-based distance measurement. This method effectively detects drift samples belonging to a new category (average F1-score 98.98%) and can also rank the detected samples by their degree of drift, which helps manual investigation in practice.
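The following is an added illustration of the drift-detection step described above; it is not code from the thesis. It assumes that "MAD" stands for median absolute deviation (the abstract does not spell it out), that the CNN trained with triplet loss has already produced embedding vectors, and it stands in for those embeddings with small constructed 4-D clusters rather than real malware features. The triplet-loss function shows the objective the embedding network is trained against; the detector then models each known family by its centroid and the median and MAD of member distances, flags a sample as drift when its MAD-normalised distance to every known family exceeds a threshold (3.5 is an assumed cut-off), and ranks flagged samples by that score so an analyst can start with the most novel ones.

```python
import math
from typing import Dict, List, Sequence, Tuple

Vector = Sequence[float]


def euclidean(a: Vector, b: Vector) -> float:
    """Euclidean distance between two embedding vectors."""
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def triplet_loss(anchor: Vector, positive: Vector, negative: Vector, margin: float = 1.0) -> float:
    """Triplet loss for one (anchor, positive, negative) triple, squared-distance form:
    max(0, d(a,p)^2 - d(a,n)^2 + margin). Training drives this towards zero so that
    same-family samples cluster and other families sit at least `margin` away."""
    d_pos = euclidean(anchor, positive) ** 2
    d_neg = euclidean(anchor, negative) ** 2
    return max(0.0, d_pos - d_neg + margin)


def median(values: Sequence[float]) -> float:
    s = sorted(values)
    n = len(s)
    mid = n // 2
    return s[mid] if n % 2 else (s[mid - 1] + s[mid]) / 2.0


def mad(values: Sequence[float]) -> float:
    """Median absolute deviation of the values around their median (assumed meaning of MAD)."""
    m = median(values)
    return median([abs(v - m) for v in values])


class MADDriftDetector:
    """Per-family centroid plus MAD-normalised distance; drift = far from every known family."""

    def __init__(self, threshold: float = 3.5, eps: float = 1e-9):
        self.threshold = threshold  # assumed cut-off on the normalised distance
        self.eps = eps              # floor so a zero MAD cannot divide by zero
        self.families: Dict[str, Tuple[List[float], float, float]] = {}

    def fit(self, embeddings: Dict[str, List[Vector]]) -> None:
        """Record centroid, median distance and MAD of distances for each known family."""
        for name, vecs in embeddings.items():
            dim = len(vecs[0])
            centroid = [sum(v[i] for v in vecs) / len(vecs) for i in range(dim)]
            dists = [euclidean(v, centroid) for v in vecs]
            self.families[name] = (centroid, median(dists), max(mad(dists), self.eps))

    def score(self, x: Vector) -> Tuple[str, float]:
        """Return (nearest family, drift score). The score is (distance - median) / MAD for
        the family where that value is smallest; a large score means x fits no family."""
        best_name, best_z = "", math.inf
        for name, (centroid, med, spread) in self.families.items():
            z = (euclidean(x, centroid) - med) / spread
            if z < best_z:
                best_name, best_z = name, z
        return best_name, best_z

    def is_drift(self, x: Vector) -> bool:
        return self.score(x)[1] > self.threshold

    def rank_drift(self, samples: List[Vector]) -> List[Tuple[int, str, float]]:
        """(index, nearest family, score) for every drift sample, highest drift first."""
        flagged = []
        for idx, x in enumerate(samples):
            name, z = self.score(x)
            if z > self.threshold:
                flagged.append((idx, name, z))
        return sorted(flagged, key=lambda t: t[2], reverse=True)


def build_sample_families() -> Dict[str, List[Vector]]:
    """Constructed 4-D embeddings standing in for CNN outputs: three families, each a
    tight cluster around a unit-axis centre. Not real malware data."""
    offsets = [(0.04, 0, 0, 0), (-0.04, 0, 0, 0), (0, 0.06, 0, 0), (0, -0.06, 0, 0),
               (0, 0, 0.08, 0), (0, 0, -0.08, 0), (0, 0, 0, 0.10), (0, 0, 0, -0.10)]
    centres = {"family_a": (1, 0, 0, 0), "family_b": (0, 1, 0, 0), "family_c": (0, 0, 1, 0)}
    return {name: [tuple(c + o for c, o in zip(centre, off)) for off in offsets]
            for name, centre in centres.items()}


if __name__ == "__main__":
    det = MADDriftDetector()
    det.fit(build_sample_families())
    # One sample inside family_a's cluster, one between two clusters, one in a new region.
    batch = [(1.05, 0, 0, 0), (0.5, 0.5, 0, 0), (0, 0, 0, 1)]
    for idx, fam, z in det.rank_drift(batch):
        print(f"sample {idx}: drift score {z:.1f} (nearest known family {fam})")
```

Normalising by each family's own MAD rather than using one global distance cut-off is what lets tight and diffuse families share a single threshold; in practice the threshold and the embedding dimension would be tuned on held-out drift data, and the known-family statistics refreshed as analysts confirm new families.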
Keywords/Search Tags:Malware Classification, Machine Learning, Deep Learning, Concept Drift