# Malware Classification using Deep Learning
Mohd Shahril
# whoami
● My research
○ Part of my bachelor's degree final year project
● How does Deep Learning work?
● How to leverage Deep Learning for the malware classification task
# 0x0: What is Deep Learning?
● Motivation: to be less dependent on human experts (the network learns its own feature representation from data instead of relying on hand-crafted features)
[Figure credit: Digitalogy]
[Figure: Artificial Neural Network with an Input Layer, a Hidden Layer and an Output Layer, joined by weighted connections.]
● Weight: each line (connection) between neurons carries a real-number value
● Neuron: each neuron represents a non-linear function of the sum of its inputs
● When people say deep learning, they basically mean a deep neural network.
● So, what is a deep neural network?
[Figure: a (normal) Neural Network with a single hidden layer next to a (deep) Neural Network with many more hidden layers, captioned "Add this moar plz?"]
● A deep neural network is simply a neural network with many hidden layers
● Scopes:
○ Problem: given a new suspected malware executable, predict which malware family it belongs to.
○ Focus on these malware families:
■ Cerber, Cryptowall, GandCrab, Petya, Sality, Wannacrypt
○ Focus on Windows malware executables
# 0x1: Training DL to Classify Malware
[Figure: Malwares → (sandbox) Behaviors → 1-gram extraction → fixed-size bit-strings, e.g. [1, 0, 1, 1] and [0, 0, 1, 0]]
● Problem: 10,000 bits per sample (fixed-size) is still too large for Deep Learning training
● Curse of dimensionality
● Idea: apply dimensionality reduction to the binary data
○ Transform the 10,000-bit vector into 20 real numbers (high-dimension → low-dimension)
○ Used Deep Autoencoders
■ A special DL architecture for non-linear dimensionality reduction
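The two steps above (1-gram extraction into a fixed-size bit vector, then an autoencoder that compresses it into a few real numbers) as an added, self-contained example. This is not the project's own code: the sandbox reports are constructed lists of API-call names, the vector width (16 bits) and code size (3 numbers) stand in for the page's 10,000 and 20, and the autoencoder is a single-hidden-layer numpy implementation rather than the deep one the page describes.

```python
"""Added example, not the project's own code: 1-gram behaviour encoding into a
fixed-size bit vector, then a small numpy autoencoder that compresses it into a
few real numbers (the page's 10,000 bits -> 20 numbers, at toy scale).

Assumptions (not from the page): sandbox reports are modelled as lists of
API-call names; the vector width, code size and sample reports are made up."""
import numpy as np

# Constructed sample "sandbox reports": observed API calls per sample (made up).
REPORTS = {
    "ransom_a": ["CreateFileW", "WriteFile", "CryptEncrypt", "DeleteFileW", "RegSetValueExW"],
    "ransom_b": ["CreateFileW", "CryptEncrypt", "WriteFile", "FindNextFileW", "DeleteFileW"],
    "ransom_c": ["FindFirstFileW", "CryptEncrypt", "WriteFile", "DeleteFileW"],
    "inject_a": ["OpenProcess", "VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread"],
    "inject_b": ["OpenProcess", "WriteProcessMemory", "CreateRemoteThread", "CreateMutexW"],
    "inject_c": ["CreateMutexW", "OpenProcess", "VirtualAllocEx", "CreateRemoteThread"],
}
VECTOR_BITS = 16   # fixed vector width (the page uses 10,000)
CODE_DIM = 3       # compressed representation size (the page uses 20)


def build_vocabulary(reports, width):
    """One slot per distinct behaviour (1-gram), frozen from the training reports.
    Sorted for determinism; behaviours beyond `width` slots are dropped."""
    grams = sorted({g for calls in reports.values() for g in calls})
    return {g: i for i, g in enumerate(grams[:width])}


def encode_1gram(calls, vocab, width):
    """Presence vector: bit i = 1 if behaviour i was observed at least once.
    Behaviours unknown to the frozen vocabulary are ignored, so a sample whose
    behaviour is entirely new encodes to all zeros: a limitation to keep in mind."""
    v = np.zeros(width)
    for c in calls:
        if c in vocab:
            v[vocab[c]] = 1.0
    return v


def sigmoid(z):
    return 1.0 / (1.0 + np.exp(-z))


def bce(x, r, eps=1e-7):
    """Binary cross-entropy between input bits x and reconstruction r."""
    return float(-np.mean(x * np.log(r + eps) + (1.0 - x) * np.log(1.0 - r + eps)))


def train_autoencoder(X, code_dim, epochs=5000, lr=0.5, seed=0):
    """Single-hidden-layer autoencoder (encoder: bits -> code, decoder: code -> bits)
    trained by full-batch gradient descent on BCE. Returns the encoder weights and
    the reconstruction loss before and after training."""
    rng = np.random.default_rng(seed)
    n, d = X.shape
    W1 = rng.normal(0.0, 0.5, (d, code_dim)); b1 = np.zeros(code_dim)
    W2 = rng.normal(0.0, 0.5, (code_dim, d)); b2 = np.zeros(d)
    loss_before = bce(X, sigmoid(sigmoid(X @ W1 + b1) @ W2 + b2))
    for _ in range(epochs):
        H = sigmoid(X @ W1 + b1)          # encoder output: code_dim real numbers
        R = sigmoid(H @ W2 + b2)          # decoder output: reconstructed bits
        dz2 = (R - X) / n                 # gradient of BCE w.r.t. decoder pre-activation
        dW2, db2 = H.T @ dz2, dz2.sum(axis=0)
        dz1 = (dz2 @ W2.T) * H * (1.0 - H)
        dW1, db1 = X.T @ dz1, dz1.sum(axis=0)
        W1 -= lr * dW1; b1 -= lr * db1
        W2 -= lr * dW2; b2 -= lr * db2
    loss_after = bce(X, sigmoid(sigmoid(X @ W1 + b1) @ W2 + b2))
    return (W1, b1), loss_before, loss_after


def encode(X, encoder):
    """The compressed representation that the classifier would consume."""
    W1, b1 = encoder
    return sigmoid(X @ W1 + b1)


def run_pipeline():
    vocab = build_vocabulary(REPORTS, VECTOR_BITS)
    names = sorted(REPORTS)
    X = np.stack([encode_1gram(REPORTS[n], vocab, VECTOR_BITS) for n in names])
    encoder, before, after = train_autoencoder(X, CODE_DIM)
    Z = encode(X, encoder)
    return {"names": names, "vocab_size": len(vocab), "bits": X.shape[1],
            "code_dim": Z.shape[1], "loss_before": before, "loss_after": after,
            "codes": Z.round(3).tolist()}


if __name__ == "__main__":
    out = run_pipeline()
    print(f"{out['bits']} bits -> {out['code_dim']} real numbers per sample")
    print(f"reconstruction loss {out['loss_before']:.3f} -> {out['loss_after']:.3f}")
    for name, code in zip(out["names"], out["codes"]):
        print(f"{name:9s} {code}")
```

The vocabulary is frozen from the training reports: at prediction time a behaviour never seen during training has no slot and is dropped, which is why the bit-string is "fixed-size" and also why a family with genuinely new behaviour can look empty to the model.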
[Figure: Deep Autoencoders. Fixed-size binary string → encoder layers → 20 real numbers → decoder layer (reconstructs the input).]
● Now comes the fun part: train a Deep Neural Network to classify malware
● Before training the network, the dataset has to be split
○ 70% goes to the training set (4,200 samples)
○ 30% goes to the validation set (1,800 samples)
● The reason for the split is to observe how well the network predicts on unseen data
[Figure: Deep Neural Network classifier. Input: the 20 real numbers of a malware sample; hidden layers; Output Layer: class probability per malware family. Layer widths labelled in the figure: 20, 200, 60, 40, 15 and 6.]

Example: the network outputs a probability for each malware family, and the output layer sums to 1.0:

| Family | Probability |
|---|---|
| Cerber | 0.00 |
| Cryptowall | 0.97 |
| GandCrab | 0.02 |
| Petya | 0.003 |
| Sality | 0.007 |
| Total | 1.0 |
[Figure: overall pipeline. (1) Bit-String → Deep Autoencoders → (2) Transformed Bit-String → Split Dataset into Training Set (70%) and Validation Set (30%) → (3) Deep Neural Network: training on the training set, then validate for accuracy on the validation set.]
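The 70/30 split and the softmax output layer described above, as an added, self-contained example (not the project's code). The 20-number autoencoder codes are replaced by constructed synthetic data with one cluster per family, the classifier is a small numpy network with one ReLU hidden layer rather than the project's actual model, and the split is done per family (stratified), which the page does not state but which is the check a practitioner wants so that no family is missing from the validation set.

```python
"""Added example, not the project's own code: stratified 70/30 train/validation
split and a softmax classifier over the compressed malware codes, reporting
validation accuracy as the page's pipeline does.

Assumptions (not from the page): the 20-number autoencoder codes are replaced by
constructed synthetic data (one Gaussian cloud per family); the classifier is a
small numpy MLP rather than the project's actual network."""
import numpy as np

FAMILIES = ["Cerber", "Cryptowall", "GandCrab", "Petya", "Sality", "Wannacrypt"]
CODE_DIM = 20


def make_dataset(per_family=40, seed=0):
    """Constructed data: each family is a cloud of points around its own centre."""
    rng = np.random.default_rng(seed)
    centres = rng.normal(0.0, 1.0, (len(FAMILIES), CODE_DIM))
    X = np.concatenate([centres[k] + rng.normal(0.0, 0.5, (per_family, CODE_DIM))
                        for k in range(len(FAMILIES))])
    y = np.repeat(np.arange(len(FAMILIES)), per_family)
    return X, y


def stratified_split(X, y, train_frac=0.7, seed=0):
    """Split per family so that every family appears in both sets. A plain
    random 70/30 split can leave a small family absent from the validation set,
    which would hide how badly that family is predicted."""
    rng = np.random.default_rng(seed)
    train_idx, val_idx = [], []
    for k in np.unique(y):
        idx = np.flatnonzero(y == k)
        rng.shuffle(idx)
        n_train = int(round(train_frac * len(idx)))
        train_idx.extend(idx[:n_train].tolist())
        val_idx.extend(idx[n_train:].tolist())
    train_idx, val_idx = np.array(train_idx), np.array(val_idx)
    return X[train_idx], y[train_idx], X[val_idx], y[val_idx]


def softmax(z):
    z = z - z.max(axis=1, keepdims=True)      # numerically stable
    e = np.exp(z)
    return e / e.sum(axis=1, keepdims=True)   # each row sums to 1.0


def train_classifier(X, y, hidden=32, epochs=500, lr=0.1, seed=0):
    """One ReLU hidden layer, softmax output, full-batch gradient descent on
    cross-entropy. Returns the weights."""
    rng = np.random.default_rng(seed)
    n, d = X.shape
    k = len(FAMILIES)
    W1 = rng.normal(0.0, np.sqrt(2.0 / d), (d, hidden)); b1 = np.zeros(hidden)
    W2 = rng.normal(0.0, np.sqrt(2.0 / hidden), (hidden, k)); b2 = np.zeros(k)
    Y = np.eye(k)[y]                           # one-hot targets
    for _ in range(epochs):
        A = np.maximum(0.0, X @ W1 + b1)       # hidden activations
        P = softmax(A @ W2 + b2)               # class probabilities
        dz2 = (P - Y) / n                      # softmax + cross-entropy gradient
        dW2, db2 = A.T @ dz2, dz2.sum(axis=0)
        dz1 = (dz2 @ W2.T) * (A > 0)
        dW1, db1 = X.T @ dz1, dz1.sum(axis=0)
        W1 -= lr * dW1; b1 -= lr * db1
        W2 -= lr * dW2; b2 -= lr * db2
    return W1, b1, W2, b2


def predict_proba(model, X):
    W1, b1, W2, b2 = model
    return softmax(np.maximum(0.0, X @ W1 + b1) @ W2 + b2)


def accuracy(model, X, y):
    return float(np.mean(predict_proba(model, X).argmax(axis=1) == y))


def run():
    X, y = make_dataset()
    Xtr, ytr, Xva, yva = stratified_split(X, y)
    model = train_classifier(Xtr, ytr)
    P = predict_proba(model, Xva)
    return {
        "n_train": int(len(ytr)), "n_val": int(len(yva)),
        "val_families": int(len(np.unique(yva))),
        "train_acc": accuracy(model, Xtr, ytr),
        "val_acc": accuracy(model, Xva, yva),
        "rows_sum_to_one": bool(np.allclose(P.sum(axis=1), 1.0)),
        # probability table for the first validation sample, like the slide's example
        "example": {f: round(float(p), 3) for f, p in zip(FAMILIES, P[0])},
        "example_true": FAMILIES[int(yva[0])],
    }


if __name__ == "__main__":
    out = run()
    print(f"train {out['n_train']} / val {out['n_val']} samples; "
          f"validation accuracy {out['val_acc']:.2%}")
    for fam, p in out["example"].items():
        print(f"{fam:11s} {p:.3f}")
    print("true family:", out["example_true"])
```

Validation accuracy is measured only on samples the network never saw during training; on this constructed data the families are well separated, so the number is high, and real sandbox-derived codes will not be this clean.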
Demo
# 0x3: Problems
● This method also has one major flaw: it can't be used for runtime malware detection
○ Its reliance on a sandbox delays the prediction process
○ The malicious payload has likely already been delivered by the time it is detected
● See the paper "Early-stage malware prediction using recurrent neural networks" (Rhode, Burnap and Jones, 2018)
○ Captures only the first 5 seconds of runtime behaviour
○ Claimed to achieve 94% accuracy
Happy Hacking! 😃
https://github.com/shahril96/Malware-Classification-using-Deep-Learning