This is a self case study prepared by handling a 350GB dataset. Everything is performed in Google Cloud Platform using port forwarding to achieve a test log loss of 0.00793.
The term malware is a contraction of malicious software. Put simply, malware is any piece of software that was written with the intent of doing harm to data, devices or to people. Source: https://www.avg.com/en/signal/what-is-malware
In the past few years, the malware industry has grown very rapidly that, the syndicates invest heavily in technologies to evade traditional protection, forcing the anti-malware groups/communities to build more robust softwares to detect and terminate these attacks. The major part of protecting a computer system from a malware attack is to identify whether a given piece of file/software is a malware.
Microsoft has been very active in building anti-malware products over the years and it runs it’s anti-malware utilities over 150 million computers around the world. This generates tens of millions of daily data points to be analyzed as potential malware. In order to be effective in analyzing and classifying such large amounts of data, we need to be able to group them into groups and identify their respective families.
This dataset provided by Microsoft contains about 9 classes of malware. ,
Source: https://www.kaggle.com/c/malware-classification
Minimize multi-class error. Multi-class probability estimates. Malware detection should not take hours and block the user's computer. It should fininsh in a few seconds or a minute.
Source : https://www.kaggle.com/c/malware-classification/data For every malware, we have two files .asm file (read more: https://www.reviversoft.com/file-extensions/asm) .bytes file (the raw data contains the hexadecimal representation of the file's binary content, without the PE header) Total train dataset consist of 200GB data out of which 50Gb of data is .bytes files and 150GB of data is .asm files: Lots of Data for a single-box/computer. There are total 10,868 .bytes files and 10,868 asm files total 21,736 files There are 9 types of malwares (9 classes) in our give data Types of Malware: Ramnit Lollipop Kelihos_ver3 Vundo Simda Tracur Kelihos_ver1 Obfuscator.ACY Gatak
.asm file
.text:00401000 assume es:nothing, ss:nothing, ds:_data, fs:nothing, gs:nothing .text:00401000 56 push esi .text:00401001 8D 44 24 08 lea eax, [esp+8] .text:00401005 50 push eax .text:00401006 8B F1 mov esi, ecx .text:00401008 E8 1C 1B 00 00 call ??0exception@std@@QAE@ABQBD@Z ; std::exception::exception(char const * const &) .text:0040100D C7 06 08 BB 42 00 mov dword ptr [esi], offset off_42BB08 .text:00401013 8B C6 mov eax, esi .text:00401015 5E pop esi .text:00401016 C2 04 00 retn 4 .text:00401016 ; --------------------------------------------------------------------------- .text:00401019 CC CC CC CC CC CC CC align 10h .text:00401020 C7 01 08 BB 42 00 mov dword ptr [ecx], offset off_42BB08 .text:00401026 E9 26 1C 00 00 jmp sub_402C51 .text:00401026 ; --------------------------------------------------------------------------- .text:0040102B CC CC CC CC CC align 10h .text:00401030 56 push esi .text:00401031 8B F1 mov esi, ecx .text:00401033 C7 06 08 BB 42 00 mov dword ptr [esi], offset off_42BB08 .text:00401039 E8 13 1C 00 00 call sub_402C51 .text:0040103E F6 44 24 08 01 test byte ptr [esp+8], 1 .text:00401043 74 09 jz short loc_40104E .text:00401045 56 push esi .text:00401046 E8 6C 1E 00 00 call ??3@YAXPAX@Z ; operator delete(void *) .text:0040104B 83 C4 04 add esp, 4 .text:0040104E .text:0040104E loc_40104E: ; CODE XREF: .text:00401043�j .text:0040104E 8B C6 mov eax, esi .text:00401050 5E pop esi .text:00401051 C2 04 00 retn 4 .text:00401051 ; ---------------------------------------------------------------------------
.bytes file
00401000 00 00 80 40 40 28 00 1C 02 42 00 C4 00 20 04 20 00401010 00 00 20 09 2A 02 00 00 00 00 8E 10 41 0A 21 01 00401020 40 00 02 01 00 90 21 00 32 40 00 1C 01 40 C8 18 00401030 40 82 02 63 20 00 00 09 10 01 02 21 00 82 00 04 00401040 82 20 08 83 00 08 00 00 00 00 02 00 60 80 10 80 00401050 18 00 00 20 A9 00 00 00 00 04 04 78 01 02 70 90 00401060 00 02 00 08 20 12 00 00 00 40 10 00 80 00 40 19 00401070 00 00 00 00 11 20 80 04 80 10 00 20 00 00 25 00 00401080 00 00 01 00 00 04 00 10 02 C1 80 80 00 20 20 00 00401090 08 A0 01 01 44 28 00 00 08 10 20 00 02 08 00 00 004010A0 00 40 00 00 00 34 40 40 00 04 00 08 80 08 00 08 004010B0 10 00 40 00 68 02 40 04 E1 00 28 14 00 08 20 0A 004010C0 06 01 02 00 40 00 00 00 00 00 00 20 00 02 00 04 004010D0 80 18 90 00 00 10 A0 00 45 09 00 10 04 40 44 82 004010E0 90 00 26 10 00 00 04 00 82 00 00 00 20 40 00 00 004010F0 B4 00 00 40 00 02 20 25 08 00 00 00 00 00 00 00 00401100 08 00 00 50 00 08 40 50 00 02 06 22 08 85 30 00 00401110 00 80 00 80 60 00 09 00 04 20 00 00 00 00 00 00 00401120 00 82 40 02 00 11 46 01 4A 01 8C 01 E6 00 86 10 00401130 4C 01 22 00 64 00 AE 01 EA 01 2A 11 E8 10 26 11 00401140 4E 11 8E 11 C2 00 6C 00 0C 11 60 01 CA 00 62 10 00401150 6C 01 A0 11 CE 10 2C 11 4E 10 8C 00 CE 01 AE 01 00401160 6C 10 6C 11 A2 01 AE 00 46 11 EE 10 22 00 A8 00 00401170 EC 01 08 11 A2 01 AE 10 6C 00 6E 00 AC 11 8C 00 00401180 EC 01 2A 10 2A 01 AE 00 40 00 C8 10 48 01 4E 11 00401190 0E 00 EC 11 24 10 4A 10 04 01 C8 11 E6 01 C2 00
There are nine different classes of malware that we need to classify a given a data point => Multi class classification problem
Source: https://www.kaggle.com/c/malware-classification#evaluation
Multi class log-loss Confusion matrix
Objective: Predict the probability of each data-point belonging to each of the nine classes.
Constraints:
- Class probabilities are needed. * Penalize the errors in class probabilites => Metric is Log-loss. * Some Latency constraints.
Split the dataset randomly into three parts train, cross validation and test with 64%,16%, 20% of data respectively
http://blog.kaggle.com/2015/05/26/microsoft-malware-winners-interview-1st-place-no-to-overfitting/ https://arxiv.org/pdf/1511.04317.pdf First place solution in Kaggle competition: https://www.youtube.com/watch?v=VLQTRlLGz5Y https://github.com/dchad/malware-detection http://vizsec.org/files/2011/Nataraj.pdf https://www.dropbox.com/sh/gfqzv0ckgs4l1bf/AAB6EelnEjvvuQg2nu_pIB6ua?dl=0 " Cross validation is more trustworthy than domain knowledge."
- Due to low latency System, it was impossible for me to save all the extracted files (i.e. of 200GB) in local system. Hence I have used GCP instance.
- Lots of experiments demanded to achieve the goal of case study.
- byte unigrams with Size
- asm unigrams with Size
- Top 1000 byte bigrams
- Top 1000 asm image features
- k-NN
- Logistic Regression
- Random Forest Classifier
- XGBoost Classifier
+------------------------------+---------------------------------------+----------------+---------------+ | Algorithm | Features | Train log-loss | Test log-loss | +------------------------------+---------------------------------------+----------------+---------------+ | k-NN Classification | Unigram of Bytes | 0.1 | 0.2 | | Logistic Regression | Unigram of Bytes | 0.85 | 0.87 | | Random Forest Classification | Unigram of Bytes | 0.02 | 0.08 | | XGBoost Classifier | Unigram of Bytes | 0.02 | 0.07 | | | | | | | k-NN Classification | Unigram of ASM | 0.02 | 0.1 | | Logistic Regression | Unigram of ASM | 0.31 | 0.32 | | Random Forest Classification | Unigram of ASM | 0.01 | 0.04 | | XGBoost Classifier | Unigram of ASM | 0.01 | 0.02 | | | | | | | Random Forest Classification | Unigrams of ASM + byte files | 0.01 | 0.03 | | XGBoost Classifier | Unigrams of ASM + byte files | 0.01 | 0.03 | | | | | | | Random Forest Classifier | Bigram Byte + ASM + Pixel intensity | 0.001 | 0.024 | | XGBoost Classifier | Bigram Byte + ASM + Pixel intensity | 0.001 | 0.007 | +------------------------------+---------------------------------------+----------------+---------------+