Harnessing AI and analytics to enhance cybersecurity and privacy for collective intelligence systems

Introduction

According to the 2019 McAfee Labs Threat Report, around 70 million new malware is circulating, with 1 billion instances of harmful software. Such a volume necessitates malware detection and categorization that is both effective and efficient. The situation becomes even direr when we include the 25% increase in assaults attributable to destructive malware or malware that may harm hardware components. A technique based on deep learning (DL) is beginning to be employed as a new paradigm to remove the inadequacies of previously used methods for identifying and classifying malware. On the other hand, it has not been used to a significant degree in cyber security, particularly in the identification of malware. DL is a subfield of artificial intelligence that operates via computer simulations of neural networks. Learning from examples and using several hidden layers is how DL works. The most effective deep neural network architectures for natural photo classification are convolutional neural networks (CNNs) and fully connected feed-forward neural networks (Azab & Khasawneh, 2020). Deep neural network architectures, loosely inspired by cortical visual information processing hierarchies, have seen increasing success in recent years due to more powerful computing hardware, larger datasets, and improved training algorithms, which have enabled the training of much deeper networks while avoiding overfitting problems. Despite its efficacy, the high computational cost of training and executing deep networks has forced the development of specialized hardware accelerators and new computing paradigms to enable deep networks to be employed in real-time practical applications (Obaidat et al., 2022). Spiking neural networks (SNNs) are a promising candidate for enabling such acceleration. A new optimization method for spiking deep architectures, including fully connected feed-forward networks and CNN, can outperform previous spiking solutions while requiring fewer operations and latencies than traditional computing methods.

The term Internet has evolved from connecting personal computers to a network that includes various devices. Traditional microdevices, such as sensors and controllers, can only execute function-specific activities based on pre-defined rules. These “things” become “smart” and can now do complicated tasks by replacing function-specific devices with CPU-controlled ones and enabling connectivity among them through the Internet. Furthermore, users may simply receive and control their reported data by activating cloud services on these smart devices. Despite these benefits, more intelligent devices have more significant vulnerabilities due to increased hardware and software complexity and more opportunities for prospective adversaries to attack them (Zhu et al., 2021).

Furthermore, creating universal standards for the numerous types of Internet of Things (IoT) hardware and software platforms is challenging. As a result, IoT systems are often unsafe. Finally, even though IoT devices are more intelligent than traditional sensors, they lack the computing power to employ standard PC-based security solutions. Cloud services may be used to build security protection for IoT devices in specific circumstances, such as malware detection.

Explosive malware strains constitute a significant danger to cybersecurity and can result in substantial financial losses for people, societies, and governments. Malware assaults on IoT devices are becoming more common. Researchers must investigate more efficient methods for identifying malware’s harmful intent and attack patterns and countermeasures (Tuncer, Ertam & Dogan, 2020). Code repetition and obfuscation methods are used to create several malware versions. The obfuscation approach employs encryption, code substitution, and other techniques to alter the look of existing malware code, resulting in the emergence of new malware versions with the same destructive objectives and characteristics as the original virus. A family is a group of malware samples like this. As a result, they were classifying malware families to aid in rapidly analyzing malware behavior and functioning. In recent years, machine learning has advanced incredible computer vision and natural language processing. Several researchers have also employed machine learning to solve malware detection and classification problems. Although malware analysis approaches based on classical machine learning have produced favorable results, feature engineering takes time and money. Malware visualization is a crucial aspect of malware investigation. Grayscale pictures are used in almost all static analysis approaches based on malware visualization (Naeem et al., 2022). Previous work in malware classification has examined detecting malware samples at both the file and family levels. A family refers to a group of malware variants that originate from the same original virus source code. Malware authors often create many variants of a single virus through techniques like code obfuscation that alter the code’s appearance but maintain similar functionality and behavioral characteristics as the original. Classifying malware at the family level can aid in analyzing common traits shared across variants of a virus. On the other hand, a single low-order feature representation may make it difficult to find hidden characteristics in a virus family. Existing classification approaches do not necessarily function effectively for all families in some datasets, particularly imbalanced datasets.

Traditional machine learning has been widely employed to solve various complicated real-world issues, including picture categorization, particularly for photos with nested and overlapping areas. The non-linear features or relationships among the pixels make categorizing such pictures difficult. Traditional classification approaches rely on learning hand-crafted features and fitting them into a machine-learning model. For example, when the number of training instances is restricted, a support vector machine (SVM) with a non-linear kernel function is most utilized. However, because of the non-linear correlations between the collected intensity values and the related object, the performance of SVM or similar non-linear methods is not good, making classification more difficult for such approaches (Yadav et al., 2022).

On the other hand, hand-crafted features can effectively represent an image’s various attributes, making them compatible with the data being analyzed. However, in the case of actual data, many features may be insignificant, making it difficult to fine-tune the balance between robustness and discriminability, as the set of ideal features varies greatly. Furthermore, human engagement in feature creation significantly impacts the classification process, as generating hand-crafted features necessitates a high level of topic expertise. DL has been developed and shown tremendous success for picture classification in recent years to counter the constraints of hand-crafted feature design. They outperformed previous approaches due to their ability to learn automatically- and low-level features (Mallik, Khetarpal & Kumar, 2022). For example, CNNs extract feature maps invariant to local changes in their input. However, due to their greater depth, most DL approaches suffer from the disappearing or ballooning gradient issue.

Malware detection poses significant challenges due to the sheer volume and evolving nature of threats. According to security reports, over 1 billion new malware instances now circulate annually. Addressing this deluge necessitates detection methods that are highly accurate, efficient, and able to identify unknown (“zero-day”) malware variants. Traditional static and dynamic analysis approaches have limitations. Static analysis is susceptible to obfuscation techniques, while dynamic analysis incurs high computational overhead from running each sample. Additionally, existing machine learning-based methods rely on manually extracting features, which is an expert-intensive process that risks omitting important patterns.

To overcome these challenges, this study proposes a novel deep learning-based approach for malware detection and classification. By representing malware binaries as grayscale images and leveraging convolutional neural networks, we hypothesize that discriminative features can be automatically learned from raw data in an end-to-end manner. This obviates the need for manual feature engineering while enabling the discovery of subtle patterns. Through a series of experiments, we aim to validate that our method achieves high detection accuracy comparable to or exceeding other techniques, while also offering computational efficiency gains. If successful, this research could advance the state-of-the-art by providing an effective and scalable solution for addressing the growing malware problem. Detection performance in malware analysis refers to both the accuracy of detection as well as the computational efficiency and speed of the detection method. An ideal approach aims to maximize accuracy while minimizing the required time and system resources for inference.

This article’s essential contribution is to use cutting-edge DL techniques to improve accuracy and learning speed. Various combinations of epochs, batch size, learning rate, and classes were utilized to investigate validation and test accuracy. Thus, we discover the optimal combination with high test and validation accuracy and minimum loss.

Literature Review

Static and dynamic analysis are the two most used approaches for detecting and classifying malware. To mine the program, static analysis frequently employs lexical analysis, parsing, control flow, and data flow analysis techniques. Signature-based malware detection is a standard static malware detection technology used by prior industry communities. It can detect whether an unknown executable file is a known virus. This is done by looking for a matching signature in the harmful code database. Based on certain personally defined traits, this detection system generated a unique signature identification for malware (Zhang et al., 2021). On the other hand, signature-based approaches are restricted in their ability to identify unknown malware since unknown malware may have novel characteristics not captured by signatures. Furthermore, these signatures contain a set of pre-programmed harmful properties. As a result, if the virus undergoes any form of encryption or obfuscation, it will have a high chance of evading signature-based detection. Dynamic analysis entails running a program. This allows watching how the program behaves in the system. Unlike static analysis, dynamic analysis allows watching a program’s actual behaviors (Ren, Chen & Lu, 2020). It is usually used after static analysis has halted, either owing to obfuscation and packing or because all other static analysis approaches have been exhausted.

Both strategies have their own set of benefits and drawbacks. On the one hand, static analysis is faster, but it suffers from code obfuscation, a method employed by malware developers to hide the program’s destructive intent. On the other hand, code obfuscation methods and polymorphic viruses fail in dynamic analysis because they examine a program’s runtime behavior by monitoring it while it is running. However, each malware sample must be run in a secure environment for a certain period to monitor its activity, which is a lengthy procedure. Furthermore, the environment may change significantly from the actual runtime environment, and malware may behave differently in the two contexts (Ünver & Bakour, 2020). In other cases, malware operations may not be initiated and hence not reported.

Materials & Methods

This research section explains how to classify malware using a DL algorithm. To classify malware into several classes, a novel approach is proposed. Malware byte code is converted into grayscale images using our proposed model. Figure 1 shows that grayscale images are input into a DL model to identify and classify the malware family. Correct placement of malware family used to get behavior and types of malware leads to developing anti-malware products.

After converting byte code into grayscale images, we have a collection of malware families according to their class and behavior. Grayscale images generated from byte code have no fixed dimensions, making classification difficult. As a solution, we reduce the size of ideas to 224 × 224 pixels. These images are normalized and ready for our proposed model as input. A graphical representation of malware families is shown in Fig. S1. The collation of binary files is collected using Eq. (1). (1)${\displaystyle \sum _{i=1}^{n}Bfil{e}_i.}$

The file size is divided by fixed image width, i.e., 1,024. The image height is derived using Eq. (2). (2)${\displaystyle imageHeight=⌈\frac{BfileSize}{width}⌉.}$

The image is converted from the data and taken in the image collection, as shown in Eq. (3). (3)${\displaystyle \sum _{k=1}^{n}im{g}_k=byte2image\left(imageHeight,width,Bfil{e}_i\right).}$

The images are resized using Eq. (4). (4)${\displaystyle \sum _{k=1}^{n}img{R}_k=imgresize\left(224,224,im{g}_k\right).}$

The histogram of the images is equalized using Eq. (5). (5)${\displaystyle \sum _{k=1}^{n}imgEqHis{t}_k=histeq\left(img{R}_k\right).}$

We analyzed and categorized malware in a manner distinct from earlier efforts. To overcome this issue, we employ CNN, an architecture for machine learning that uses DL methods, as seen in Fig. S2. DL’s recent success in classification suggests it can classify malware more accurately than SVMs. CNNs have proven to be highly effective at addressing image processing challenges. Because of this, we transform the problem of categorizing malware into one that involves the categorization of images and can be solved using CNN. We develop a general architecture for malware classification based on a deep CNN as opposed to the present methods. Initially, each hexadecimal representation was converted to its decimal equivalent. As indices for a two-dimensional color map, utilize each unit’s upper and lower nibbles. Thus, a dataset comprising images of malware is obtained. Each picture is altered to accommodate 224 rows and columns. A dataset from 15 distinct classes was used to train and validate 6,414 samples. Training set samples are processed using a twelve-layered residual network. The model has two convolution layers, one max pooling layer, etc. The detailed methodology of the proposed model is shown in Fig. S2.

A loss function is used to optimize a machine learning method. The loss, dependent on training and validation data, is determined according to the model’s performance in these two sets. It is the total number of errors created for each example in training or validation sets. The loss value of a model reflects how well or poorly it performs following each optimization cycle. The algorithm’s performance is assessed using an accurate metric that is simple to comprehend. Following the model’s input parameters, a model’s accuracy is frequently evaluated and represented as a percentage. It gauges how well the predictions made by the model match the facts. One key aspect of our experimental methodology was the decision to repeat the epochs with different batch size settings. This approach was motivated by insights from prior research, which indicated that deeper neural network architectures often benefit from using smaller batch sizes towards the later stages of training. The rationale is that smaller batch sizes can help regulate overfitting by introducing more noise and variability into the gradient updates, preventing the model from overly fitting to the training data.

By systematically varying the batch size across multiple epochs, we aimed to uncover the optimal balance between convergence and generalization. This strategy allowed us to identify the hyperparameter configurations that not only minimized the training loss but also resulted in superior performance on the held-out test data. The method for assessing the model’s accuracy is given in the equation below in Eq. (6). (6)${\displaystyle Accuracy=\frac{\left(Truepositive+Truenegative\right)}{\left(Truepositive+Truenegative+Falsepositive+Falsenegative\right)}.}$

The study employed a robust experimental configuration featuring an Intel(R) Xeon(R) CPU E5-2643 v3 @ 3.40 GHz processor equipped with 32 GB of memory. The operating system utilized was Windows 10 Pro 22H2 with OS build 19,045.2364. Renowned for its multi-core design and high-performance capabilities, the Xeon CPU is commonly employed in servers and workstations. Complementing the setup, a Nvidia Quadro M4000 GPU with 8GB video memory, known for its substantial memory capacity and numerous compute unified device architecture (CUDA) cores, was incorporated. This professional graphics processing unit is well-suited for tasks involving machine learning and scientific computing. It is imperative to ensure the compatibility of both hardware and software with the specific demands of the experiment. The chosen hardware configuration, particularly leveraging the graphics processing unit (GPU) for accelerated training in machine learning tasks, is deemed suitable. Additionally, the precise version and build number of the Windows operating system are critical considerations to guarantee compatibility with the employed software.

Results and Discussion

The performance of the models was evaluated using two separate datasets - a training set used for fitting the models, and a holdout test set containing previously ‘unseen’ samples not shown during training. This test set, referred to hereafter as ‘unseen data’, provides an unbiased evaluation of how well the models generalize to new examples. A total of 13 experiments were conducted with different specifications (epochs, batch size, learning rate, classes, etc.) and parameters to examine the accuracy of the proposed model. In training our proposed model, we have different accuracies (a) training accuracy 99.76, test accuracy 99.48, (b) training accuracy 99.60, test accuracy 99.56, (c) training accuracy 99.74, test accuracy 98.65, and (d) 98.84 accuracies, test accuracy 98.86 as shown in Fig. 2.

While testing with our proposed model, we have different training losses as (a) training loss of 0.0065 and test loss of 0.0214, (b) training loss of 0.0120 and test loss of 0.0378, (c) training loss 0.0066 and test loss 0.0476, and (d) training loss 0.0364 and test loss 0.0402 as shown in Fig. 3.

The confusion matrix shows our proposed model’s performance with different parameters, as shown in Fig. 4.

Results after updating parameters

After changing different parameters, we have different accuracies (a) training accuracy 99.72, test accuracy 99.17, (b) training accuracy 99.52, test accuracy 98.67, (c) training accuracy 99.76, test accuracy 99.17, and (d) 47.07 accuracy, test accuracy 46.79 as shown in Fig. S3.

While testing with changed parameters, we have different training losses as (a) training loss of 0.0059 and test loss of 0.0337, (b) training loss of 0.0127 and test loss of 0.0375, (c) training loss of 0.0046 and test loss 0.0513, and (d) training loss 4.87 and test loss 4.90 as shown in Fig. S4.

We can see the changes in the confusion matrix as the parameters of the experiments changed, as shown in Fig. S5, which shows the working of our proposed model.

In training our proposed model, we have different accuracies (a) training accuracy 99.87, test accuracy 99.27, (b) training accuracy 99.92, test accuracy 99.44, (c) training accuracy 99.77, test accuracy 99.38, and (d) 99.79 accuracy, test accuracy 99.27 as shown in Fig. S6.

While testing with our proposed model, we have different training losses as (a) training loss of 0.0031 and test loss of 0.0494, (b) training loss of 0.0037 and test loss of 0.0217, (c) training loss of 0.0084 and test loss 0.0158, and (d) training loss 0.0051 and test loss 0.0321 as shown in Fig. S7.

Each confusion matrix has a unique representation due to changes in the parameters of the experiments, which show that the proposed model is working fine with high accuracy, as shown in Fig. S8.

In the end, we found the best accuracy in training and testing of the proposed model with a training accuracy of 99.81, testing accuracy of 99.86 in (a), training loss of 0.0103, and testing loss of 0.0558 in (b), as shown in Fig. 5.

The proposed model’s performance is outstanding on both the training and test sides. We have conducted 13 experiments with different parameters, and almost the accuracy remains plus 99%, showing that our methodology works fine using the CNN model. A confusion matrix shows the performance of our model, as shown in Fig. 6.

Conclusion

This study classifies malware using DL. We have taken byte code as input, converted it into grayscale images, and then input it to DL model malware categorization. A comprehensive evaluation was conducted, encompassing 13 experiments to assess the efficacy of various model architectures, hyperparameters, and preprocessing techniques for malware classification. This investigation included rigorous testing of CNNs and residual neural networks (ResNets) with diverse configurations of filter counts, layer depths, batch sizes, and other critical parameters. The empirical results demonstrably established the proposed methodology as the superior performer, achieving an exceptional 99.2% accuracy on unseen test data. This research significantly contributes to the field by introducing a novel deep-learning approach for malware detection that leverages grayscale image representations of binary files. When combined with an optimized CNN architecture, this end-to-end method achieves state-of-the-art performance without the requirement for manual feature engineering, a significant advancement in the field. Further refinement of this technique holds substantial promise for efficiently addressing the burgeoning challenge of large-scale malware detection. In the future, we will compare our state-of-the-art DL models and use large datasets to validate our model. We will further enhance our model from grayscale to RGB images to test the malware family’s classification performance.

Supplemental Information