An Enhanced Stacked LSTM Method with No Random Initialization for Malware Threat Hunting in Safety and Time-Critical Systems

Department

Software Engineering and Game Development

Document Type

Article

Publication Date

10-1-2020

Abstract

© 2017 IEEE. Malware detection is an increasingly important operational focus in cyber security, particularly given the fast pace at which such threats evolve (e.g., new malware variants are introduced every day). In recent years, there has been increased interest in exploring the use of machine learning techniques to automate and enhance the effectiveness of malware detection and analysis. In this paper, we present a deep recurrent neural network solution: a stacked long short-term memory (LSTM) network with pre-training as a regularization method to avoid random network initialization. In our proposed approach, we use both global and short-range dependencies of the inputs. With pre-training, we avoid random initialization and are able to improve the accuracy and robustness of malware threat hunting. The proposed method speeds up convergence, in comparison to the stacked LSTM, by reducing the length of malware OpCode or bytecode sequences. Hence, the complexity of our final method is reduced. This leads to better accuracy, higher Matthews Correlation Coefficient (MCC), and higher Area Under the Curve (AUC) in comparison to a standard LSTM with similar detection time. Our proposed method can be applied to real-time malware threat hunting, particularly for safety-critical systems, such as electronic health or Internet of Battlefield / Military of Things, where poor convergence of the model could lead to catastrophic consequences. We evaluate the effectiveness of our proposed method on Windows, Ransomware, Internet of Things (IoT), and Android malware datasets using both static and dynamic analysis. For IoT malware detection, we also present a comparative summary of the performance of our proposed method and the standard stacked LSTM method on an IoT-specific dataset. More specifically, our proposed method achieves an accuracy of 99.1% in detecting IoT malware samples, with an AUC of 0.985 and an MCC of 0.95, thus outperforming standard LSTM-based methods in these key metrics.

Journal Title

IEEE Transactions on Emerging Topics in Computational Intelligence

Volume

4

Issue

5

First Page

630

Last Page

640

Digital Object Identifier (DOI)

10.1109/TETCI.2019.2910243
