
Malware Classification using Deep Neural Networks: Performance Evaluation and Applications in Edge Devices

Akhil M R (1), Adithya Krishna V Sharma (2), Harivardhan Swamy (1), Pavan A (1), Ashray Shetty (1), Anirudh B Sathyanarayana (1)
(1) Student, Dept. of Computer Science and Engineering, PES University, Bengaluru, Karnataka, India
(2) Associate Software Engineer, Red Hat, Bengaluru, Karnataka, India

Abstract - With the increasing extent of malware attacks in the present day, along with the difficulty of detecting modern malware, it is necessary to evaluate the effectiveness and performance of Deep Neural Networks (DNNs) for malware classification. Multiple DNN architectures can be designed and trained to detect and classify malware binaries. Results demonstrate the potential of DNNs in accurately classifying malware, with high accuracy rates observed across different malware types. Additionally, the feasibility of deploying these DNN models on edge devices to enable real-time classification, particularly in resource-constrained scenarios, is integral to large IoT systems. By optimizing model architectures and leveraging edge computing capabilities, the proposed methodologies achieve efficient performance even with limited resources. This study contributes to advancing malware detection techniques and emphasizes the significance of integrating cybersecurity measures for the early detection of malware, thereby preventing the adverse effects caused by such attacks. Considerations regarding the distribution of security tasks to edge devices are addressed to ensure that the integrity and availability of large-scale IoT systems are not compromised by malware attacks, advocating for a more resilient and secure digital ecosystem.

Key Words: Cybersecurity, Data Protection, Deep Neural Networks, IoT Security, Malware Classification, Performance Evaluation

1. INTRODUCTION

Combating the constant spread of malware continues to be a major concern in the constantly changing world of cybersecurity. The integrity, confidentiality, and availability of digital assets are seriously threatened by malicious software, or malware, making accurate malware categorization a critical component of contemporary security systems. Traditional signature-based methods, long used for malware detection, are ineffective against fast-evolving and zero-day malware, which calls for the adoption of more advanced methodologies. Deep neural networks (DNNs), a particularly noteworthy development in deep learning in recent years, have shown significant promise in several areas, including image recognition, natural language processing, and autonomous systems. In the field of malware categorization, their capacity to automatically learn sophisticated patterns and features from raw data has attracted interest. DNNs can dramatically improve the precision and effectiveness of malware detection by sifting through malware samples and deriving useful representations.

Fig-1: ML based Malware Classification Flow

IoT devices are complex in nature and are subject to a wide variety of cyber-attacks, with malware attacks being one of the most prominent. Additionally, with the increasing adoption of IoT devices in industry, these IoT systems will experience a rise in cyber-attacks. Therefore, it is necessary to deploy efficient methodologies to detect and mitigate the adverse effects which would otherwise be caused by such malware attacks. According to Ngo et al., IoT malware detection techniques can be broadly classified into two domains, namely static analysis and dynamic analysis [5].

Dynamic analysis requires executing the binaries and monitoring for malicious activity, which could potentially infect the execution environment. In contrast, static analysis examines the binaries without executing them [5]. The methodologies explored in this paper leverage deep learning techniques to identify patterns and classify malware binaries without having to execute them.

Additionally, we cover the crucial topic of implementing advanced malware classification algorithms in contexts with limited resources. The computational and memory resources of edge devices, such as Internet of Things (IoT) gadgets and low-powered computer systems, are constrained. For effective and real-time malware detection at the network edge, it is critical to assess the applicability of our deep neural network approach on such devices. Therefore, the computation time, or latency, to classify malware binaries is measured once the trained model is obtained. This research intends to advance cybersecurity practice by examining the functionality and applicability of our DNN-based malware classification methodology. By providing security experts with a tool for early and accurate malware detection, our research has the potential to increase the resilience of digital ecosystems to ever-increasing cyberthreats.

2. RELATED WORK

Previous research on malware classification can be broadly categorized into two main approaches: non-machine learning models (Section 2.1) and machine learning models (Section 2.2).

Fig-2: Types of Malwares

2.1 Non-Machine Learning Models

Traditionally, malware detection relied on non-machine learning techniques, such as static or dynamic signature-based methods. Static analysis involves examining the syntax or structural properties of the program to identify malware before its execution. However, malware developers employ various encryption, polymorphism, and obfuscation techniques to evade these detection algorithms. In the dynamic approach, malware is executed in a controlled virtual environment, and its behavior is analyzed to detect harmful actions during or after execution. While dynamic analysis shows promise, it remains complex and time-consuming. The major drawback of classical signature-based detection is its lack of scalability, and its effectiveness is compromised by the emergence of new variants of malware. As a result, researchers have turned to machine learning algorithms as an alternative approach.

Dynamic Analysis: Researchers have made significant efforts to propose behavior-based malware detection methods that capture program behavior at runtime. One approach is to monitor the program's interactions with the operating system through the analysis of API calls. To develop effective and robust systems, some studies consider additional semantic information, such as the sequence of API calls and the use of graph representations. These approaches analyze the temporal order of API calls, the effect of API calls on registers, or extract behavioral graphs based on dependencies between API call parameters. In contrast to program-centric approaches, global, system-wide methods have been proposed, such as the access activity model by Lanzi et al. [8], which captures generalized interactions of benign applications with operating system resources, resulting in a low false positive rate. However, dynamic analysis techniques face challenges in handling execution-driven datasets, in the security precautions required during experimentation, and in the anti-analysis defenses used by modern malware to evade detection.

Static Analysis: On the other hand, static approaches perform analysis without executing the program. The research literature demonstrates a wide variety of static analysis methods, with SAFE [11] and SAVE [10] being influential heuristic static malware detection approaches. These works proposed using different patterns to detect malicious content in executable files. Since then, numerous techniques have emerged based on different malware attributes, such as the header or body of the Portable Executable (PE) file, with analysis conducted on the raw bytes or by disassembling the code to extract opcodes and other relevant information. The main challenge in static analysis is coping with packing and obfuscation. Recently, generic approaches for the automatic de-obfuscation of obfuscated programs have been proposed. Additionally, static techniques have been employed to assess whether a detected malware sample is similar to a previously seen variant without performing costly unpacking.

2.2 Machine Learning Models

To address the limitations of non-machine learning methods and capitalize on the shared behavior patterns among malware variants, anti-malware organizations have developed sophisticated classification methods based on data mining and machine learning techniques. These methods employ various feature extraction methods to build intelligent malware detection systems, often using SVM-based classifiers, Naïve Bayes classifiers, or multiple classifiers [9].

For example, Nataraj et al. [7] propose a strategy to represent malware as grayscale images and use GIST to compute texture features, which are then classified using a k-nearest neighbor algorithm. However, these shallow learning techniques suffer from scalability issues with the growing number of malware samples and require manual feature engineering. To overcome these challenges, the current research focuses on developing deep learning architectures that are more robust and applicable to various malware samples.

While some techniques target superior performance on specific datasets, like the Microsoft Malware Dataset [12], we aim to construct a more versatile framework applicable to any type of malware sample. For instance, Drew et al. [13], [14] employed a modern gene sequence classification tool for malware classification on the Microsoft Malware Dataset. Ahmadi et al. [15] trained a classifier based on the XGBoost technique, while the winning team of the Microsoft Malware Classification Challenge (BIG 2015) utilized a complex combination of features with the XGBoost classifier.

Another related work, proposed in [16], involves the application of a CNN for malware classification. The author experimented with three different architectures by adding
an extra block, consisting of a convolutional layer followed by a max-pooling layer, to the base model each time. However, their model remains relatively shallow. In contrast, our research explores deeper CNN architectures for improved malware classification.

3. DATA AVAILABILITY AND PREPARATION

For the purpose of demonstrating the effectiveness of DNNs on malware binaries, the dataset chosen was MaleVis [6]. The MaleVis [6] dataset contains 14,226 malware images spanning 26 classes, one of which is a cleanware class. From the dataset, 10 malware classes were sampled, and a total of 1400 images (140 per class, Table 1) were further sampled from these classes for the purpose of training. For testing and validation, a total of 550 images were sampled spanning the same 10 classes. The images in the MaleVis [6] dataset were obtained by converting the raw bytes of the malware files into 3-channel RGB images, so no sample is ever executed. The images are then resized to square resolutions of 224x224 and 300x300.

Fig-3: Images pertaining to the classes of the MaleVis dataset [6]

Table-1: Classes Sampled for the Purpose of Training

Class ID | Family | Malware Category | Sample Size
1 | Adposhel | Adware | 140
2 | Agent | Trojan | 140
3 | Allaple | Worm | 140
4 | Amonetize | Adware | 140
5 | Androm | Backdoor | 140
6 | Autorun | Worm | 140
7 | BrowseFox | Adware | 140
8 | Dinwod | Trojan | 140
9 | Hex | Trojan | 140
10 | Expiro | Virus | 140
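The byte-to-image preparation step described in Section 3, as an added example that is not code from the paper or from the MaleVis tooling: three consecutive bytes become one RGB pixel, the last row is zero-padded, and the result is resized to the 224x224 input the models expect. The rule that picks the image width from the file size follows the grayscale scheme of Nataraj et al. [7]; reusing it for RGB pixels is an assumption of this example, and the sample bytes are constructed, not a real malware file. The bytes are only read, never executed, which is the property the static approach relies on.

```python
"""Render a binary as an RGB image for a CNN classifier (added example)."""
from typing import List, Optional

Image = List[List[List[int]]]  # rows x columns x (R, G, B), each value 0..255

# Width chosen from file size, following the table of Nataraj et al. [7]
# (defined there for grayscale images; reusing it for RGB is an assumption).
_WIDTH_BY_SIZE = [
    (10 * 1024, 32), (30 * 1024, 64), (60 * 1024, 128), (100 * 1024, 256),
    (200 * 1024, 384), (500 * 1024, 512), (1000 * 1024, 768),
]


def image_width_for(size: int) -> int:
    """Image width in pixels for a file of `size` bytes."""
    for limit, width in _WIDTH_BY_SIZE:
        if size < limit:
            return width
    return 1024


def bytes_to_rgb(data: bytes, width: Optional[int] = None) -> Image:
    """Every three consecutive bytes become one (R, G, B) pixel; the stream is
    zero-padded so that the last row is complete. The bytes are only read,
    never executed, so packed or malicious input is handled like any other."""
    if not data:
        raise ValueError("empty input cannot be rendered")
    if width is None:
        width = image_width_for(len(data))
    row_bytes = width * 3
    padded = data + b"\x00" * ((-len(data)) % row_bytes)
    rows: Image = []
    for start in range(0, len(padded), row_bytes):
        row = padded[start:start + row_bytes]
        rows.append([[row[i], row[i + 1], row[i + 2]] for i in range(0, row_bytes, 3)])
    return rows


def resize_nearest(img: Image, size: int) -> Image:
    """Nearest-neighbour resize to size x size (a dependency-free stand-in for
    the library resize used when preparing the dataset)."""
    height, width = len(img), len(img[0])
    return [[img[y * height // size][x * width // size] for x in range(size)]
            for y in range(size)]


def prepare_input(data: bytes, size: int = 224) -> Image:
    """Full preparation step: bytes -> RGB image -> size x size."""
    return resize_nearest(bytes_to_rgb(data), size)


# Constructed sample: a fake DOS header followed by a repeating byte pattern.
# It stands in for a real file; it is not a malware sample.
SAMPLE = b"MZ" + bytes(range(256)) * 4

if __name__ == "__main__":
    img = prepare_input(SAMPLE)
    print(len(img), len(img[0]), img[0][0])
```

In a real pipeline the same function is run over every file in the training and test splits. The width rule is the part worth thinking about: convolutional filters look for local texture, so files of similar size should be laid out with the same width if their images are to be comparable, which is why the width is tied to a size band rather than chosen per file.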
4. IMPLEMENTATION METHODOLOGY

The experimental setup involved training the models for 10 epochs on a system with an RTX 3050 GPU. To increase the effectiveness of the models, pre-trained ImageNet weights were loaded before training began, so each model was fine-tuned rather than trained from scratch. A learning rate of 10^-4 was used, configured to adapt during training down to a minimum allowed learning rate of 10^-7.

We ran extensive tests to gauge the precision and effectiveness of our method. We do this by measuring each deep neural network's classification accuracy on unseen samples after training it on a broad array of malware samples. One of the key metrics used in the evaluation of resource efficiency is computational latency, measured as the time taken to classify the set of 550 test images. Accuracy, recall and F1 score were also recorded while testing the models and are reported below. The models used are described as follows.

4.1 ResNetV2

Very deep convolutional neural networks (CNNs) are difficult to train; ResNetV2 is an extension of ResNet created to address those challenges. By introducing "bottleneck" blocks that compress feature maps, it retains accuracy while lowering computational complexity. To reduce degradation and hasten convergence during training, "pre-activation" modules place batch normalization and ReLU activation before the convolutions. ResNetV2 performs better than its predecessor, especially in deeper network topologies, displaying increased training effectiveness and precision. ResNetV2, a pioneering architecture in computer vision research, has been widely used for image classification, object recognition, and semantic segmentation. Its contributions advance the state of the art in image recognition by mitigating gradient problems in deep CNNs.

4.2 DenseNet201

DenseNet201 is a deep convolutional neural network architecture that extends the DenseNet concept to 201 layers. It utilizes dense blocks, in which each layer receives the feature maps of all preceding layers, facilitating feature reuse and mitigating the vanishing gradient problem. This densely connected structure fosters efficient information flow and parameter sharing, resulting in improved parameter efficiency and better gradient propagation during training. With its substantial depth, DenseNet201 excels at learning complex patterns and representations from data, making it highly effective for computer vision tasks such as image classification, object detection, and semantic segmentation. Its strong performance on benchmark datasets has established DenseNet201 as a leading architecture for visual recognition tasks.
4.3 InceptionNetV3

InceptionNetV3, also known as Inception V3, is an improved convolutional neural network architecture created for image recognition. Building on its forerunners, InceptionNet and Inception V2, it runs parallel convolutional layers of various filter sizes to capture features at several scales and resolutions. To capture both fine-grained and global characteristics, the "Inception module" concurrently applies 1x1, 3x3 and 5x5 convolutions, while factorized 7x7 convolutions lessen computational complexity without sacrificing the receptive field.

With batch normalization and auxiliary classifiers, it also improves convergence and addresses the vanishing gradient issue. Global average pooling minimizes the number of parameters and reduces overfitting. InceptionNetV3 has been widely used in research and practical applications because of its strong performance in image classification, object detection and visual recognition tasks.

Fig-4: MobileNet Architecture

4.4 Xception

The deep convolutional neural network architecture known as Xception, short for "Extreme Inception", was introduced by Google and is motivated by the Inception idea. It replaces conventional convolutions with depthwise separable convolutions, which combine a depthwise convolution with a pointwise (1x1) convolution, while maintaining accuracy.

Xception speeds up training and inference by improving feature learning and parameter efficiency, making it a strong choice for computer vision workloads, especially in contexts with limited resources such as mobile devices and edge computing. Xception has established itself as a leading deep learning model and a popular option for image recognition applications thanks to its performance.

4.5 MobileNet Small

MobileNet Small is a variation of the MobileNet architecture designed for fast and effective deep learning on devices with limited resources. It significantly decreases model size and computational complexity by using depthwise separable convolutions, ensuring good performance on mobile devices and embedded systems.

Despite its small size, MobileNet Small retains respectable accuracy in tasks like object detection and image classification. It is an ideal option for on-device AI applications because this design decision enables real-time processing and reduces computational and energy costs. MobileNet Small, which is widely used in edge computing applications, demonstrates its usefulness in bringing deep learning to mobile and embedded devices.

Fig-5: MobileNet Architecture

4.6 MobileNet Large

MobileNet Large is a lightweight deep learning architecture designed for efficient image classification on mobile devices. It also uses depthwise separable convolutions, together with a width multiplier and a resolution multiplier, to reduce computational complexity and model size. Despite its efficiency-focused design, MobileNet Large maintains competitive accuracy and is well-suited to real-time applications on resource-constrained devices.

In summary, MobileNet Small sacrifices some accuracy for even greater efficiency and compactness, making it ideal for scenarios where minimizing model size and computational requirements is critical, while MobileNet Large strikes a balance between efficiency and accuracy, making it more suitable for general-purpose mobile vision applications on devices with moderate resources.
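Where the saving from depthwise separable convolutions comes from, as an added worked example (not code from the paper): it counts the parameters and multiply-accumulate operations (MACs) of one standard k x k convolution against the depthwise plus pointwise pair that Xception and MobileNet substitute for it, and applies MobileNet's width and resolution multipliers. Stride 1, "same" padding and no bias terms are assumed, and the 56x56x256 layer used in the demo is a constructed shape, not one taken from the paper.

```python
"""Parameter and MAC counts: standard vs. depthwise separable convolution (added example)."""
from typing import Dict


def standard_conv_cost(h: int, w: int, k: int, c_in: int, c_out: int) -> Dict[str, int]:
    """A k x k convolution from c_in to c_out channels over an h x w map
    (stride 1, 'same' padding, no bias): every output pixel of every output
    channel looks at k*k*c_in inputs."""
    params = k * k * c_in * c_out
    return {"params": params, "macs": h * w * params}


def separable_conv_cost(h: int, w: int, k: int, c_in: int, c_out: int) -> Dict[str, int]:
    """The same layer as a depthwise k x k convolution (one filter per input
    channel, no channel mixing) followed by a pointwise 1 x 1 convolution that
    does the mixing."""
    depthwise = k * k * c_in
    pointwise = c_in * c_out
    return {"params": depthwise + pointwise, "macs": h * w * (depthwise + pointwise)}


def reduction_ratio(k: int, c_out: int) -> float:
    """Closed form of separable/standard cost: 1/c_out + 1/k^2
    (the h, w and c_in factors cancel)."""
    return 1.0 / c_out + 1.0 / (k * k)


def mobilenet_layer_cost(h: int, w: int, k: int, c_in: int, c_out: int,
                         alpha: float = 1.0, rho: float = 1.0) -> Dict[str, int]:
    """Separable layer after MobileNet's width multiplier alpha (thins every
    channel count) and resolution multiplier rho (shrinks the input map).
    Cost falls by roughly alpha^2 * rho^2."""
    return separable_conv_cost(int(h * rho), int(w * rho), k,
                               max(1, int(c_in * alpha)), max(1, int(c_out * alpha)))


if __name__ == "__main__":
    std = standard_conv_cost(56, 56, 3, 256, 256)
    sep = separable_conv_cost(56, 56, 3, 256, 256)
    print(std["macs"], sep["macs"], sep["macs"] / std["macs"])
    print(mobilenet_layer_cost(56, 56, 3, 256, 256, alpha=0.5, rho=0.5)["macs"])
```

For the 3x3, 256-channel layer in the demo the separable form needs about 11.5% of the MACs of the standard one (1/256 + 1/9), and halving both multipliers divides that again by about 16. That is the budget the latency column of Table 2 reflects; it says nothing about the accuracy the thinner model reaches, which has to be measured.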
5. RESULTS AND DISCUSSIONS

Table-2: Results Obtained from Training Various DNNs

Model | Compute Latency (s, 550 test images) | Accuracy (%) | Recall (%) | F1 Score (%)
ResNetV2 | 8.062 | 86.54 | 86.27 | 86.78
DenseNet201 | 10.87 | 94.54 | 94.43 | 94.42
InceptionNetV3 | 8.33 | 91.81 | 91.53 | 91.64
Xception | 8.11 | 93.63 | 93.68 | 93.64
MobileNet-Small | 3.51 | 85.63 | 84.52 | 81.77
MobileNet-Large | 6.17 | 88.01 | 87.92 | 87.87

The above table summarizes the results obtained from testing the various DNNs on the MaleVis [6] dataset. The compute latency is the time taken, in seconds, to classify the 550 test images sampled from the dataset. DenseNet201 achieved the highest accuracy of all models during the test run, but the tradeoff between computational latency and accuracy is clearly visible: DenseNet201 also had the highest latency.

MobileNet-Small, on the other hand, showed an accuracy on par with that of ResNetV2 with an exceptionally low computational latency of just 3.51 seconds, although its F1 score (81.77) sits well below its accuracy, which indicates that some of the ten families are classified noticeably worse than others. This suggests that, with effective fine-tuning of the model, it could be deployed viably in real-world scenarios as well. MobileNet-Large achieved an accuracy higher than that of its smaller counterpart, with a slight tradeoff in computational latency.

Furthermore, the above set of results can be used to choose the right model for deployment in resource-constrained scenarios, according to the requirements and the computational power available on the edge devices. Table 2 does not state the hardware on which the latencies were measured; before relying on these figures for an edge deployment, they should be re-measured on the target device, as only the relative ordering of the models can be expected to carry over.
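How the figures in Table 2 are produced and then used, as an added example that is not code from the paper: accuracy, macro-averaged recall and F1 from a list of labels and predictions (the paper does not state how recall and F1 are averaged over the ten classes, so macro averaging is an assumption here), a latency measurement that runs a warm-up call before timing the batch, and a selector that converts the Table 2 latencies to milliseconds per image, scales them by a user-supplied slowdown factor for the target device (the figures have to be re-measured or rescaled for whatever hardware the model is actually deployed on), and returns the most accurate model that fits a budget. The labels, predictions and the stub classifier are constructed.

```python
"""Evaluation metrics, latency measurement and model selection (added example)."""
import time
from collections import Counter
from typing import Callable, Dict, Optional, Sequence, Tuple

N_TEST_IMAGES = 550  # size of the test set behind Table 2

# Table 2 of the paper: seconds to classify 550 images, accuracy in percent.
TABLE_2: Dict[str, Tuple[float, float]] = {
    "ResNetV2": (8.062, 86.54),
    "DenseNet201": (10.87, 94.54),
    "InceptionNetV3": (8.33, 91.81),
    "Xception": (8.11, 93.63),
    "MobileNet-Small": (3.51, 85.63),
    "MobileNet-Large": (6.17, 88.01),
}


def accuracy(y_true: Sequence[int], y_pred: Sequence[int]) -> float:
    """Fraction of samples whose predicted class matches the label."""
    if not y_true:
        raise ValueError("no samples")
    return sum(t == p for t, p in zip(y_true, y_pred)) / len(y_true)


def macro_recall_f1(y_true: Sequence[int], y_pred: Sequence[int]) -> Tuple[float, float]:
    """Per-class recall and F1 from the confusion counts, averaged over classes
    with equal weight (macro), so a badly handled family is not hidden by the
    others (assumed averaging; the paper does not say which it used)."""
    counts = Counter(zip(y_true, y_pred))
    classes = sorted(set(y_true) | set(y_pred))
    recalls, f1s = [], []
    for c in classes:
        tp = counts[(c, c)]
        fn = sum(v for (t, p), v in counts.items() if t == c and p != c)
        fp = sum(v for (t, p), v in counts.items() if t != c and p == c)
        recall = tp / (tp + fn) if tp + fn else 0.0
        precision = tp / (tp + fp) if tp + fp else 0.0
        f1 = 2 * precision * recall / (precision + recall) if precision + recall else 0.0
        recalls.append(recall)
        f1s.append(f1)
    return sum(recalls) / len(classes), sum(f1s) / len(classes)


def measure_latency(classify: Callable[[bytes], int], samples: Sequence[bytes],
                    warmup: int = 1) -> Tuple[float, float]:
    """Total seconds for the whole set and milliseconds per sample. The first
    `warmup` calls are run but not timed: they usually include weight loading
    and graph compilation and would inflate a 550-image total."""
    for sample in samples[:warmup]:
        classify(sample)
    start = time.perf_counter()
    for sample in samples:
        classify(sample)
    total = time.perf_counter() - start
    return total, 1000.0 * total / len(samples)


def per_image_ms(model: str, slowdown: float = 1.0) -> float:
    """Table 2 latency as milliseconds per image, scaled by how much slower the
    deployment device is than the machine the table was measured on."""
    total_s, _ = TABLE_2[model]
    return 1000.0 * total_s / N_TEST_IMAGES * slowdown


def select_model(budget_ms: float, slowdown: float = 1.0) -> Optional[str]:
    """Most accurate Table 2 model whose scaled per-image latency fits the budget."""
    fitting = [m for m in TABLE_2 if per_image_ms(m, slowdown) <= budget_ms]
    if not fitting:
        return None
    return max(fitting, key=lambda m: TABLE_2[m][1])


# Constructed labels and predictions for ten test images over three classes.
Y_TRUE = [0, 0, 0, 1, 1, 1, 2, 2, 2, 2]
Y_PRED = [0, 0, 1, 1, 1, 0, 2, 2, 2, 1]

if __name__ == "__main__":
    print(accuracy(Y_TRUE, Y_PRED), macro_recall_f1(Y_TRUE, Y_PRED))
    total, ms = measure_latency(lambda b: len(b) % 3, [b"x" * 64] * 100)
    print(f"{total:.4f}s total, {ms:.3f} ms/image")
    print(select_model(budget_ms=10.0), select_model(budget_ms=10.0, slowdown=4.0))
```

With a 10 ms per-image budget on the reference hardware only MobileNet-Small (about 6.4 ms) fits; with a slowdown of 4 nothing does, which is the signal to quantize or prune before deploying rather than to relax the budget. Macro averaging is also why MobileNet-Small's F1 in Table 2 can sit well below its accuracy: a family it mostly misses pulls the average down even when the overall hit rate looks fine.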
6. CONCLUSION

In this article, we have explored the application of deep neural networks (DNNs) for malware classification. Malware detection and classification are critical tasks in today's cybersecurity landscape due to the ever-evolving nature of malicious threats. Traditional non-machine learning methods such as static and dynamic analysis have been widely used but face challenges in coping with the increasing complexity and diversity of malware.

The machine learning part of this work focused on the DNN architectures ResNetV2, DenseNet201, InceptionNetV3, Xception, MobileNet Small, and MobileNet Large. These DNNs have demonstrated promising results in various computer vision tasks and have shown potential for tackling malware classification as well.

From the performance evaluation, it is evident that DNN architectures can effectively detect and classify malware binaries with high accuracy and improved generalization. DenseNet201 showed the best performance among the models evaluated, with an accuracy of 94.54%. The ability to handle large-scale datasets and learn intricate patterns allows DNNs to discriminate between closely related malware variants. Moreover, transfer learning can be leveraged to adapt models pre-trained on related tasks, reducing the data requirements and training time.

Regarding applicability on edge devices, the compact nature of some DNNs, such as MobileNet Small and MobileNet Large, allows for efficient deployment on resource-constrained devices such as IoT devices and smartphones. The ability to perform classification at the edge can enhance real-time threat detection and response, removing the need for constant cloud communication and reducing latency.

However, societal concerns also need to be addressed when using DNNs for malware classification. There are ethical and privacy considerations related to data collection, model fairness, and potential misuse of these technologies. It is crucial to adhere to robust privacy policies and to ensure the transparency and accountability of the deployed models.

REFERENCES

[1] A. S. Bozkir et al. "Utilization and Comparision of Convolutional Neural Networks in Malware Recognition." 2019 27th Signal Processing and Communications Applications Conference (SIU), IEEE, 2019.
[2] Y. Chen et al. "Deep Learning for Secure Mobile Edge Computing." arXiv [cs.CR], 2017, http://arxiv.org/abs/1709.08025
[3] M. Kalash et al. "Malware Classification with Deep Convolutional Neural Networks." 2018 9th IFIP International Conference on New Technologies, Mobility and Security (NTMS), IEEE, 2018, pp. 1–5.
[4] M. E. Khoda et al. "Malware Detection in Edge Devices with Fuzzy Oversampling and Dynamic Class Weighting." Applied Soft Computing, vol. 112, 2021, p. 107783, doi:10.1016/j.asoc.2021.107783.
[5] Q.-D. Ngo et al. "A Survey of IoT Malware and Detection Methods Based on Static Features." ICT Express, vol. 6, no. 4, 2020, pp. 280–286, doi:10.1016/j.icte.2020.04.005.
[6] R. Pascanu et al. "Malware Classification with Recurrent Networks." 2015 IEEE International Conference on Acoustics, Speech and Signal Processing (ICASSP), IEEE, 2015, pp. 1916–1920.
[7] L. Nataraj, S. Karthikeyan, G. Jacob, and B. Manjunath. "Malware Images: Visualization and Automatic Classification." Proceedings of the 8th International Symposium on Visualization for Cyber Security, ACM, 2011, p. 4.
[8] A. Lanzi, D. Balzarotti, C. Kruegel, M. Christodorescu, and E. Kirda. "AccessMiner: Using System-Centric Models for Malware Protection." Proceedings of the 17th ACM Conference on Computer and Communications Security (CCS '10), ACM, New York, NY, USA, 2010, pp. 399–412.
[9] M. Kalash, M. Rochan, N. Mohammed, N. D. Bruce, Y. Wang, and F. Iqbal. "Malware Classification with Deep Convolutional Neural Networks." 2018 9th IFIP International Conference on New Technologies, Mobility and Security (NTMS), IEEE, 2018, pp. 1–5.
[10] A. H. Sung, J. Xu, P. Chavez, and S. Mukkamala. "Static Analyzer of Vicious Executables (SAVE)." Proceedings of the 20th Annual Computer Security Applications Conference (ACSAC '04), IEEE Computer Society, Washington, DC, USA, 2004, pp. 326–334.
[11] M. Christodorescu and S. Jha. "Static Analysis of Executables to Detect Malicious Patterns." Proceedings of the 12th USENIX Security Symposium (SSYM '03), USENIX Association, Berkeley, CA, USA, 2003.
[12] "Microsoft Malware Classification Challenge (BIG 2015)." https://www.kaggle.com/c/malware-classification, 2017, accessed 2017-01-30.
[13] J. Drew, T. Moore, and M. Hahsler. "Polymorphic Malware Detection Using Sequence Classification Methods." IEEE Security and Privacy Workshops, IEEE, 2016, pp. 81–87.
[14] J. Drew, M. Hahsler, and T. Moore. "Polymorphic Malware Detection Using Sequence Classification Methods and Ensembles." EURASIP Journal on Information Security, vol. 2017, no. 1, p. 2, 2017.
[15] M. Ahmadi, D. Ulyanov, S. Semenov, M. Trofimov, and G. Giacinto. "Novel Feature Extraction, Selection and Fusion for Effective Malware Family Classification." Proceedings of the Sixth ACM Conference on Data and Application Security and Privacy, ACM, 2016, pp. 183–194.
[16] D. Gibert Llaurado. "Convolutional Neural Networks for Malware Classification." Master's thesis, Universitat Politecnica de Catalunya, 2016.
