Opcode
Computer science
Artificial intelligence
Malware
Support vector machine
Classifier (UML)
Machine learning
Pattern recognition (psychology)
Data mining
Computer hardware
Operating system
Authors
Xuetao Zhang, Meng Sun, Jiabao Wang, Jinshuang Wang
Source
Journal: Advances in intelligent systems and computing
Date: 2019-04-16
Volume/issue: 489-502
Citations: 7
Identifier
DOI: 10.1007/978-3-030-16946-6_39
Abstract
Nowadays it is challenging for traditional static malware detection methods to keep pace with the rapid development of malware variants, so machine-learning-based malware detection approaches have begun to flourish. Typically, operation codes (opcodes) disassembled from binary programs are fed to classifiers such as SVM and KNN for classification. However, this feature extraction method does not make full use of the sequential relations between opcodes, and the classification model has few dimensions and limited matching ability. Therefore, this paper proposes a malware detection model based on a residual network. First, the model extracts opcode sequences using a disassembler. To improve the expressiveness of the opcode vectors, Word2Vec is used to represent opcodes, and the word-vector representations of opcodes are further optimized during training iterations. However, an overlapping opcode matrix combined with the convolution operation results in information redundancy. To overcome this problem, a downsampling method is adopted to organize opcode sequences into an opcode matrix, which effectively controls time and space complexity. To improve the classification ability of the model, a classifier with more layers and cross-layer connections, based on ResNet, is proposed to match malicious code in more dimensions. Experiments show that the malware classification accuracy of the model in this paper is 98.2%, while the additional processing time compared with traditional classifiers remains negligible.