Deep Transfer Learning for Static Malware Classification

Abstract--We propose to apply deep transfer learning from computer vision to static malware classification. In the transfer learning scheme, we borrow knowledge from natural images or objects and apply to the target domain of static malware detection. As a result, training time of deep neural networks is accelerated while high classification performance is still maintained. We instrument an interpretation component to the algorithm and provide interpretable explanations to enhance security practitioners' trust to the model. We further discuss a convex combination scheme of transfer learning and training from scratch for enhanced malware detection, and provide insights of the algorithmic interpretation of vision-based malware classification techniques. I. INTRODUCTION Malware is a type of software that possesses malicious characteristics to cause damage to the user, computer or network. Categories of malware include virus, trojan horses, worms, spyware, ransomware and so on. Static analysis is a quick and straightforward way to detect malware without executing the application or monitoring the run time behavior. Onemain technique is the so-called signature matching, where the goal is to search whether the strings in the code actually match any identified malicious patterns in database. However when the code is obfuscated or morphed, signature matching cannot be applied and becomes less resilient to detect malicious patterns.