Deep learning (DL) models have shown remarkable performance in detecting malware. However, with the increasing complexity of hidden malware, traditional signature-based detection has become less and less effective. In addition, the deployment of DL models in security operations has become more and more limited due to the lack of interpretability. In this paper, we present an approach that combines robust analysis with high accuracy and explainable understanding. This is a process of normalizing Portable Executable (PE) files into standardized Assembly Language (ASM) code, thereby significantly reducing lexical noise by abstracting operands and eliminating meaningless instructions. Word2Vec is responsible for encoding the sequences, and it will be analyzed using a hybrid architecture consisting of a Convolutional Neural Network (CNN) for local feature extraction and Bidirectional Long Short-Term Memory (BiLSTM) for temporal dependency modeling. Moreover, our contribution lies in the specialized Attention mechanism to visualize decision boundaries, allowing us to see and identify the location of malicious code segments. We tested on a diverse dataset and showed the model accuracy up to 99.68% with a low false positive rate. This shows that our solution brings transparency and efficiency to the problem of detecting current threats.

错误:搜索内容不能为空,请输入英文关键词
错误:关键词超出字数限制,请精简
高级检索

Explainable Malware Detection from Normalized PE Disassembly Using CNN–BiLSTM with Token-Level Attention

  • Duy Lu Hoang,
  • Kiet Nguyen Tuan,
  • Nguyen Duc Thai

摘要

Deep learning (DL) models have shown remarkable performance in detecting malware. However, with the increasing complexity of hidden malware, traditional signature-based detection has become less and less effective. In addition, the deployment of DL models in security operations has become more and more limited due to the lack of interpretability. In this paper, we present an approach that combines robust analysis with high accuracy and explainable understanding. This is a process of normalizing Portable Executable (PE) files into standardized Assembly Language (ASM) code, thereby significantly reducing lexical noise by abstracting operands and eliminating meaningless instructions. Word2Vec is responsible for encoding the sequences, and it will be analyzed using a hybrid architecture consisting of a Convolutional Neural Network (CNN) for local feature extraction and Bidirectional Long Short-Term Memory (BiLSTM) for temporal dependency modeling. Moreover, our contribution lies in the specialized Attention mechanism to visualize decision boundaries, allowing us to see and identify the location of malicious code segments. We tested on a diverse dataset and showed the model accuracy up to 99.68% with a low false positive rate. This shows that our solution brings transparency and efficiency to the problem of detecting current threats.