DEFENDIFY: defense amplified with transfer learning for obfuscated malware framework

Abstract

The existence of malicious software (malware) represents a potential threat to users who connect to a large set of services provided by multiple providers. Such malware is capable of stealing, spying on, encrypting data from users, and spreading, provoking impacts that are beyond a single citizen’s device and reaching critical information systems. To detect malware families, Machine Learning and Deep Learning techniques have been employed recently, demonstrating promising results. However, these techniques lack in detecting more advanced malware that employs obfuscation techniques. In this paper, we present DEFENDIFY, a novel framework, empowered by Computer Vision, Deep Learning, and Transfer Learning techniques, that is able to detect completely obfuscated malware with high performance in terms of accuracy and computational consumption. DEFENDIFY comprises three modules: Dataset Creation, Binary Obfuscation, and Model Generation. These modules work together to detect both obfuscated and nonobfuscated malware. The core module, i.e., the Model Generation, employs an entropy tester that determines whether a sample is obfuscated or not. Then, a Deep Learning model powered by Transfer Learning is employed to determine if it is malware or goodware. We validated our framework using real data gathered from malware repositories and legitimate software. The proposed framework was configured to test four Convolutional Neural Network architectures: ResNet18, ResNet34, EfficientNetB3, and EfficientNetV2S. Among them, the ResNet18 architecture obtained the best performance in detecting both non-obfuscated and obfuscated samples with an F1-score of 99.34% and 97.5%, respectively.