malwaregan: Visualizing malware behavior, and proactive protection using GANs
Emulating malware authors for proactive protection using GANs over a distributed image visualization of dynamic file behavior.
References to the code
- The WGAN-GP model trained is based on the code published at here.
We used the improved_wgan_training/gan_64x64.py script with the network architectures defined by GoodGenerator and GoodDiscriminator functions.
- The 64-bit dHash used per channel is based on the implementation here. An extension of the hash by concatenating dHashes across the channels for color images is presented in the color_dHash192.py script.
dataset_filedetails.csv: Lists the file SHA256 hashes and the file names of the 12,006 distinct executables used.
API Calls Hooked
HookedApiCallList.txt: Lists all the 1,984 individual API calls that were hooked for determining the call invocation sequences of executables.
Figures (full resolution)
Figure 7a: figure7a_samples_malware_gan_train.png: Samples of 64×64 image representations corresponding to 32 distinct Malicious files randomly chosen from the images used for Training the WGAN-GP model.
Figure 7b: figure7b_samples_malware_gan_valid.png: Samples of 64×64 image representations corresponding to 32 distinct Malicious files randomly chosen from the images used for Validating the WGAN-GP model.
Figure 10b: figure10b_wgan_generated_samples.png: Samples of 64×64 image representations corresponding to 64 synthetic images generated by the Generator after training the WGAN-GP model for 45,000 generator iterations.
software_categorization_details/: Contains the 64×64 PNGs of the scaled images used in Table 3 of the paper for demonstrating software categorization using images.
software_categorization_details/table3_filedetails.csv: Lists the details of the files used in Table 3 of the paper, including, the file names, SHA256 digests, and their corresponding image hashes (SHA256 and 192-bit color dHash).
software_categorization_details/figure5_filedetails_categories_dhash_cutoff.csv: Lists the details of the 254 files belonging to 21 file categories used for determining an optimal dHash cutoff demonstrated in Figure 5 of the paper.
Vector Arithmetic and Image Decodings
vector_arithmetic_and_decodings/: Contains the PNGs used to demonstrate the decoding of the images to the API information and the vector arithmetic in the noise vs pixel space. The image decodings of the corresponding images are contained in the vector_arithmetic_and_decodings/image_decodings/ folder.
Training the GAN
The WGAN-GP model was trained on 4 Nvidia GTX TITAN X GPUs for about a day (~1.7 seconds per generator iteration) using tensorflow 1.5.0 on an Ubuntu 14.04 system with Nvidia driver version 389.80, CuDNN 7, and CUDA 9.0.
Training the XGBoost Model
The XGBoost model of Section 4 of the paper was trained on the XGBoost 0.6 release with the following booster hyperparameters:
Author: V.S. Bhaskara, and D. Bhattacharyya