Microsoft and Intel are using deep learning and a neural network to detect malicious programs. The STAMINA (STAtic Malware-as-Image Network Analysis) project converts malware samples into two-dimensional grayscale images, which a neural network can then classify based on their visual structure and texture.
Researchers from the two companies have jointly developed a new approach to malware detection. Microsoft supplied the STAMINA project with more than 2 million infected files: 60% of the samples were used to train the deep neural network (DNN), 20% were held out to evaluate the DNN during development, and the remaining 20% were held out to test the effectiveness of STAMINA as a whole. The team achieved an accuracy rate of 99.07% in detecting and classifying malware samples, with a false positive rate of only 2.58%.
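The two steps described above, rendering a binary as a grayscale image and splitting a corpus 60/20/20, are shown here as an added example written for this page; it is not code from the STAMINA project or from Microsoft or Intel. The size-to-width table is an assumption for illustration, modelled on the kind of table used in earlier malware-image work, not STAMINA's own; the fixed output size and the constructed sample bytes are likewise assumptions. The example needs only the Python standard library.

```python
"""Render a byte stream as a grayscale 2D image and split a corpus 60/20/20.

Illustrative example, not STAMINA's own code. Each byte becomes one pixel
intensity (0..255), rows are `width` pixels long, and the last row is
zero-padded. The width table below is an assumption chosen so that images
of very different file sizes stay roughly square.
"""
import random
from typing import List, Optional, Sequence, Tuple

# (upper size bound in bytes, image width in pixels); assumed values, not STAMINA's table.
WIDTH_TABLE = [
    (10 * 1024, 32),
    (30 * 1024, 64),
    (60 * 1024, 128),
    (100 * 1024, 256),
    (200 * 1024, 384),
    (500 * 1024, 512),
    (1000 * 1024, 768),
]
DEFAULT_WIDTH = 1024  # files of 1 MB and above


def choose_width(size: int) -> int:
    """Pick a row width from the file size so the image is not a single long strip."""
    for limit, width in WIDTH_TABLE:
        if size < limit:
            return width
    return DEFAULT_WIDTH


def bytes_to_image(data: bytes, width: Optional[int] = None) -> List[List[int]]:
    """Map raw bytes onto a 2D grid of pixel intensities; the last row is padded with zeros."""
    if width is None:
        width = choose_width(len(data))
    rows: List[List[int]] = []
    for off in range(0, len(data), width):
        row = list(data[off:off + width])
        row.extend([0] * (width - len(row)))  # pad the final partial row
        rows.append(row)
    return rows


def resize_nearest(img: List[List[int]], out_h: int, out_w: int) -> List[List[int]]:
    """Nearest-neighbour resize to the fixed input shape a CNN expects (shape is an assumption here)."""
    in_h, in_w = len(img), len(img[0])
    return [[img[y * in_h // out_h][x * in_w // out_w] for x in range(out_w)]
            for y in range(out_h)]


def write_pgm(img: List[List[int]], path: str) -> None:
    """Write the grid as a binary PGM (P5) file so it can be viewed without extra libraries."""
    h, w = len(img), len(img[0])
    with open(path, "wb") as f:
        f.write(f"P5\n{w} {h}\n255\n".encode("ascii"))
        for row in img:
            f.write(bytes(row))


def split_60_20_20(items: Sequence, seed: int = 0) -> Tuple[list, list, list]:
    """Shuffle once with a fixed seed and cut into train / validation / test sets (60% / 20% / 20%)."""
    pool = list(items)
    random.Random(seed).shuffle(pool)
    n_train = int(len(pool) * 0.6)
    n_val = int(len(pool) * 0.2)
    return pool[:n_train], pool[n_train:n_train + n_val], pool[n_train + n_val:]


if __name__ == "__main__":
    # Constructed sample: a high-entropy region (what packed or encrypted code looks like)
    # followed by a zero-filled region; this is not a real malware sample.
    rng = random.Random(1)
    sample = bytes(rng.randrange(256) for _ in range(3000)) + b"\x00" * 2000
    img = bytes_to_image(sample)
    print(f"{len(sample)} bytes -> {len(img[0])}x{len(img)} pixels")
    write_pgm(resize_nearest(img, 64, 64), "sample.pgm")
    train, val, test = split_60_20_20(list(range(100)), seed=42)
    print(len(train), len(val), len(test))
```

The high-entropy block shows up as visual noise and the zero-filled block as a flat dark band, which is exactly the kind of texture a convolutional network can learn to separate; a fixed seed in the split keeps the test set stable between training runs so reported accuracy and false positive figures are comparable.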
“As a rule, deep neural networks are difficult to set up. Here, the use of battle-tested neural network architectures, such as Inception (for tasks such as image classification), allows us to use transfer learning, which reduces the burden of training deep neural networks from scratch,” said Intel specialist Ravi Sahita.
The use of deep learning gives broader coverage and allows malware to be classified at a speed and scale that keeps pace with the rate at which malware can be created by automated means, helping security experts filter out noise and focus on the threats that pose the greatest risk.
However, this type of system also has drawbacks. Depending on the neural network architecture used, the cost of training and inference may be higher than with traditional, lighter-weight malware detection methods.
STAMINA is also unable to “see” aspects of malware that can only be detected at runtime, such as a payload being decrypted in memory or unwanted behavior (for example, ransomware activity). To address this, Intel is pursuing forward-looking research into approaches that resist adversarial evasion, the extraction of telemetry from runtime behavior patterns, and CPU telemetry. These additional data streams can be combined with deep learning methods to eliminate blind spots and classify malware more reliably.