Stories behind decisions: Towards interpretable malware family classification with hierarchical attention

Published: 01 Jan 2024, Last Modified: 11 Apr 2025 | Comput. Secur. 2024 | CC BY-SA 4.0
Abstract: Malware family classification is essential for understanding malware code and behavioral characteristics, significantly reducing analysis time and response time for emerging malware. However, existing malware family classification methods are limited for two reasons. (1) The feature representation learned from a single information source is not sufficiently discriminative for large-scale malware family classification. (2) The lack of interpretability of classification results makes it difficult to provide intuitive guidance for malware analysis. To tackle these issues, we propose MalAtt, a novel malware family classification method for interpretable and large-scale classification. Specifically, a unified feature engineering approach is proposed to obtain an integrated embedding from heterogeneous static and dynamic information. Then, a hierarchical attention encoder module is employed to progressively extract semantic features from the static and dynamic embeddings. A collaborative attention module is introduced to model the association between high-level static and dynamic features. Finally, MalAtt is pluggable for different classifiers, such as SVM and RF, to implement malware family classification. For evaluation, we carefully collected a dataset from 62 malware families containing over 20,070 in-the-wild samples. MalAtt is shown to be effective when classifying large-scale malware families, with an accuracy of 93.26%. Besides, the ablation study demonstrates the rationality of the proposed modules. Additionally, we provide a case study to show how MalAtt intuitively guides in-depth malware analysis by highlighting partial input features with high attention scores.