A. Malware Detection Using Byte Streams of Multiple Formats

Assuming that we have a target file format $f_{t}$ of the malware detection task, and we have training datasets D$^{F}_{train}$ for a certain list of file formats $F=\{f_{1}, f_{2}, \ldots, f_{|F|}\}$ including the target format $f_{t}$ as well as a test dataset $D^{f_{t}}_{test}$ . Note that the training datasets cover all file formats, whereas the test dataset is only for the target format, as shown in Fig. 1. When the malware detection model $M^{f_{t}}$ is trained in a supervised manner for the target format, the model is trained not only with $D^{f_{t}}_{train}$ but also with all other datasets D$^{F}_{train}$ . If we want to have a separated validation set $D^{f_{t}}_{val}$ out of the training datasets, the validation set should be sampled from $D^{f_{t}}_{train}$ but not from other datasets in order to make the validation set to have similar characteristics to the test set.

There is a learning concept, multi-task learning (MTL), that allows a model to learn and solve two or more tasks at the same time. The motivation behind the MTL concept is that the model may learn better through the relationship between multiple tasks. The MTL is different from transfer learning; the MTL aims at solving all the tasks at the same time whereas the transfer learning exploits a source task to solve a target task. The MTL is mostly implemented by parameter sharing that allows the parameters are trained for two or more different tasks at the same time. There are two parameter sharing ways of the MTL concept: soft sharing and hard sharing. Most previous work of MTL concept adopts the hard sharing; it has a single model that has parameters shared across different tasks. The soft sharing way assumes that there are task-specific models that share their parameters. These ways are somewhat related to our proposed method, but they are different because the MTL concept assumes that the model takes the same or similar input for solving multiple tasks closely related to each other. For example, [19] applied the MTL concept for malware detection and malware classification tasks, and their model takes the same shape of sparse binary input vector for solving the tasks; that is, it assumes that we want to solve the two tasks at the same time for a given input. Similarly in [20], their model takes the same input sequence of API calls for solving malware classification and file access pattern generation task. On the other hand, we aim at malware detection task for a specific file format because we will not want to have to run the model on two or more file formats every time. We assume that byte streams of multiple different file formats may complement to each other, and propose a way of utilizing the byte streams of different file formats for training malware detection model.

Even though our method is generally applicable to any set of file formats, we focused two non-executables, PDF and HWP, in this paper; the number of file formats $|F| = 2$ . There are two reasons for this. First, the PDF is one of the most widely-used file formats in the world as reported in [21], so we chose the PDF as it seems to contain more diverse malicious patterns than other formats. Second, because of the special situation between South Korea and North Korea, North Korea continuously cyber-attack South Korea, and malicious code attacks on HWP files is increasing. As the HWP files are widely used by South Korean governments and institutions, it becomes important to develop a robust malware detection model for HWP files.

We use and compare two recently designed CNN models for measuring our method: MalConv [3] and SPAPConv [1]. The MalConv has a shallow and wide architecture using a gate mechanism, and the SPAPConv enhanced embedding representation by employing spatial pyramid average pooling. These models commonly adopt an embedding layer because each byte token is not numerical but a categorical value; the embedding layer generates a distributed representation (i.e., real-numbered vector) from a given byte token. Although these CNN models are known to be able to capture arbitrary features automatically without feature engineering, it is still important to study data characteristics for better model design and parameter engineering. The byte streams of the PDF and HWP files have different lengths on average. As reported in [22], the PDF byte streams are normally 1,000 bytes long, whereas the HWP byte streams often have millions of bytes. Following the previous studies [1], [22], we set the input length $I^{pdf}$ of the PDF-specific detection model $M^{pdf}$ to be 1,000, and the input length of the HWP-specific detection model $I^{hwp}$ is 100,000. To manage the huge gap of input length between the two models, we compare two different padding strategies: post padding and stretch padding [1]. The post padding is widely used in many previous studies, whereas the stretch padding is to spread the element values of the stream evenly and make it a longer stream. Specifically, the PDF streams are much shorter than the HWP streams, so just padding the back of the PDF stream may degrade the performance of CNN model because many convolutional operations run on byte sequences made of only padding tokens. On the other hand, the stretch padding has a potential to alleviate this problem as it allows the convolutional operations run on the evenly spread byte tokens; more details of the stretch padding can be found in [1].

B. Byte Streams of HWP and PDF Formats

To better understand and find motivation of utilizing the byte streams of HWP and PDF files, we investigated the byte streams and studied some cases related to our method. One or more byte streams exist in a single file, as depicted in Fig. 2, and malicious actions can appear in any of these streams. If a byte stream has at least one malicious action, then the stream is called malicious or malware stream, whereas the benign stream contains no malicious action at all.

FIGURE 2.

Malicious and benign byte streams within files.

Show All

The purpose of malware includes stealing industrial secrets from infrastructure, collecting personal information, and making money demands using ransomware. In the past, PE files were mainly used to achieve this purpose, but recently, attacks using document files are increasing. This attack exploits vulnerabilities and functions provided by programs that read and edit document files. Hangul word processor (HWP) provides JavaScript and Visual Basic For Application (VBA) macro functions, and Encapulated PostScript (EPS) files for high-quality pictures can be inserted into documents. Especially, the JavaScript language is often used as a means to make writing interactive web pages easier, and PDFs uses the JavaScript to format data, calculate data, validate data, or specify actions. For this reason, even if the document format is different, when the program supports the same language, such as JavaScript, it can be helpful to use a part of a specific document-type malware for deep learning training in a different document format. In addition, attackers are always devising new attack methods to circumvent existing detection rules; for example, as one of the ideas, attackers try to apply malicious code of a different file format to create a new malicious code that operates on the target file. In many cases, other vulnerabilities for different document types do not work properly in a specific document type, but the potential for malware execution still exists. For example, CVE-2014-1761 utilizes a vulnerability in Rich Text Format (RTF), which has been included in the PrvText stream in HWP. As another example, CVE-2017-11882 uses a vulnerability in Microsoft Office Word. Since the purpose of the malicious behavior is the same, it may be advantageous to use a document-type malware sample in a different format for deep learning training of the target document.

A. Data and Environment

We got 1,856 HWP files and 12,367 PDF files from anti-virus company, and its statistics are summarized in Table 1, where every malware file has at least one malicious byte stream; for example, as shown in Fig. 2, there are two malicious streams and one benign stream in the sample file, so this sample is a malware file as it contains malicious streams. The byte streams are extracted from the files using the algorithm of [22]. The per-stream annotation was performed by using malware detection tools and manual confirmation by human experts. Table 2 summarizes the statistics of byte streams. Note that, for each target, byte streams of the two formats are used to train the corresponding model. For example, when we train $M^{pdf}$ , the byte streams of PDF and HWP are used for training, where the HWP byte streams are only for training; in this case, the HWP byte streams for $M^{pdf}$ are sampled from the set of all HWP files while we kept its label ratio as similar as possible to the label ratio of PDF files.

TABLE 1 Number of Data Files

TABLE 2 Number of Byte Streams

We adopted two recent malware detection models for experiments: MalConv and SPAPConv. The SPAPConv was implemented exactly same as in [1], and MalConv was implemented as done in [3] but with 2-dimensional convolution instead of 1-dimensional convolution. This modification is borrowing the idea of SPAPConv, and it exhibited performance improvements (e.g., 4-5% of accuracy). The input length of PDF byte streams was 1K, and the input length of HWP byte streams was 100K. We used a machine having Intel(R) Core(TM) i9-10900X CPU@3.70GHz and two graphics processing unit (GPU) of GeForce RTX 3090. The models were implemented using Python3 language with Tensorflow packages.

B. Results

We independently conducted experiments for different target formats (e.g., PDF, HWP). For each target format, we performed three experiments and averaged per-class precision, recall, and F1 scores. Following the training recipe of SPAPConv [1], we applied batch normalization [13] for the convolutional layer and drop-out technique [14] for the fully-connected layer. For MalConv, we also took the drop-out technique for the fully-connected layer as done in [3]. For both models, we adopted the cost function of cross-entropy and Adam optimizer [23] with initial learning rate 0.001. The label ratio is skewed as shown in Table 2, so we employed the cost-sensitive learning technique. With the validation dataset, we got the proper number of epochs (e.g., 5-10 epochs) by a grid searching.

The per-class performance of HWP malware detection is described in Table 3, where HWP+PDF indicates that the model is trained using HWP and PDF byte streams together, and stretch and post represent the stretch padding and the conventional post padding, respectively. As the PDF byte streams are relatively shorter than the HWP byte streams in length, the PDF byte streams are mostly padded in either of the two padding ways. Interestingly, with MalConv, training with both byte streams together exhibits performance improvements; especially, precision of malware case was dramatically improved. In terms of the F1 score, using the two byte streams (i.e., HWP+PDF) was superior to using only HWP byte streams. The best F1 score was achieved when we use the stretch padding, and this is consistent with the results of [1]. On the other hand, with SPAPConv, we did not observe any performance improvement. Fig. 3 shows the per-class receiver operating characteristic (ROC) curves of MalConv and SPAPConv, where the padding way is chosen based on their recall values. The SPAPConv exhibits smooth curves, and it might be preferable if we want a detection model with smaller false negative rates.

TABLE 3 Malware Detection Performance on HWP Byte Streams, Where P, R, and F1 Represent Precision, Recall, and F1 Score (%), Respectively

FIGURE 3.

Receiver operating characteristic (ROC) curves of (up) MalConv with stretch padding and (down) SPAPConv with post padding, where area indicates area under the curve (AUC) score.

Show All

Table 4 summarizes the per-class performance of PDF malware detection. As the HWP byte streams are much longer than the PDF byte streams, we got samples of 1000-bytes from the HWP byte streams so the PDF+HWP byte streams have the same length. As shown in this table, we observed that the MalConv has shown the performance improvement but it was not that much, whereas the SPAPConv does not exhibit any improvement. This result is similar to the HWP malware detection result of Table 3, and this might be related to two factors as follows. The first factor is the model size. The number of parameters of MalConv and SPAPConv are 1M and 70K, respectively, therefore the SPAPConv might not have enough power to encode the underlying patterns of different file formats. The second factor is the model architecture, especially what representation it takes for convolutional operations. The MalConv feeds the conventional embedding representations to the convolutional operations, whereas the convolutional layer of SPAPConv takes as input the result of 1-level spatial pyramid average pooling (SPAP) layer. The SPAP layer extracts a representative value for each region of an arbitrary size that allows it to yield an output of a fixed size; that is, long streams will be roughly looked at whereas short streams are closely looked at. Since the difference in length between the PDF and HWP byte streams is large, the SPAP layer might act like a telescope for two objects with a huge difference in distance, so it eventually confused the entire model.

TABLE 4 Malware Detection Performance on PDF Byte Streams, Where P, R, and F1 Represent Precision, Recall, and F1 Score (%), Respectively