Fusing Feature Engineering and Deep Learning: A Case Study for Malware Classification
Daniel Gibert, Carles Mateu, Jordi Planes, Quan Le
TL;DR
This work addresses malware classification by fusing hand-crafted features with deep representations in a unified multimodal framework. By extracting features from hex and assembly views, grayscale malware images, and structural entropy, and then applying early fusion to feed a single XGBoost model, the approach achieves state-of-the-art performance on the Microsoft Malware Classification Challenge. The key contributions include three deep feature streams (grayscale texture, entropy-based shapelets, and N-gram like features) combined with extensive hand-crafted features, and a demonstration that careful feature selection and fusion can outperform sole reliance on deep learning. The findings highlight the practical value of multimodal feature fusion for scalable, signature-less malware classification and point to future work in architecture improvements, texture analysis, and defenses against adversarial and concept-drift threats.
Abstract
Machine learning has become an appealing signature-less approach to detect and classify malware because of its ability to generalize to never-before-seen samples and to handle large volumes of data. While traditional feature-based approaches rely on the manual design of hand-crafted features based on experts knowledge of the domain, deep learning approaches replace the manual feature engineering process by an underlying system, typically consisting of a neural network with multiple layers, that perform both feature learning and classification altogether. However, the combination of both approaches could substantially enhance detection systems. In this paper we present an hybrid approach to address the task of malware classification by fusing multiple types of features defined by experts and features learned through deep learning from raw data. In particular, our approach relies on deep learning to extract N-gram like features from the assembly language instructions and the bytes of malware, and texture patterns and shapelet-based features from malwareś grayscale image representation and structural entropy, respectively. These deep features are later passed as input to a gradient boosting model that combines the deep features and the hand-crafted features using an early-fusion mechanism. The suitability of our approach has been evaluated on the Microsoft Malware Classification Challenge benchmark and results show that the proposed solution achieves state-of-the-art performance and outperforms gradient boosting and deep learning methods in the literature.