Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

kNN Classification of Malware Data Dependency Graph Features

John Musgrave, Anca Ralescu

TL;DR

The paper tackles explainability in malware classification by proposing data dependency graph based features that capture both data movement semantics and program structure. It constructs DDG fingerprints via Weisfeiler-Lehman hashing, encodes them in a high-dimensional Hamming space through one-hot vectors, and applies a non-parametric kNN classifier to labeled Kaggle 2015 malware data. Results show strong multi-class performance with total accuracy of $0.871$ for $k=2$ and at least $0.85$ for $k=3$ and $k=4$, indicating that DDG-based representations correlate with ground truth labels. The approach enables direct similarity computation without training and supports fine-grained, explainable analysis of malware behavior, with clear avenues for extending to more instructions and benign samples.

Abstract

Explainability in classification results are dependent upon the features used for classification. Data dependency graph features representing data movement are directly correlated with operational semantics, and subject to fine grained analysis. This study obtains accurate classification from the use of features tied to structure and semantics. By training an accurate model using labeled data, this feature representation of semantics is shown to be correlated with ground truth labels. This was performed using non-parametric learning with a novel feature representation on a large scale dataset, the Kaggle 2015 Malware dataset. The features used enable fine grained analysis, increase in resolution, and explainable inferences. This allows for the body of the term frequency distribution to be further analyzed and to provide an increase in feature resolution over term frequency features. This method obtains high accuracy from analysis of a single instruction, a method that can be repeated for additional instructions to obtain further increases in accuracy. This study evaluates the hypothesis that the semantic representation and analysis of structure are able to make accurate predications and are also correlated to ground truth labels. Additionally, similarity in the metric space can be calculated directly without prior training. Our results provide evidence that data dependency graphs accurately capture both semantic and structural information for increased explainability in classification results.

kNN Classification of Malware Data Dependency Graph Features

TL;DR

The paper tackles explainability in malware classification by proposing data dependency graph based features that capture both data movement semantics and program structure. It constructs DDG fingerprints via Weisfeiler-Lehman hashing, encodes them in a high-dimensional Hamming space through one-hot vectors, and applies a non-parametric kNN classifier to labeled Kaggle 2015 malware data. Results show strong multi-class performance with total accuracy of for and at least for and , indicating that DDG-based representations correlate with ground truth labels. The approach enables direct similarity computation without training and supports fine-grained, explainable analysis of malware behavior, with clear avenues for extending to more instructions and benign samples.

Abstract

Explainability in classification results are dependent upon the features used for classification. Data dependency graph features representing data movement are directly correlated with operational semantics, and subject to fine grained analysis. This study obtains accurate classification from the use of features tied to structure and semantics. By training an accurate model using labeled data, this feature representation of semantics is shown to be correlated with ground truth labels. This was performed using non-parametric learning with a novel feature representation on a large scale dataset, the Kaggle 2015 Malware dataset. The features used enable fine grained analysis, increase in resolution, and explainable inferences. This allows for the body of the term frequency distribution to be further analyzed and to provide an increase in feature resolution over term frequency features. This method obtains high accuracy from analysis of a single instruction, a method that can be repeated for additional instructions to obtain further increases in accuracy. This study evaluates the hypothesis that the semantic representation and analysis of structure are able to make accurate predications and are also correlated to ground truth labels. Additionally, similarity in the metric space can be calculated directly without prior training. Our results provide evidence that data dependency graphs accurately capture both semantic and structural information for increased explainability in classification results.
Paper Structure (11 sections, 5 equations, 8 figures, 4 tables)

This paper contains 11 sections, 5 equations, 8 figures, 4 tables.

Table of Contents

  1. Introduction
  2. Related Work
  3. Outline
  4. Experiment
  5. Data Pre-Processing
  6. Hamming Space
  7. k-Nearest Neighbors Classifier
  8. Accuracy Metrics
  9. Results
  10. Discussion
  11. Conclusion

Figures (8)

  • Figure 1: Histogram of opcode frequencies in the Microsoft 2015 Kaggle malware dataset
  • Figure 2: Kaggle Malware Dataset Hamming Space. This figure shows the dataset projected from a high dimensional metric space with Hamming Distance to 2 dimensions using t-SNE.
  • Figure 4: Confusion matrix for k-Nearest Neighbors classifier with k=2.
  • Figure 6: Confusion Matrix for kNN classifier, k=3
  • Figure 8: Decision boundary for kNN classifier, k=2. The decision boundary is plotted in the 2 dimensional projection of the Hamming space using t-SNE.
  • ...and 3 more figures