Using fake text vectors to improve the sensitivity of minority class for macro malware detection

To detect new malware, machine learning approaches require many training samples. These training samples contribute to build an accurate model. To maintain the accuracy, collecting comprehensive samples continuously is very important. However, new malicious samples appear one after another, and ther...

Full description

Saved in:
Bibliographic Details
Published inJournal of information security and applications Vol. 54; p. 102600
Main Author Mimura, Mamoru
Format Journal Article
LanguageEnglish
Published Elsevier Ltd 01.10.2020
Subjects
CNN
Data augmentation
Doc2vec
Machine learning
MLP
NLP
Paragraph Vector
Random Forests
SVM
VBA macro
MLP
Paragraph Vector
CNN
NLP
Machine learning
Doc2vec
Data augmentation
VBA macro
Random Forests
SVM
Online AccessGet full text

Cover

More Information
Summary:To detect new malware, machine learning approaches require many training samples. These training samples contribute to build an accurate model. To maintain the accuracy, collecting comprehensive samples continuously is very important. However, new malicious samples appear one after another, and thereby making it difficult. Hence, actual small training samples do not likely to represent the entire population adequately. Despite this gap between ideal and reality, few studies have addressed this practical problem in macro malware. To enhance small training samples, data augmentation is efficient in the field of image recognition. Data augmentation with Generative Adversarial Networks (GANs) is a reasonable approach for oversampling the minority class. A major difficulty of GANs is to generate fake samples that represent the context. This paper attempts to generate fake text vectors with Paragraph Vector to enhance small training samples. Paragraph Vector is a model to convert text into vectors, which represents the context and numerical distance. These features allow to directly vary each element of the vectors. Our method adds random noise to the vectors to generate fake text vectors which represent the context. This paper applies this technique to detect new malicious VBA (Visual Basic for Applications) macros to address the practical problem. This generic technique could be used for not only malware detection, but also any imbalanced and contextual data. To simulate small training samples, we reduce the malicious samples, and generate fake samples from the reduced ones. The experimental result shows that the fake samples enhance our model, and improve the detection rate.
ISSN:2214-2126
DOI:10.1016/j.jisa.2020.102600