A Multi-Leveled Approach and its Application in Classifying Malware Programs using Multiple Sources of Telemetry Data

We use features obtained from both compiled and disassembly files, provided for each malware program in the BIG 2015 dataset, to classify the said malware programs. The HEX codes in the compiled files are represented as images and the Latent Dirichlet Allocation (LDA) algorithm is used to represent documents of opcodes, with the opcodes extracted from the disassembly files, as weighted mixtures of LDA generated topics. For classification of the malware programs, we propose a Multi-Layer Perceptron (MLP) based system that consists of two serially connected levels, with each level only accepting one type of feature as input. The first level takes in the malware image features exclusively. Its output and the LDA topic weight features are then fed into the second level, which finally outputs the classification predictions. Using backpropagation, the MLPs at both levels are trained by minimizing the cross entropy loss based on the second level's classification predictions. On a held-out, test set containing 25% of malware programs randomly sampled along class lines from the labeled set of the BIG 2015 dataset, we get a 98.9% classification accuracy using our proposed classification system.