Article Open access Peer-reviewed

Detection of Data Scarce Malware Using One-Shot Learning With Relation Network

2023; Institute of Electrical and Electronics Engineers; Volume: 11; Language: English

10.1109/access.2023.3293117

ISSN

2169-3536

Authors

Faiza Babar Khan, Muhammad Hanif Durad, Asifullah Khan, Farrukh Aslam Khan, Sajjad Hussain Chauhdary, Mohammed A. Alqarni

Topic(s)

Advanced Malware Detection Techniques

Abstract

Malware has evolved to pose a major threat to information security. Efficient anti-malware software is essential in safeguarding confidential information from these threats. However, identifying malware continues to be a challenging task. Signature-based detection methods are quick but fail to detect unknown malware. Additionally, the traditional machine learning archetype requires a large amount of data to be effective, which hinders the ability of an anti-malware system to quickly learn about new threats with limited training samples. In a real-world setting, the majority of malware is found in the form of Portable Executable (PE) files. While there are various formats of PE files, samples of all formats, such as ocx, acm, com, scr, etc., are not readily available in large numbers. Therefore, building a conventional Machine Learning (ML) model with greater generalization for data-scarce PE formats becomes a hefty task. Consequently, in such a scenario, Few-Shot Learning (FSL) is helpful to detect the presence of malware, even with a very small number of training samples. FSL techniques help to make predictions based on an insufficient number of samples. In this paper, we propose a novel architecture based on the Relation Network for FSL implementation. We propose a Discriminative Feature Embedder for feature extraction. These extracted features are passed to our proposed Relation Module (RM) for similarity measurement. The RM produces the relation scores that lead to improved classification. We use Portable Executable (PE) file formats, i.e., ocx, acm, com and scr, after transforming them into images. We employ five-shot learning and then one-shot learning, which produce 93% accuracy with only one training instance. We observe that the proposed architecture outpaces the baseline method and provides enhanced accuracy by up to 94% with only one sample.
