A Kullback-Liebler divergence-based representation algorithm for malware detection

Faitouri A Aboaoja; Anazida Zainal; Fuad A Ghaleb; Norah Saleh Alghamdi; Faisal Saeed; Husayn Alhuwayji

doi:10.7717/peerj-cs.1492

A Kullback-Liebler divergence-based representation algorithm for malware detection

PeerJ Comput Sci. 2023 Sep 22:9:e1492. doi: 10.7717/peerj-cs.1492. eCollection 2023.

Authors

Faitouri A Aboaoja^{1

2}, Anazida Zainal³, Fuad A Ghaleb¹, Norah Saleh Alghamdi³, Faisal Saeed⁴, Husayn Alhuwayji⁵

Affiliations

¹ Faculty of Computing, Universiti Teknologi Malaysia, Johor Baru, Johor, Malaysia.
² Faculty of Education-Elgobbah, University of Derna, Libya, Elgobbah, Barka, Libya.
³ Department of Computer Sciences, College of Computer and Information Sciences, Princess Nourah Bint Abdulrahman University, Riyadh, Saudi Arabia.
⁴ DAAI Research Group, Department of Computing and Data Science, School of Computing and Digital Technology, Birmingham City University, Birmingham, UK.
⁵ Higher Institute of Science and Technology, Qarabulli, Higher Institute of Science and Technology, Qarabulli, Tripoli, Libya.

Abstract

Background: Malware, malicious software, is the major security concern of the digital realm. Conventional cyber-security solutions are challenged by sophisticated malicious behaviors. Currently, an overlap between malicious and legitimate behaviors causes more difficulties in characterizing those behaviors as malicious or legitimate activities. For instance, evasive malware often mimics legitimate behaviors, and evasion techniques are utilized by legitimate and malicious software.

Problem: Most of the existing solutions use the traditional term of frequency-inverse document frequency (TF-IDF) technique or its concept to represent malware behaviors. However, the traditional TF-IDF and the developed techniques represent the features, especially the shared ones, inaccurately because those techniques calculate a weight for each feature without considering its distribution in each class; instead, the generated weight is generated based on the distribution of the feature among all the documents. Such presumption can reduce the meaning of those features, and when those features are used to classify malware, they lead to a high false alarms.

Method: This study proposes a Kullback-Liebler Divergence-based Term Frequency-Probability Class Distribution (KLD-based TF-PCD) algorithm to represent the extracted features based on the differences between the probability distributions of the terms in malware and benign classes. Unlike the existing solution, the proposed algorithm increases the weights of the important features by using the Kullback-Liebler Divergence tool to measure the differences between their probability distributions in malware and benign classes.

Results: The experimental results show that the proposed KLD-based TF-PCD algorithm achieved an accuracy of 0.972, the false positive rate of 0.037, and the F-measure of 0.978. Such results were significant compared to the related work studies. Thus, the proposed KLD-based TF-PCD algorithm contributes to improving the security of cyberspace.

Conclusion: New meaningful characteristics have been added by the proposed algorithm to promote the learned knowledge of the classifiers, and thus increase their ability to classify malicious behaviors accurately.

Keywords: Evasion techniques; Feature engineering; Feature representation techniques; Machine learning-based malware detection models; TF-IDF technique.

Grants and funding

This research work is funded by the Princess Nourah bint Abdulrahman University Researchers Supporting Project (PNURSP2023R40), Princess Nourah bint Abdulrahman University, Riyadh, Saudi Arabia. The funders had no role in study design, data collection and analysis, decision to publish, or preparation of the manuscript.