Navigating concept drift and packing complexity in malware family classification

Numan Halit Guldemir; Oluwafemi Olukoya; Jesús  Martínez-del-Rincón

Navigating concept drift and packing complexity in malware family classification

School of Electronics, Electrical Engineering and Computer Science

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

192 Downloads (Pure)

Abstract

In the rapidly evolving landscape of cybersecurity, classification of malware families presents significant challenges due to the dynamic nature of malware, a phenomenon known as concept drift. In this research, we classify Windows PE malware families using static analysis of raw opcode sequences. By leveraging Convolutional Neural Networks (CNNs) to extract unique features from these sequences, our approach achieves high classification accuracy rates of 98.20% and 89.55% on the Microsoft Malware Classification Challenge and BODMAS datasets, respectively. We also conducted a temporal analysis on BODMAS over a 13-month period to observe the evolution of malware families and identify periods where our model’s accuracy decreases. We implemented a retraining strategy, allowing us to observe how retraining the model with new data helps it adapt to new malware patterns. The study also examined the impact of packed malware and different types of packers on the model’s performance. Our findings indicate that packed malware significantly affects the model’s accuracy, with some packers having a more pronounced impact than others. These results underscore the importance of regular model updates and specialized handling of packed malware to maintain robust detection capabilities.

Original language	English
Title of host publication	Conference on Applied Machine Learning for Information Security (CAMLIS 2024): Proceedings
Publisher	CEUR-WS
Pages	129-144
Number of pages	15
Volume	3920
Publication status	Published - 09 Feb 2025
Event	Conference on Applied Machine Learning for Information Security - Arlington, United States Duration: 24 Oct 2024 → 25 Oct 2024 Conference number: 2024 https://www.camlis.org/

Publication series

Name	CEUR Workshop Proceedings
Volume	3920
ISSN (Print)	1613-0073

Conference

Conference	Conference on Applied Machine Learning for Information Security
Abbreviated title	CAMLIS
Country/Territory	United States
City	Arlington
Period	24/10/2024 → 25/10/2024
Internet address	https://www.camlis.org/

Keywords

concept drift
packing complexity
malware family classification

Access to Document

Navigating concept drift and packing complexity in malware family classification
Copyright 2024 The Authors. This is an open access conference proceedings published under a Creative Commons Attribution License (https://creativecommons.org/licenses/by/4.0/), which permits unrestricted use, distribution and reproduction in any medium, provided the author and source are cited.
Final published version, 1.55 MBLicence: CC BY

https://ceur-ws.org/Vol-3920/Licence: CC BY

Cite this

@inproceedings{5071289d62e74ec8a037b2a26e8c9396,

title = "Navigating concept drift and packing complexity in malware family classification",

abstract = "In the rapidly evolving landscape of cybersecurity, classification of malware families presents significant challenges due to the dynamic nature of malware, a phenomenon known as concept drift. In this research, we classify Windows PE malware families using static analysis of raw opcode sequences. By leveraging Convolutional Neural Networks (CNNs) to extract unique features from these sequences, our approach achieves high classification accuracy rates of 98.20\% and 89.55\% on the Microsoft Malware Classification Challenge and BODMAS datasets, respectively. We also conducted a temporal analysis on BODMAS over a 13-month period to observe the evolution of malware families and identify periods where our model{\textquoteright}s accuracy decreases. We implemented a retraining strategy, allowing us to observe how retraining the model with new data helps it adapt to new malware patterns. The study also examined the impact of packed malware and different types of packers on the model{\textquoteright}s performance. Our findings indicate that packed malware significantly affects the model{\textquoteright}s accuracy, with some packers having a more pronounced impact than others. These results underscore the importance of regular model updates and specialized handling of packed malware to maintain robust detection capabilities. ",

keywords = "concept drift, packing complexity, malware family classification",

author = "Guldemir, \{Numan Halit\} and Oluwafemi Olukoya and Jes{\'u}s Mart{\'i}nez-del-Rinc{\'o}n",

year = "2025",

month = feb,

day = "9",

language = "English",

volume = "3920",

series = "CEUR Workshop Proceedings",

publisher = "CEUR-WS",

pages = "129--144",

booktitle = "Conference on Applied Machine Learning for Information Security (CAMLIS 2024): Proceedings",

note = "Conference on Applied Machine Learning for Information Security, CAMLIS ; Conference date: 24-10-2024 Through 25-10-2024",

url = "https://www.camlis.org/",

}

Guldemir, NH , Olukoya, O & Martínez-del-Rincón, J 2025, Navigating concept drift and packing complexity in malware family classification. in Conference on Applied Machine Learning for Information Security (CAMLIS 2024): Proceedings. vol. 3920, CEUR Workshop Proceedings, vol. 3920, CEUR-WS, pp. 129-144, Conference on Applied Machine Learning for Information Security, Arlington, Virginia, United States, 24/10/2024. <https://ceur-ws.org/Vol-3920/>

Navigating concept drift and packing complexity in malware family classification. / Guldemir, Numan Halit ; Olukoya, Oluwafemi ; Martínez-del-Rincón, Jesús .
Conference on Applied Machine Learning for Information Security (CAMLIS 2024): Proceedings. Vol. 3920 CEUR-WS, 2025. p. 129-144 (CEUR Workshop Proceedings; Vol. 3920).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

TY - GEN

T1 - Navigating concept drift and packing complexity in malware family classification

AU - Guldemir, Numan Halit

AU - Olukoya, Oluwafemi

AU - Martínez-del-Rincón, Jesús

N1 - Conference code: 2024

PY - 2025/2/9

Y1 - 2025/2/9

N2 - In the rapidly evolving landscape of cybersecurity, classification of malware families presents significant challenges due to the dynamic nature of malware, a phenomenon known as concept drift. In this research, we classify Windows PE malware families using static analysis of raw opcode sequences. By leveraging Convolutional Neural Networks (CNNs) to extract unique features from these sequences, our approach achieves high classification accuracy rates of 98.20% and 89.55% on the Microsoft Malware Classification Challenge and BODMAS datasets, respectively. We also conducted a temporal analysis on BODMAS over a 13-month period to observe the evolution of malware families and identify periods where our model’s accuracy decreases. We implemented a retraining strategy, allowing us to observe how retraining the model with new data helps it adapt to new malware patterns. The study also examined the impact of packed malware and different types of packers on the model’s performance. Our findings indicate that packed malware significantly affects the model’s accuracy, with some packers having a more pronounced impact than others. These results underscore the importance of regular model updates and specialized handling of packed malware to maintain robust detection capabilities.

AB - In the rapidly evolving landscape of cybersecurity, classification of malware families presents significant challenges due to the dynamic nature of malware, a phenomenon known as concept drift. In this research, we classify Windows PE malware families using static analysis of raw opcode sequences. By leveraging Convolutional Neural Networks (CNNs) to extract unique features from these sequences, our approach achieves high classification accuracy rates of 98.20% and 89.55% on the Microsoft Malware Classification Challenge and BODMAS datasets, respectively. We also conducted a temporal analysis on BODMAS over a 13-month period to observe the evolution of malware families and identify periods where our model’s accuracy decreases. We implemented a retraining strategy, allowing us to observe how retraining the model with new data helps it adapt to new malware patterns. The study also examined the impact of packed malware and different types of packers on the model’s performance. Our findings indicate that packed malware significantly affects the model’s accuracy, with some packers having a more pronounced impact than others. These results underscore the importance of regular model updates and specialized handling of packed malware to maintain robust detection capabilities.

KW - concept drift

KW - packing complexity

KW - malware family classification

M3 - Conference contribution

VL - 3920

T3 - CEUR Workshop Proceedings

SP - 129

EP - 144

BT - Conference on Applied Machine Learning for Information Security (CAMLIS 2024): Proceedings

PB - CEUR-WS

T2 - Conference on Applied Machine Learning for Information Security

Y2 - 24 October 2024 through 25 October 2024

ER -

Navigating concept drift and packing complexity in malware family classification

Abstract

Publication series

Conference

Keywords

Access to Document

Fingerprint

Cite this