UPM Institutional Repository

Convolutional Long Short-Term Memory for fileless malware detection


Citation

Kareegalan, Kunaprasan (2024) Convolutional Long Short-Term Memory for fileless malware detection. Masters thesis, Universiti Putra Malaysia.

Abstract

In the realm of cybersecurity, the rise of fileless malware presents a significant challenge to endpoint security. Traditional malware detection methods often fall short against these sophisticated attacks, necessitating the use of advanced techniques such as deep learning models. This study addresses the limitations of Bi-Directional Long Short-Term Memory (BLSTM) models in dynamic malware analysis and proposes enhancements through the Convolutional Long Short-Term Memory (ConvLSTM) architecture. BLSTM models are commonly used in dynamic malware analysis, where they process input sequences in both forward and backward directions, combining the results into a single output. This dual-layer approach enhances the model's ability to analyze data from multiple perspectives. However, the process is time-consuming, potentially increasing the window for successful fileless malware attacks. A key limitation of BLSTM models is the lack of parameter sharing between the forward and backward directions. This absence of shared parameters can restrict the model's ability to capture spatial and temporal features simultaneously, potentially reducing its effectiveness in detecting fileless malware attacks. To address these challenges, this study introduces the ConvLSTM model, which optimizes malware analysis by consolidating feature extraction within a single LSTM cell layer. ConvLSTM employs a two-dimensional approach, breaking down samples into subsequences and leveraging timesteps for additional feature extraction. This strategy enables the analysis of spatial-temporal data, enhancing the prediction accuracy of true malware instances. Unlike traditional LSTM models, ConvLSTM integrates convolutional layers within its architecture, allowing for parameter sharing across both spatial and temporal dimensions. This approach reduces computational complexity and improves the model's performance in understanding multidimensional data structures.
The research involved re-simulating existing work with the BLSTM model using the same malware dataset. The Spyder app was used to run the event simulator, and the results from previous work were replaced with those from the ConvLSTM model, applying the same parameters. Time, accuracy, and loss were selected as the primary performance metrics to assess the model's effectiveness. The ConvLSTM model demonstrated superior performance in detecting fileless malware, achieving a detection accuracy of 98% compared to BLSTM's 90%. ConvLSTM also significantly reduced processing time, averaging 10 seconds per completion, while BLSTM took 22 seconds. Furthermore, ConvLSTM experienced lower losses, averaging 10% per epoch compared to BLSTM's 20%. In conclusion, ConvLSTM represents a promising advancement in fileless malware detection, offering superior performance over traditional BLSTM models. Its ability to accurately identify and swiftly mitigate threats, coupled with enhanced computational efficiency, makes it a robust solution for fortifying endpoint security against evolving cyber threats. As the cybersecurity landscape continues to evolve, ConvLSTM holds significant potential in bolstering defense mechanisms against sophisticated malware attacks, providing a proactive approach to safeguarding enterprise networks and data assets.


Download File: 119873.pdf (936kB)
Official URL or Download Paper: http://ethesis.upm.edu.my/id/eprint/18482

Additional Metadata

Item Type: Thesis (Masters)
Subject: Malware (Computer programs)
Subject: Computer security
Subject: Artificial intelligence (Computer science)
Call Number: FSKTM 2024 9
Chairman Supervisor: Aziah binti Asmawi, PhD
Divisions: Faculty of Computer Science and Information Technology
Keywords: Fileless Malware Detection, Convolutional LSTM (ConvLSTM), Bi-Directional LSTM (BLSTM), Cybersecurity & Dynamic Malware Analysis
Depositing User: Ms. Rohana Alias
Date Deposited: 09 Oct 2025 04:19
Last Modified: 09 Oct 2025 04:19
URI: http://psasir.upm.edu.my/id/eprint/119873