
MCPDS: image-based malware classification method using PE metadata alone

Abstract

In response to the increasing threat posed by the exponential growth of malware in cybersecurity, researchers have developed a number of malware classification methods based on malware images and deep learning in recent years. Newly proposed methods of this type tend to focus on generating malware images by extracting multiple types of information from a PE file, as well as on using complex convolutional neural network (CNN) models, to achieve high classification accuracy. Methods that involve extracting multiple types of information, especially those that require file disassembly for acquisition and the subsequent use of complex CNN models, result in a lengthy process for generating malware images and significantly increase model training durations. To alleviate this problem, we adopt the idea of using only a small part of the content that can be easily extracted from a PE file to efficiently generate a malware image, and implement malware classification without relying on complex CNN models. As a key component of a PE file, the PE header and the section table (we call them PE metadata) are characterized by a relatively low byte count and are likely to be useful for malware classification according to the similarities observed in the PE metadata between malware from both the same family and different families. Therefore, in this work, we explore the feasibility of using PE metadata alone to generate an image for malware classification and propose an Image of PE metadata (IPM) generated from PE metadata to represent malware. Based on the proposed IPM, we then construct a shallow CNN model and combine it with a support vector machine classifier to introduce a novel malware classification method called MCPDS (Malware Classification method using PE metadata, Deep learning and Support vector machine). The experimental results show that the MCPDS not only achieves high accuracy in terms of classifying malware on two malware datasets but also exhibits high efficiency in terms of image generation and good robustness against adversarial samples.

Related Results

Dynamic Features for Robust Malware Detection: A Systematic Review, Taxonomy, and Practical Analysis Framework
The need to mitigate malware attacks cannot be overemphasized, as they pose serious threats to the critical information assets in cyberspace. Understanding and utilizing appropriat...

Literature Review on Metadata Governance
The framework of metadata governance is a subset of the primary data governance framework implementation within an enterprise. Metadata management helps identify data provenance an...

Ontomet
Proper description of data, or metadata, is important to facilitate data sharing among Geospatial Information Communities. To avoid the production of arbitrary metadata annotations...

An optimal deep learning-based framework for the detection and classification of android malware
The use of smartphones is increasing rapidly and the malicious intrusions associated with it have become a challenging task that needs to be resolved. A secure and effective techn...

Malware and Windows APIs: A Dangerous Duo
This paper introduces its interaction with malware and Windows APIs (application programming interface). The first section describes malware and investigates various types such as ...

Android Malware Detection Techniques: A Literature Review
Objective: This paper provides the basics of Android malware, its evolution and tools and techniques for malware analysis. Its main aim is to present a review of the literature on ...

AndroDex: Android Dex Images of Obfuscated Malware
Abstract: With the emergence of technology and the usage of a large number of smart devices, cyber threats are increasing. Therefore, research studies have shifted their attention to...
