SAGMAD—a Signature Agnostic Malware Detection system based on binary visualisation and fuzzy sets

Betty Saridou, Joseph Ryan Rose, Stavros Shiaeles*, Basil Papadopoulos

*Corresponding author for this work

Research output: Contribution to journal › Article › peer-review


Abstract

Image conversion of byte-level data, or binary visualisation, is a relevant approach for security applications interested in detecting malicious activity. In practice, however, binary visualisation has always been seen to have serious limitations when dealing with large volumes of data, and it would be a reluctant candidate as the core building block of an intrusion detection system (IDS). This is due to the computational time required to process the flow of byte data into image format; machine intelligence solutions based on colour tone variations that are intended for pattern recognition would overtax the process further. In this paper, we aim to solve this issue by proposing a fast binary visualisation method that uses Fuzzy Set theory and the H-indexing space-filling curve. Our model can assign different colour tones to a byte, allowing it to be influenced by neighbouring byte values while preserving optimal locality indexing. With this work, we wish to establish the first steps in pursuit of a signature-free IDS. For our experiment, we used 5000 malicious and benign files of different sizes. Our methodology was tested on various platforms, including GRNET's High-Performance Computing services. Further improvements in computation time allowed larger files to convert in roughly 0.5 s in a desktop environment. Its performance was also compared with existing machine learning-based detection applications that used traditional binary visualisation. Despite the lack of optimal tuning, SAGMAD was able to achieve 91.94% accuracy, 90.63% precision, 92.7% recall, and an F-score of 91.61% on average when tested within previous binary visualisation applications and following their parameterisation scheme. The results exceeded those of malware file-based experiments and were similar to those of network intrusion applications. Overall, the results demonstrated here show our method to be a promising mechanism for a fast AI-based signature-agnostic IDS.
Original language: English
Article number: 1044
Number of pages: 26
Journal: Electronics
Volume: 11
Issue number: 7
DOIs
Publication status: Published - 26 Mar 2022

Keywords

  • intrusion detection system
  • binary visualisation
  • fuzzy logic
  • space-filling curves
  • pattern detection
  • malware detection
  • machine learning
  • security
