Two-Stage Hybrid Malware Detection Using Deep Learning

Abstract

With the increasing number and variety of Internet of Things (IoT) devices supporting a wide range of services such as smart homes, smart transportation, and smart factories in smart cities, malware carrying various cybersecurity threats are rapidly increasing in terms of type and number. To protect IoT devices from cyberattacks, studies on malware detection using artificial intelligence are being conducted. However, with the emergence of IoT malware and their various evasion techniques, the probability of falsely detecting malware as benign is also increasing. In this study, we propose a two-stage hybrid malware detection (2MaD) scheme for the protection of IoT devices from obfuscated malware in a smart city setting. The 2-MaD consists of two stages of IoT malware detection. First, after performing static analysis, the opcode is extracted, and using the learned information through a bidirectional long short-term memory model, benign files are detected. In the next stage, a dynamic analysis is performed on files classified as benign in a nested virtual environment. After extracting information on behavior and process memory from the behavior log based on system changes, malware can be detected through the trained EfficientNet-B3 model.