Detailed Information

Cited 1 time in Web of Science; cited 2 times in Scopus

TMaD: Three-tier malware detection using multi-view feature for secure convergence ICT environments

Authors
Jeon, Jueun; Jeong, Byeonghui; Baek, Seungyeon; Jeong, Young-Sik
Issue Date
Feb-2025
Publisher
John Wiley & Sons Ltd
Keywords
cloud-fog-edge collaborative; convergence ICT; deep learning; malware detection; multi-view feature; signature-based malware detection
Citation
Expert Systems, v.42, no.2
Indexed
SCIE
SCOPUS
Journal Title
Expert Systems
Volume
42
Number
2
URI
https://scholarworks.dongguk.edu/handle/sw.dongguk/22811
DOI
10.1111/exsy.13684
ISSN
0266-4720
1468-0394
Abstract
As digital transformation accelerates, data generated in a convergence information and communication technology (ICT) environment must be secured. This data includes confidential information such as personal and financial information, so attackers spread malware in convergence ICT environments to steal this information. To protect convergence ICT environments from diverse cyber threats, deep learning models have been utilized for malware detection. However, accurately detecting rapidly generated variants and obfuscated malware is challenging. This study proposes a three-tier malware detection (TMaD) scheme that utilizes a cloud-fog-edge collaborative architecture to analyse multi-view features of executable files and detect malware. TMaD performs signature-based malware detection at the edge device tier, then sends executables detected as unknown or benign to the fog tier. The fog tier conducts static analysis on non-obfuscated executables and those transferred from the previous tier to detect variant malware. Subsequently, TMaD sends executables detected as benign in the fog tier to the cloud tier, where dynamic analysis is performed on obfuscated executables and those detected as benign to identify obfuscated malware. An evaluation of TMaD's detection performance resulted in an accuracy of 94.78%, a recall of 0.9794, a precision of 0.9535, and an f1-score of 0.9663. This performance demonstrates that TMaD, by analysing executables across several tiers and minimizing false negatives, exhibits superior detection performance compared to existing malware detection models.
Appears in Collections
College of Police and Criminal Justice > Department of Police Administration > 1. Journal Articles


Related Researcher

Jeong, Young Sik
College of Advanced Convergence Engineering (Department of Computer Science and Artificial Intelligence)