Malware visualization methods based on deep convolution neural networks
- Source: Multimedia Tools and Applications. 79:10975-10993
- Publication Year: 2019
- Publisher: Springer Science and Business Media LLC, 2019.
Abstract
- In this paper, we propose two visualization methods for malware analysis based on n-gram features of byte sequences. The space filling curve mapping (SFCM) method uses fractal curves to visualize the one-gram features of byte sequences, i.e. malware files themselves, and distinguishes the printable characters from non-printable ones by different colors. This method addresses the issues that the existing methods cannot interactively locate characters and avoid the risk of the Decompression Bomb attack caused by large malware. The Markov dot plot (MDP) method visualizes the bi-gram features and their statistical information of byte sequences as the coordinates and brightness of the pixels and solves the problem that the relocation of code sections or the addition of redundant information helps malware escape the global image detection. The two methods are applied to the Microsoft malware samples (BIG 2015 | Kaggle) and their visualized results are learned by the deep convolution networks to extract image features used for classification by SVM (support vector machine). In terms of malware classification, our methods obtained 98.36% and 99.08% classification accuracy, respectively. We also visualized the benign PE (portable executable) files in the Windows OS and verified them with the above malware set. In terms of malware detection, the two methods obtained 99.21% and 98.74% detection accuracy, respectively. These results are better than the existing grayscale method.
- Subjects :
- Artificial neural network
Computer Networks and Communications
Computer science
020207 software engineering
Pattern recognition
02 engineering and technology
Hardware and Architecture
0202 electrical engineering, electronic engineering, information engineering
Media Technology
Microsoft Windows
Malware
Artificial intelligence
Malware analysis
Software
Portable Executable
Details
- ISSN: 15737721 and 13807501
- Volume: 79
- Database: OpenAIRE
- Journal: Multimedia Tools and Applications
- Accession number: edsair.doi...........2c80bba4cbaa55725ea4b60eedb9c11b
- Full Text: https://doi.org/10.1007/s11042-019-08310-9