A multiview learning method for malware threat hunting: windows, IoT and android as case studies

Malware remains a threat to our cyberspace and increasingly digitalized society. Current malware hunting techniques employ a variety of features, such as OpCodes, ByteCodes, and API calls, to distinguish malware from goodware. However, existing malware hunting approaches generally focus on a single particular view, such as using dynamic information or opcodes only. While single-view malware hunting systems may provide lean and optimized basis for detecting a specific type of malware, their performance can be significantly limited when dealing with other types of malware; thus, making it trivial for an advanced attacker to develop malware that simply obfuscates features monitored by a single-view malware detection system. To address these limitations, we propose a multi-view learning method that uses multiple views including OpCodes, ByteCodes, header information, permission, attacker’s intent and API call to hunt malicious programs. Our system automatically assigns weights to different views to optimize detection in different environment. Using experiments conducted on various Windows, Android and Internet of Things (IoT) platforms, we demonstrate that our method offers high accuracy with a low false positive rate on these case study platforms. Moreover, we also investigate the robustness of detection against weak views (features with low power of discrimination). The proposed method is the first malware threat hunting method that can be applied to different platforms, at the time of this research, and it is considerably difficult for attackers to evade detection (since it requires attackers to obfuscate multiple different views).