Using Four Modalities for Malware Detection Based on Feature Level and Decision Level Fusion

Abstract

This paper is focused on multimodal approaches to malware detection, which have not been explored widely in related works. We use static code-based features and dynamic power-based, network traffic-based, and system log-based features, and propose multimodal approaches that use feature level and decision level fusion. Our findings include: (1) For all considered learners, power-based features alone were very good predictors; some learners performed well using only network traffic-based features. (2) For most standard supervised learning algorithms, feature level fusion improved all performance metrics. If Recall is the highest priority, Random Forest or J48 with feature level fusion should be selected. (3) The proposed deep neural network with decision level fusion had lower Recall, but higher Precision and (1-FPR) values, which led to comparable F-score and better G-score than the Random Forest with feature level fusion. In addition to improving classification performance, multimodal approaches make malware evasion of detection much harder.

Cite

Hernández Jiménez, J. M., & Goseva-Popstojanova, K. (2020). Using Four Modalities for Malware Detection Based on Feature Level and Decision Level Fusion. In Advances in Intelligent Systems and Computing (Vol. 1151 AISC, pp. 1383–1396). Springer. https://doi.org/10.1007/978-3-030-44041-1_117
