International Research Journal of Engineering and Technology (IRJET) e-ISSN: 2395-0056

Volume: 07 Issue: 05 | May 2020 www.irjet.net p-ISSN: 2395-0072

Detecting Malware using Deep Learning Model

Shalini Mahalunge1, Iftesam Shaikh2, Vaishakhi Kabir3, Diksha Tiwary4, Prashant Lokhande5
1,2,3,4Student, Dept. .of Computer Engineering, Pillai College of Engineering, Maharashtra, India
5Professor, Dept. of Computer Engineering, Pillai College of Engineering, Maharashtra, India
-------------------------------------------------------------------------***---------------------------------------------------------------------
Abstract - This project demonstrates an approach to detect samples, which may not be a large enough sample to
malware targeted at Microsoft windows. When we accurately generalise these results to the full in- the-wild
download any software or file from unknown links it may population of boot sector infections In 2001, Schultz et
inject malware to the system. These malwares that al[1]. compared various ML methods against each other and
originates from these sites may travel around the internet against a signature based technique in the accuracy of their
and land on an innocent users computer redirecting their binary classification of Windows executables as benign or
browsing experience to these sites. So to prevent systems malware.[1]
from such threats we are implementing a project which will B. Malware Detector Using Naive Bayes
detect the files which has malware. With the help of this
project user can get prior knowledge of malware file and he Their most successful method was an ensemble of Naive
will not execute it. This project demonstrates a novel Bayes classifiers trained on the raw bytes of the executable
files, which achieved a 97.76% malware detection rate,
approach to detecting ransomware targeted at Microsoft
nearly 3 times more accurate than the signature method
Windows, combining 2 deep learning neural network
which was evaluated at just 33.75% Again the number of
classifiers to create an ensemble, taking files as input in sample files used, only 3622, was likely not enough to
Microsoft’s standard PE file format, such as those with a accurately generalize these results to the full population of
‘.exe’ file extension, and returning a prediction of the file in-the-wild malware, estimated to be around 50,000
belonging to 1 of 3 classes: benign, generic malware, or executables at the time (Microsoft, 2012, 26).[2]
ransomware. The model’s ability to distinguish between
ransomware and other forms of malware allows it to be C. Deep Android Malware Detection and
applied as an extension to an existing malware detection Classification
system such as anti-virus software. Vinayakumar et al.[3] had similar success in using the
frequency of API calls to train ML models, but found that a
Key Words: Ransomware, ensemble, benign, Malware. type of DLNN (Deep Learning Neural Network) called an
MLP (Multi-Layer Perceptron) achieved greater accuracy
1. INTRODUCTION than an SVM in both multi-class (98%) and binary (100%)
classification of executable files as either benign or
This project aimed to detect ransom ware using an belonging to 1 of 7 different families of ransomware. This
ensemble of ML (Machine Learning) classifiers, classifying study however, like many recent investigations into ML for
Windows executable files as belonging to 1 of 3 possible ransomware detection, used a small sample, just 974
classes: benign, malware, or ransom ware. The model can executable files.[3]
be used in practice to identify ransom ware on a user’s
machine, or can be integrated into an existing AV (Anti- D. Deep Android Malware Detection
Virus) system to facilitate or improve its ability to Due to security concerns and time requirements this
distinguish between ransom ware and other types of project takes a static approach to malware analysis, as
malware. opposed to a dynamic approach. Static malware analysis
uses features from within the contents of executable files,
2. LITERATURE REVIEW whereas dynamic analysis relies on recording the
behaviours of software during its
A. Application of ML for Detecting Malware
In this paper ANN (Artificial Neural Network)to detect
viral infections of the boot sector of HDDs (Hard Disk
Drives), reporting an 82% detection rate on test
samples unseen in the model’s training, though only
training on a total of 195

© 2020, IRJET | Impact Factor value: 7.529 | ISO 9001:2008 Certified Journal | Page3162
 International Research Journal of Engineering and Technology (IRJET) e-ISSN: 2395-0056
Volume: 07 Issue: 05 | May 2020 www.irjet.net p-ISSN: 2395-0072

execution, typically within a contained environment such format is employed for EXE, DLL, SYS (device driver), and
as a sandbox or virtual machine. There are 4 features that other file types. The Extensible Firmware Interface (EFI)
can be seen frequently being extracted from Windows
specification states that PE is that the standard executable
executables within research into automating static
analysis of malware using ML: bytes, opcodes, strings, and format in EFI environment
metadata encoded in PE files.[4]
B. PE header: The following list describes the Microsoft
3. PROPOSED WORK
PE executable format, with the base of the image header
This project aimed to detect ransom ware using an at the top. The section from the MS-DOS 2.0 Compatible
ensemble of ML (Machine Learning) classifiers, classifying EXE Header through to the unused section just before the
Windows executable files as belonging to 1 of 3 possible PE header is that the MS-DOS 2.0 Section, and is
classes: benign, malware, or ransom ware. The hope is employed for MS-DOS compatibility only.
that by releasing source code to the public, the model can
be used in practice to identify ransom ware on a user’s ● MS-DOS 2.0 Compatible EXE Header
machine, or can be integrated into an existing AV (Anti-
● unused
Virus) system to facilitate or improve its ability to
distinguish between ransom ware and other types of ● OEM Identifier
malware.
● OEM Information
3.1 System Architecture
● Offset to PE Header
The system architecture is given in Figure 1. Each block is
described in this Section. ● PE Header (aligned on 8-byte boundary)

● Section Headers

C. Learning Algorithms: Deep learning uses layers of

neural- network algorithms to decipher higher-level
data at alternative layers supported raw input file.
Neural networks will facilitate cluster points at intervals
an oversized sample of knowledge supported the
similarities of its options, classify knowledge supported
labels from previous knowledge, and extract distinct
options from knowledge. The numerical patterns these
networks acknowledge are kept in vectors that depict
real-world inputs. Deep neural networks may be thought
of as elements of larger machine- learning applications
involving algorithms for reinforcement learning,
Fig. 1 Proposed system architecture
classification, and regression. Deep learning uses self-
A. PE File: The Portable Executable (PE) format may be taught learning and algorithmic program constructs
a file format for executable, code, DLLs, FON Font files, et with several hidden layers, big data, and powerful
al. utilized in 32-bit and 64-bit versions of Windows machine resources. The recursive framework is named
operating systems. The PE format may be an arrangement the neural network, whereas the hidden layers within
that encapsulates the knowledge necessary for the the network provides it the appellation of deep learning.
Windows OS loader to manage the wrapped executable The Google Brain Team project and deep learning
code. This includes dynamic library references for linking, computer code like TensorFlow have
API export and import tables, resource management data
and thread- local storage (TLS) data. On NT operating
systems, the PE

© 2020, IRJET | Impact Factor value: 7.529 | ISO 9001:2008 Certified Journal | Page3163
 International Research Journal of Engineering and Technology (IRJET) e-ISSN: 2395-0056
Volume: 07 Issue: 05 | May 2020 www.irjet.net p-ISSN: 2395-0072

given more traction to the event of deep learning Processor Pentium IV & above
techniques. Such techniques are supported
mathematical functions and parameters for achieving HDD 250 GB
the specified output.
RAM 1 GB
D. Classification results: The deciliter ensemble
model developed during this project automates static
analysis and classification of Windows feasible files as 5. IMPLEMENTATION
either benign, malware, or ransom ware, with a high Obtain samples of ransom ware, other malware, and
degree of accuracy. The model is incontestable to benign Windows Portable Executable (PE) files. Labeled
accurately classify 3000 files unseen in its coaching, by multiple antiviruses. Gathering at least 10,000
suggesting generalizability to sleuthing malware and samples of each class, though more will be required if
ransom ware within the this volume proves too small to train an accurate
machine learning (ML) model. Extract UTF-
wild. For end-users of an easy terminal program 8 strings encoded in the binary contents of the sample
developed for ransom ware detection as a part of this files and build a numerical model of the strings extracted
project, it's vital to the safety of their or their from all training samples. The same process will be
applied to the opposes of assembly code disassembled
organizations devices that the excellence between
from the binary contents of the executable files, as well
benign and malicious files is correct, and then this was as imported library names and exported function /
tested to be ninety eight correct on the set of 3000 library names extracted from the import and export
unseen samples. Jewish calendar month developers and sections of the PE files. Train a variety of machine
security researchers will use, and re-use the ensemble learning classification models on a subset of the sample
model in their own systems, and retrain the models data and compare their accuracy in labeling another
with a bigger dataset and newer samples to take care of subset of the sample data that the models are not shown
in training, finding the most accurate models for
its ability to classify in-the-wild executable.
classifying the unseen sample data. Implement the
machine learning classification model in a user- friendly,
4. REQUIREMENT ANALYSIS
GUI featured, compiled executable program that allows
The implementation detail is given in this section. users to select and analyses multiple files. This program
will report back the model’s estimated probabilities for
4.1 Software the files’ being ransom ware; other forms of malware, or
The minimal software requirement is given in Table benign software, and will allow the user to delete these
1. Table 1 minimal Software requirement files and report them to a popular public malware
repository. Evaluate the accuracy, usability, and source
Operating System Linux/Windows disk encryption.applicability of the solution to real-
Programming Python world problems, and compare it to similar existing
Language solutions.

4.2 Hardware 5.1 Reflective Analysis:

The minimal Hardware requirement is given in Table Discovery of model architectures and data
representations which would lead to high validation
2. Table 2 minimal Hardware requirement accuracy was far more time consuming and challenging
than anticipated, with many approaches not even
achieving training accuracy better than the ~33%
baseline achieved by random guessing. It challenged me
to learn and practice many new skills in data mining, pre-
processing, and development and testing of DLNNs.
Once the architectures had

© 2020, IRJET | Impact Factor value: 7.529 | ISO 9001:2008 Certified Journal | Page3164
 International Research Journal of Engineering and Technology (IRJET) e-ISSN: 2395-0056
Volume: 07 Issue: 05 | May 2020 www.irjet.net p-ISSN: 2395-0072

been designed and implemented that achieved high [8] SM Reasor, AJ Newman, RA Franczyk, J Garms,
validation accuracy, the results of their performance in 2010 driven Malware Detector(2010).
classifying unseen test data were surprisingly
impressive, at 96% test accuracy for the ensemble model, [9] Shabtai et al, Uri Kapoor, Yuval Elovici, 2009, A
considering their ability to compete with contemporary Behavioral Malware Detection Framework for Android
research in the field which is often performed by teams Devices(2009).
of academics. And the test accuracy was even more
impressive when the ensemble model was adapted to [10] Nwokedi Idika, Aditya Mathur 2007, Malware
perform binary classification of executable as either Detection Technique(2007).
benign or malicious, calculated at 98%, which is the most
critical distinction for end-users of the model who are
using it to decide whether or not a Windows program is
safe to execute.

6. CONCLUSION
So we are implementing the deep learning model which
will detect if there is malware in selected file.
For that we have to download an .exe file or we can try
with existing file also by uploading it.
We have used a deep learning model to verify among the
.exe files.
Convolution neural network is one of the deep learning
model we have used.
7. REFERENCES

[1] Kephart et al (1995)”Application of ML for

detecting malware”.

[2] Schultz et al (2001, 10)”Malware Detector using

Naive Bayes”.

[3] Vinayakumar et al, K.P. Soman, Prabaharan

Poornachandran(2017)”Deep android malware
detection and classification”.

[4] Shabtai et al,Uri Kanonov, Yuval Elovici

(2009)”Deep android malware detection and
classification”.

[5] N Scaife, H Carter, P Traynor,2016,

Cryptolock(and drop it):stopping ransomware attacks
on user data(2016).

[6] MQ Li, B Fung, P Charland, SHH Ding, 2019, “A

Novel Interpretable Malware Detector Using
Hirarchical Transformer”.

[7] S Mohurle, M Patil, 2017, A brief study of

wannacry threat:Ransomware attack (2017).

© 2020, IRJET | Impact Factor value: 7.529 | ISO 9001:2008 Certified Journal | Page3165