We design a classifier for transactional datasets with an application in malware detection. The classifier is built on the minimum description length (MDL) principle: for each class, we select the model that best compresses that class's training dataset under the MDL criterion. To select a model for a dataset, we first apply clustering and then closed frequent pattern mining to extract a subset of the closed frequent patterns (CFPs). We show that this step acts as a pattern summarization method that avoids pattern explosion: it gives priority to longer CFPs and does not require all CFPs to be extracted. We then apply the MDL criterion to summarize the extracted patterns further and construct a code table of patterns. This code table is the selected model for compressing the dataset. We evaluate the classifier on static malware detection in portable executable (PE) files, using the API calls of a PE file as its distinguishing features; the presence or absence of each API call forms a transactional dataset. With the proposed method we construct two code tables, one from the benign training dataset and one from the malware training dataset. Our dataset consists of 19696 benign and 19696 malware samples, each a binary sequence of size 22761. We compare our classifier with deep neural networks, which provide state-of-the-art performance, and the comparison shows that our classifier performs very close to them. We also discuss that our classifier is interpretable, which motivates its use wherever some explanation is required of why a sample is assigned to one class rather than the other.
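To make the pipeline concrete, the following added example (not the paper's code) implements a small Krimp-style version of it: closed frequent pattern mining over a toy transactional dataset, greedy MDL selection of a code table per class, and classification by which class's table compresses a sample into fewer bits. The feature names, the two training sets and the test samples are all constructed for illustration and stand in for API-call presence features; the paper's clustering stage is omitted, and the unseen-feature penalty and Laplace smoothing are this example's assumptions.

```python
import math
from itertools import combinations
from collections import Counter

# Constructed toy data: each transaction is the set of API-call features present in
# one sample. Names are hypothetical labels, not real PE import names.
BENIGN = [
    {"open_file", "read_file", "close_handle"},
    {"open_file", "read_file", "write_file", "close_handle"},
    {"open_file", "read_file", "close_handle", "load_library"},
    {"read_file", "write_file", "close_handle"},
    {"open_file", "write_file", "close_handle", "load_library"},
]
MALWARE = [
    {"alloc_remote", "write_remote", "start_remote_thread", "open_process"},
    {"alloc_remote", "write_remote", "start_remote_thread", "close_handle"},
    {"open_process", "alloc_remote", "write_remote", "start_remote_thread", "read_file"},
    {"open_process", "write_remote", "start_remote_thread"},
    {"alloc_remote", "write_remote", "load_library"},
]


def support(pattern, transactions):
    return sum(1 for t in transactions if pattern <= t)


def closed_frequent_itemsets(transactions, min_support):
    """Level-wise enumeration (fine for a toy alphabet); an itemset is closed when
    no strict superset has the same support, so only closed ones are returned."""
    items = sorted(set().union(*transactions))
    frequent = {}
    for k in range(1, len(items) + 1):
        level = {frozenset(c): support(frozenset(c), transactions) for c in combinations(items, k)}
        level = {s: sup for s, sup in level.items() if sup >= min_support}
        if not level:
            break  # Apriori property: no frequent k-sets means no frequent (k+1)-sets
        frequent.update(level)
    return {s: sup for s, sup in frequent.items()
            if not any(s < o and osup == sup for o, osup in frequent.items())}


def cover(transaction, code_table):
    """Greedy cover in standard cover order: longest patterns first, then most frequent."""
    remaining, used = set(transaction), []
    for pat in code_table:
        if pat <= remaining:
            used.append(pat)
            remaining -= pat
    return used


def total_encoded_size(transactions, code_table, st_len):
    """L(D|CT) + L(CT|D): data encoded with the table, plus the table itself where each
    used pattern is spelled out with the singleton 'standard' code lengths."""
    usage = Counter(p for t in transactions for p in cover(t, code_table))
    total = sum(usage.values())
    code_len = {p: -math.log2(u / total) for p, u in usage.items()}  # unused codes cost nothing
    data_bits = sum(code_len[p] * u for p, u in usage.items())
    table_bits = sum(code_len[p] + sum(st_len[i] for i in p) for p in code_len)
    return data_bits + table_bits, usage


def build_code_table(transactions, min_support):
    """Greedy MDL selection: start from singletons and keep a closed frequent pattern
    only if it shrinks the total encoded size of the class's training data."""
    counts = Counter(i for t in transactions for i in t)
    st_len = {i: -math.log2(c / sum(counts.values())) for i, c in counts.items()}
    order = lambda p: (-len(p), -support(p, transactions))
    table = sorted((frozenset([i]) for i in counts), key=order)
    best, _ = total_encoded_size(transactions, table, st_len)
    for cand in sorted((p for p in closed_frequent_itemsets(transactions, min_support)
                        if len(p) > 1), key=order):
        trial = sorted(table + [cand], key=order)
        bits, _ = total_encoded_size(transactions, trial, st_len)
        if bits < best:
            table, best = trial, bits
    return table, total_encoded_size(transactions, table, st_len)[1]


def encoded_length(transaction, table, usage):
    """Bits to encode one sample with a class's table (Laplace-smoothed usages, an
    assumption of this example); features the class never showed are charged the
    cost of a zero-usage code, so unfamiliar samples compress badly."""
    total = sum(usage.values()) + len(table)
    used = cover(transaction, table)
    bits = sum(-math.log2((usage[p] + 1) / total) for p in used)
    uncovered = set(transaction) - set().union(*used)
    return bits + len(uncovered) * math.log2(total)


class MDLClassifier:
    """One code table per class; a sample gets the class whose table compresses it best."""

    def __init__(self, min_support=2):
        self.min_support, self.models = min_support, {}

    def fit(self, labeled):
        for label, txs in labeled.items():
            self.models[label] = build_code_table(txs, self.min_support)

    def predict(self, transaction):
        scores = {label: encoded_length(transaction, *m) for label, m in self.models.items()}
        return min(scores, key=scores.get), scores


def demo():
    clf = MDLClassifier(min_support=2)
    clf.fit({"benign": BENIGN, "malware": MALWARE})
    samples = {"benign_like": {"open_file", "read_file", "close_handle"},
               "malware_like": {"alloc_remote", "write_remote", "start_remote_thread"}}
    return clf, {name: clf.predict(s) for name, s in samples.items()}


if __name__ == "__main__":
    clf, results = demo()
    for label, (table, usage) in clf.models.items():
        print(label, "patterns:", [sorted(p) for p in table if len(p) > 1])
    for name, (label, scores) in results.items():
        print(name, "->", label, {k: round(v, 2) for k, v in scores.items()})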