pith. sign in

arxiv: 1908.00200 · v1 · pith:AA4XHDVGnew · submitted 2019-08-01 · 💻 cs.CR · cs.LG· stat.ML

KiloGrams: Very Large N-Grams for Malware Classification

classification 💻 cs.CR cs.LGstat.ML
keywords featuresgramslargemalwareclassificationcommonn-gramstested
0
0 comments X
read the original abstract

N-grams have been a common tool for information retrieval and machine learning applications for decades. In nearly all previous works, only a few values of $n$ are tested, with $n > 6$ being exceedingly rare. Larger values of $n$ are not tested due to computational burden or the fear of overfitting. In this work, we present a method to find the top-$k$ most frequent $n$-grams that is 60$\times$ faster for small $n$, and can tackle large $n\geq1024$. Despite the unprecedented size of $n$ considered, we show how these features still have predictive ability for malware classification tasks. More important, large $n$-grams provide benefits in producing features that are interpretable by malware analysis, and can be used to create general purpose signatures compatible with industry standard tools like Yara. Furthermore, the counts of common $n$-grams in a file may be added as features to publicly available human-engineered features that rival efficacy of professionally-developed features when used to train gradient-boosted decision tree models on the EMBER dataset.

This paper has not been read by Pith yet.

discussion (0)

Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.

Forward citations

Cited by 1 Pith paper

Reviewed papers in the Pith corpus that reference this work. Sorted by Pith novelty score.

  1. Hamm-Grams: An Algorithm for Mining Regular Expressions of Bytes

    cs.CR 2026-07 unverdicted novelty 6.0

    Hamm-grams are a new class of fixed-length regular expressions over bytes with single-character wildcards, mined efficiently with LSH and clustering to yield more robust features than n-grams for malware classificatio...