Week 9 Lecture 2: Machine Learning for Malware Detection 2

Flashcards on Malware Detection and Analysis using Neural Networks

17 Terms

1

Why is manual malware analysis insufficient?

It is slow, expensive, and not scalable due to the exponentially increasing number of malware types.

2

What is a key advantage of using neural networks for malware detection?

Removes the need for human experts to design malware signatures manually.

3

What hardware component can speed up neural network execution for malware detection?

Graphics Processing Unit (GPU)

4

What is the role of 'weights' in a neural network?

Parameters inside the network that are learned to produce a desired output.

5

What triggered the resurgence of neural networks around 2006?

Hinton's paper on training very deep networks and advancements in computing power (GPUs).

6

What file type contains Dalvik byte-code in Android applications, and how is it accessed?

The .apk file contains a .dex file of Dalvik byte-code, which is recovered using a disassembler like Apktool.

7

In the pre-processing pipeline, what is done with the operands of each Dalvik instruction?

The operands are discarded, and only the opcode is kept.

8

What is the purpose of converting Dalvik opcodes to numbers?

To represent the opcodes in a numerical format suitable for neural network processing.

9

How is the dataset typically split when training a neural network for malware detection?

Typically split into 90% for training and 10% for testing.

10

What is an 'embedding layer' in a neural network architecture for malware detection?

A layer that transforms each opcode into a corresponding vector, allowing the network to learn its own internal representation for each opcode.

11

What does a 'convolutional filter' learn to detect in the sequence of opcodes?

A different pattern in the sequence of opcodes.

12

What is the purpose of 'max pooling' in the network architecture?

To determine how well a convolutional filter matched with any part of the opcode sequence.

13

What is the role of the 'classifier layer' in the neural network?

To output the network's decision on whether the given opcode sequence is likely to be malware or not.

14

What type of classifier is used in the classifier layer mentioned in the notes?

Binary Cross Entropy classifier

15

What is the range of the output from the neural network, and what does it represent?

A number between 0 and 1, representing the network’s estimated probability that a given .apk is malware.

16

What is the purpose of a cost function during neural network training?

To compare the network's prediction with the correct answer and calculate the cost, which the network aims to minimize through back propagation.

17

What does the neural network use to adjust its 'weights' during training?

Back propagation to minimize the cost function.