English

KiloGrams: Very Large N-Grams for Malware Classification

Cryptography and Security 2019-08-02 v1 Machine Learning Machine Learning

Abstract

N-grams have been a common tool for information retrieval and machine learning applications for decades. In nearly all previous works, only a few values of nn are tested, with n>6n > 6 being exceedingly rare. Larger values of nn are not tested due to computational burden or the fear of overfitting. In this work, we present a method to find the top-kk most frequent nn-grams that is 60×\times faster for small nn, and can tackle large n1024n\geq1024. Despite the unprecedented size of nn considered, we show how these features still have predictive ability for malware classification tasks. More important, large nn-grams provide benefits in producing features that are interpretable by malware analysis, and can be used to create general purpose signatures compatible with industry standard tools like Yara. Furthermore, the counts of common nn-grams in a file may be added as features to publicly available human-engineered features that rival efficacy of professionally-developed features when used to train gradient-boosted decision tree models on the EMBER dataset.

Keywords

Cite

@article{arxiv.1908.00200,
  title  = {KiloGrams: Very Large N-Grams for Malware Classification},
  author = {Edward Raff and William Fleming and Richard Zak and Hyrum Anderson and Bill Finlayson and Charles Nicholas and Mark McLean},
  journal= {arXiv preprint arXiv:1908.00200},
  year   = {2019}
}

Comments

Appearing in LEMINCS @ KDD'19, August 5th, 2019, Anchorage, Alaska, United States

R2 v1 2026-06-23T10:36:54.462Z