PROUD-MAL: static analysis-based progressive framework for deep unsupervised malware classification of windows portable executable
Complex & Intelligent Systems ( IF 5.0 ) Pub Date : 2021-10-12 , DOI: 10.1007/s40747-021-00560-1
Syed Khurram Jah Rizvi 1, 2 , Warda Aslam 1 , Muhammad Shahzad 1 , Shahzad Saleem 1, 3 , Muhammad Moazam Fraz 1, 4
Enterprises strive to keep their infrastructure, facilities, networks and systems protected against malware-based cyber-attacks. Static analysis is an effective way to detect malware, i.e. malicious Portable Executable (PE) files: it inspects a PE in depth without executing it, which keeps the risk of a malicious PE contaminating the analysis system low. Yet instant detection by static analysis has become very difficult because of the exponential growth in the volume and variety of malware. The compelling need for early-stage detection of malware-based attacks has pushed research towards automated malware detection. Most recent machine-learning-aided detectors that rely on static analysis are supervised. Supervised detection requires manual labelling and human feedback, so it is less effective in a rapidly evolving and dynamic threat space. To this end, we propose PROUD-MAL, a progressive deep unsupervised framework with a feature attention block for static-analysis-based malware detection. The framework consists of cascaded blocks: unsupervised clustering followed by a deep neural network with feature attention. The network, with the feature attention block embedded, is trained on the pseudo labels produced by the clustering stage. To evaluate the framework, we collected a dataset of live malware samples by deploying low- and high-interaction honeypots on an enterprise network; an endpoint security solution deployed on the same network was also used to collect samples. After post-processing and cleaning, the resulting dataset consists of 15,457 PE samples comprising 8775 malicious and 6681 benign ones.
PROUD-MAL achieved an accuracy of more than 98.09% on the collected dataset, with better quantitative performance on the standard evaluation metrics than conventional machine learning algorithms. The implementation and dataset are available at https://bit.ly/35Sne3a.
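As an added example (not the paper's code, features or dataset), the following Python sketches the two stages the abstract describes: static features are read from PE headers without running the sample, and unsupervised k-means turns the feature vectors into pseudo labels on which a supervised learner could then be trained. The header offsets and section flags follow the PE/COFF specification; the feature set (section count, per-section entropy, writable-and-executable sections, entry point location), the k-means seeding and the four constructed PE images are this example's own assumptions, and the attention-based network is not reproduced.

```python
# Added example: static PE header features -> k-means pseudo labels. The feature set and
# clustering are this example's own choices, not the PROUD-MAL implementation.
import math
import random
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
SECTION_HEADER_SIZE = 40
OPTIONAL_HEADER_SIZE = 0xE0  # PE32 optional header size emitted by build_pe()


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ~0 for constant data, close to 8 for packed/encrypted data."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in (data.count(b) for b in set(data))) if n else 0.0


def build_pe(sections, entry_rva):
    """Constructed test input: minimal, structurally valid (not loadable) PE32 image."""
    hdr_len = 0x40 + 4 + 20 + OPTIONAL_HEADER_SIZE + SECTION_HEADER_SIZE * len(sections)
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, OPTIONAL_HEADER_SIZE, 0x102)
    opt = bytearray(OPTIONAL_HEADER_SIZE)
    struct.pack_into("<H", opt, 0, 0x10B)  # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)  # AddressOfEntryPoint
    table, bodies, raw_ptr, rva = b"", b"", hdr_len, 0x1000
    for name, data, chars in sections:  # one 40-byte IMAGE_SECTION_HEADER each
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), len(data), rva,
                             len(data), raw_ptr, 0, 0, 0, 0, chars)
        bodies += data
        raw_ptr += len(data)
        rva += (len(data) + 0xFFF) & ~0xFFF  # next section starts on a fresh 4 KiB page
    return dos + b"PE\0\0" + coff + bytes(opt) + table + bodies


def extract_features(blob: bytes):
    """Header-only parse (nothing is executed). Returns [section count, mean section entropy,
    max section entropy, fraction of RWX sections, 1.0 if the entry point is in an RWX section]."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsect = struct.unpack_from("<H", blob, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", blob, e_lfanew + 20)[0]
    opt_off = e_lfanew + 24  # optional header follows the 20-byte COFF header
    if nsect == 0 or opt_off + opt_size + SECTION_HEADER_SIZE * nsect > len(blob):
        raise ValueError("empty or truncated section table")
    entry_rva = struct.unpack_from("<I", blob, opt_off + 16)[0]
    entropies, rwx, entry_in_rwx = [], 0, 0.0
    for i in range(nsect):
        off = opt_off + opt_size + SECTION_HEADER_SIZE * i
        vsize, vaddr, raw_size, raw_ptr = struct.unpack_from("<IIII", blob, off + 8)
        chars = struct.unpack_from("<I", blob, off + 36)[0]
        entropies.append(shannon_entropy(blob[raw_ptr:raw_ptr + raw_size]))
        if chars & IMAGE_SCN_MEM_EXECUTE and chars & IMAGE_SCN_MEM_WRITE:
            rwx += 1
            if vaddr <= entry_rva < vaddr + max(vsize, raw_size):
                entry_in_rwx = 1.0
    return [float(nsect), sum(entropies) / nsect, max(entropies), rwx / nsect, entry_in_rwx]


def kmeans_pseudo_labels(vectors, k=2, iters=100):
    """Min-max scale, then Lloyd's k-means with farthest-point seeding; one label per vector."""
    dims = len(vectors[0])
    lo = [min(v[d] for v in vectors) for d in range(dims)]
    hi = [max(v[d] for v in vectors) for d in range(dims)]
    pts = [[(v[d] - lo[d]) / (hi[d] - lo[d]) if hi[d] > lo[d] else 0.0 for d in range(dims)]
           for v in vectors]
    dist = lambda a, b: math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))
    centroids = [pts[0]]  # deterministic: first point, then the point farthest from the rest
    while len(centroids) < k:
        centroids.append(max(pts, key=lambda p: min(dist(p, c) for c in centroids)))
    labels = [-1] * len(pts)
    for _ in range(iters):
        new = [min(range(k), key=lambda j: dist(p, centroids[j])) for p in pts]
        if new == labels:
            break
        labels = new
        for j in range(k):
            members = [p for p, l in zip(pts, labels) if l == j]
            if members:
                centroids[j] = [sum(m[d] for m in members) / len(members) for d in range(dims)]
    return labels


def sample_corpus():
    """Four constructed PE images standing in for a collected dataset (not real samples)."""
    rng = random.Random(7)
    code = bytes(range(64)) * 32  # 2 KiB of "code" with entropy exactly 6.0
    data = b"\0" * 1024 + b"config=1\0" * 16  # low-entropy data section
    packed = bytes(rng.getrandbits(8) for _ in range(4096))  # ~8 bits/byte, looks packed
    rx = IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_EXECUTE
    rw = IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
    rwx = rx | IMAGE_SCN_MEM_WRITE
    return [build_pe([(b".text", code, rx), (b".data", data, rw), (b".rsrc", data, rw)], 0x1000),
            build_pe([(b".text", code, rx), (b".data", data, rw)], 0x1010),
            build_pe([(b".pack0", packed, rwx)], 0x1000),
            build_pe([(b".pack0", packed, rwx), (b".data", data, rw)], 0x1000)]
```

The pseudo labels are arbitrary cluster indices: which cluster stands for "malicious" still has to be decided, for instance by inspecting the cluster whose members have high-entropy RWX sections, and a legitimate installer with compressed resources will land in that cluster too. That label noise is exactly what a network trained on pseudo labels has to tolerate, which is why a feature-extraction stage like this one is only the first block of such a pipeline.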




Updated: 2021-10-13