Citation: Kumar, R.; Subbiah, G.
Zero-Day Malware Detection and
Effective Malware Analysis Using
Shapley Ensemble Boosting and
Bagging Approach. Sensors 2022, 22,
2798. https://doi.org/10.3390/
s22072798
Academic Editors: Alexios Mylonas
and Nikolaos Pitropakis
Received: 15 February 2022
Accepted: 28 March 2022
Published: 6 April 2022
Publisher’s Note: MDPI stays neutral
with regard to jurisdictional claims in
published maps and institutional affil-
iations.
Copyright: © 2022 by the authors.
Licensee MDPI, Basel, Switzerland.
This article is an open access article
distributed under the terms and
conditions of the Creative Commons
Attribution (CC BY) license (https://
creativecommons.org/licenses/by/
4.0/).
Article
Zero-Day Malware Detection and Effective Malware Analysis
Using Shapley Ensemble Boosting and Bagging Approach
Rajesh Kumar * and Geetha Subbiah
School of Computer Science and Engineering, Vellore Institute of Technology, Chennai Campus,
Chennai 600127, Tamil Nadu, India; geetha.s@vit.ac.in
* Correspondence: rajesh.kumar@vit.ac.in; Tel.: +91-909-295-2221
Abstract:
Software products from all vendors have vulnerabilities that can cause a security concern.
Malware is used as a prime exploitation tool to exploit these vulnerabilities. Machine learning (ML)
methods are efficient in detecting malware and are state-of-art. The effectiveness of ML models can be
augmented by reducing false negatives and false positives. In this paper, the performance of bagging
and boosting machine learning models is enhanced by reducing misclassification. Shapley values
of features are a true representation of the amount of contribution of features and help detect top
features for any prediction by the ML model. Shapley values are transformed to probability scale
to correlate with a prediction value of ML model and to detect top features for any prediction by a
trained ML model. The trend of top features derived from false negative and false positive predictions
by a trained ML model can be used for making inductive rules. In this work, the best performing
ML model in bagging and boosting is determined by the accuracy and confusion matrix on three
malware datasets from three different periods. The best performing ML model is used to make
effective inductive rules using waterfall plots based on the probability scale of features. This work
helps improve cyber security scenarios by effective detection of false-negative zero-day malware.
Keywords:
machine learning; computer security; artificial intelligence; boosting; bagging; cyber
security; zero-day vulnerability; zero-day malware detection; Shapley value
1. Introduction
Malware are meant to exploit the vulnerability and exposure of various software
product such as applications, Operating Systems (OS), drivers, etc. The popularity of OS
and applications make them a hot target for malware attacks. The ten top vendors from
the top 50 software vendors that have vulnerabilities in their various software products
are listed in Table 1, and the ten top products from fifty top software products are listed in
Table 2 from a common vulnerability and exposure website. The speed of the generation of
malware is very high these days. AlienVault—Open Threat Exchange is a crowd-sourced
computer-security platform. It shares more than 19 million potential threats daily among
more than 80,000 participants from 140 countries. Malware authors have polymorphic
and metamorphic engines for generating new malware at high speed. These malware
are exploited to convert these threats into attacks. The polymorphic and metamorphic
engines generate dissimilar malware variants for zero-day attacks. The polymorphic and
metamorphic engines modify some parts of the source code of existing malware to produce
a new malware variant. For instance, reassignment of the registers such as replacing [PUSH
eax] with [PUSH ebx] and related changes for POP instructions replace code between
registers by exchanging register names. The program behavior is the same as before. These
methods change the hash values and signatures for the malware and it is not detectable by
anti-virus software, which depends on signatures or hash values.
Sensors 2022, 22, 2798. https://doi.org/10.3390/s22072798 https://www.mdpi.com/journal/sensors