Topic area: Modeling
There is no single machine learning model that is best for all applications. In the process of building a malware classifier, Endgame used a bakeoff process in order to choose the model best suited for us. We will describe this process, how the results could be improved with further research, and the challenge of using machine learning for malware classification in general.
Each machine learning model has advantages and disadvantages. Machine learning practitioners must keep these tradeoffs in mind when choosing a model for their application and implement the one that best meets their specific requirements and constraints.
At Endgame, we wanted to use machine learning to help distinguish between benign software and malware. In order to pick the best model for our requirements, we implemented a basic version of each one in order to compare their performance. I’ll describe the results of this bakeoff between logistic regression, support vector machines (SVMs), nearest neighbor, gradient boosted decision trees (GBDTs), and neural nets. The evaluation metrics include the accuracy of the predictions, as well as the query time, model size, and other measures of the model’s suitability for real world use.
The metrics for each model can be improved in practice with some additional tailoring. Some models will improve with better search techniques while others will require additional feature engineering or data selection. Neural networks have achieved such spectacular results in image classification and language processing that it’s hard to imagine their results in this domain couldn’t be improved with more research.
There are many challenges to applying machine learning to the security industry that don’t exist in those other industries. These challenges slow the process of building tools like a static malware classifier, but there are still ways to make intelligent data tools that can aid security analysts.
Our bakeoff demonstrated the importance of evaluating the range of models and properly fitting the model to the use case.