Malware Detection of Hangul Word Processor Files Using Spatial Pyramid Average Pooling

Sensors (Basel). 2020 Sep 15;20(18):5265. doi: 10.3390/s20185265.

Abstract

Malware detection of non-executables has recently been drawing much attention because ordinary users are vulnerable to such malware. Hangul Word Processor (HWP) is software for editing non-executable text files and is widely used in South Korea. New malware for HWP files continues to appear because of the circumstances between South Korea and North Korea. There have been various studies to solve this problem, but most of them are limited because they require a large amount of effort to define features based on expert knowledge. In this study, we designed a convolutional neural network to detect malware within HWP files. Our proposed model takes a raw byte stream as input and predicts whether it contains malicious actions or not. To incorporate highly variable lengths of HWP byte streams, we propose a new padding method and a spatial pyramid average pooling layer. We experimentally demonstrate that our model is not only effective, but also efficient.

Keywords: HWP; Hangul Word Processor; convolutional neural network; malware detection; spatial pyramid average pooling; spatial pyramid pooling; stretch padding.