An empirical evaluation on the interpretable methods on Malware analysis
With the upsurge of cybersecurity attacks in recent years, there is a demand for more complex and accurate Malware classifiers to take the limelight. For these complex models to be trusted and be deployed in the wild, it is necessary for the results of these complex models to be explainable and thus...
Saved in:
| Main Author: | |
|---|---|
| Other Authors: | |
| Format: | Final Year Project |
| Language: | English |
| Published: |
Nanyang Technological University
2021
|
| Subjects: | |
| Online Access: | https://hdl.handle.net/10356/148598 |
| Tags: |
Add Tag
No Tags, Be the first to tag this record!
|
| Institution: | Nanyang Technological University |
| Language: | English |
| id |
sg-ntu-dr.10356-148598 |
|---|---|
| record_format |
dspace |
| spelling |
sg-ntu-dr.10356-1485982021-05-07T12:27:23Z An empirical evaluation on the interpretable methods on Malware analysis Ang, Alvis Jie Kai Liu Yang School of Computer Science and Engineering Feng Ruitao yangliu@ntu.edu.sg Engineering::Computer science and engineering With the upsurge of cybersecurity attacks in recent years, there is a demand for more complex and accurate Malware classifiers to take the limelight. For these complex models to be trusted and be deployed in the wild, it is necessary for the results of these complex models to be explainable and thus trusted. However, complex black box models are difficult to be explained accurately with existing explanation techniques as different explanation techniques may perform better under different conditions. This report empirically evaluates the performance of the two most popular explanation techniques, LIME and SHAP, on a XGBoost classifier that was trained to classify Malware. The XGBoost model makes use of unigram and bigram as training features. To evaluate the performance of LIME and SHAP on the XGBoost model, we investigate the effects of the top ranked features from both explanation techniques by detecting the Malware class probability before and after eliminating the top ranked feature. While this metric may be a simple one, the consistency of the results show that it is nevertheless an effective one. Additionally, our results also show that SHAP consistently performs better than LIME on our model. Further investigation reveals that features ranked highly by LIME fluctuates greatly, from features that impact the class probabilities greatly to little or no effect from the XGBoost classifier used. Overall, using the metric proposed, we can perform evaluation of various explanation techniques on complex black box models. Bachelor of Engineering (Computer Science) 2021-05-07T12:27:23Z 2021-05-07T12:27:23Z 2021 Final Year Project (FYP) Ang, A. J. K. (2021). An empirical evaluation on the interpretable methods on Malware analysis. Final Year Project (FYP), Nanyang Technological University, Singapore. https://hdl.handle.net/10356/148598 https://hdl.handle.net/10356/148598 en SCSE20-0196 application/pdf Nanyang Technological University |
| institution |
Nanyang Technological University |
| building |
NTU Library |
| continent |
Asia |
| country |
Singapore Singapore |
| content_provider |
NTU Library |
| collection |
DR-NTU |
| language |
English |
| topic |
Engineering::Computer science and engineering |
| spellingShingle |
Engineering::Computer science and engineering Ang, Alvis Jie Kai An empirical evaluation on the interpretable methods on Malware analysis |
| description |
With the upsurge of cybersecurity attacks in recent years, there is a demand for more complex and accurate Malware classifiers to take the limelight. For these complex models to be trusted and be deployed in the wild, it is necessary for the results of these complex models to be explainable and thus trusted. However, complex black box models are difficult to be explained accurately with existing explanation techniques as different explanation techniques may perform better under different conditions.
This report empirically evaluates the performance of the two most popular explanation techniques, LIME and SHAP, on a XGBoost classifier that was trained to classify Malware. The XGBoost model makes use of unigram and bigram as training features. To evaluate the performance of LIME and SHAP on the XGBoost model, we investigate the effects of the top ranked features from both explanation techniques by detecting the Malware class probability before and after eliminating the top ranked feature. While this metric may be a simple one, the consistency of the results show that it is nevertheless an effective one. Additionally, our results also show that SHAP consistently performs better than LIME on our model. Further investigation reveals that features ranked highly by LIME fluctuates greatly, from features that impact the class probabilities greatly to little or no effect from the XGBoost classifier used. Overall, using the metric proposed, we can perform evaluation of various explanation techniques on complex black box models. |
| author2 |
Liu Yang |
| author_facet |
Liu Yang Ang, Alvis Jie Kai |
| format |
Final Year Project |
| author |
Ang, Alvis Jie Kai |
| author_sort |
Ang, Alvis Jie Kai |
| title |
An empirical evaluation on the interpretable methods on Malware analysis |
| title_short |
An empirical evaluation on the interpretable methods on Malware analysis |
| title_full |
An empirical evaluation on the interpretable methods on Malware analysis |
| title_fullStr |
An empirical evaluation on the interpretable methods on Malware analysis |
| title_full_unstemmed |
An empirical evaluation on the interpretable methods on Malware analysis |
| title_sort |
empirical evaluation on the interpretable methods on malware analysis |
| publisher |
Nanyang Technological University |
| publishDate |
2021 |
| url |
https://hdl.handle.net/10356/148598 |
| _version_ |
1699245910687481856 |