A Comparison of Word2Vec, HMM2Vec, and PCA2Vec for Malware Classification
This work addresses malware classification for cybersecurity applications, but it is incremental as it applies existing embedding techniques to a new domain.
The paper compared Word2Vec, HMM2Vec, and PCA2Vec for malware classification using opcode sequences, finding that these embeddings improved classification accuracy over direct HMM use, establishing a baseline for feature engineering in malware analysis.
Word embeddings are often used in natural language processing as a means to quantify relationships between words. More generally, these same word embedding techniques can be used to quantify relationships between features. In this paper, we first consider multiple different word embedding techniques within the context of malware classification. We use hidden Markov models to obtain embedding vectors in an approach that we refer to as HMM2Vec, and we generate vector embeddings based on principal component analysis. We also consider the popular neural network based word embedding technique known as Word2Vec. In each case, we derive feature embeddings based on opcode sequences for malware samples from a variety of different families. We show that we can obtain better classification accuracy based on these feature embeddings, as compared to HMM experiments that directly use the opcode sequences, and serve to establish a baseline. These results show that word embeddings can be a useful feature engineering step in the field of malware analysis.