🧠 🦠 An artificial neural network and API to detect Windows malware, based on Ergo and LIEF.

Installation

cd /path/to/ergo-pe-av
sudo pip3 install -r requirements.txt

Use as an API

ergo serve /path/to/ergo-pe-av --classes "clean, malware"

From the client, to scan a file that the server can access too:

curl "http://localhost:8080/?x=/path/to/file.exe"
# or
curl --data "x=/path/to/file.exe" "http://localhost:8080/"

To upload the whole file:

curl -F "x=@/path/to/file.exe" "http://localhost:8080/"

To encode a file to a vector of raw features:

curl -F "x=@/path/to/file.exe" "http://localhost:8080/encode"

To scan a vector of raw features:

curl --data "x=0.0,0.0,0.0,0.0,0.0,0.0,0.0,1.0,1.0,0.0,0.0,0.847058823529,......" "http://localhost:8080/"
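As an added example (not code from the ergo-pe-av project), a minimal Python client for the four API calls above, using only the standard library. The page does not document the response body format, so the scan functions return the raw response text; the client assumes /encode returns the same comma-separated vector that the scan endpoint accepts.

```python
# Added example client for the ergo serve HTTP API (standard library only).
# Assumption: /encode answers with a comma-separated float vector; scan calls
# return their raw response text because the page does not document the format.
import urllib.parse
import urllib.request
import uuid

BASE_URL = "http://localhost:8080"  # default ergo serve address from the README


def parse_vector(text):
    """Parse a comma-separated feature vector (as sent to / and returned by /encode)."""
    values = [float(v) for v in text.strip().split(",") if v.strip()]
    # Every raw feature shown on the page lies in [0, 1]; reject anything else so
    # a truncated or corrupted vector is caught before it is submitted for scanning.
    if any(not 0.0 <= v <= 1.0 for v in values):
        raise ValueError("feature value outside [0, 1]")
    return values


def build_multipart(field, filename, data):
    """Build a multipart/form-data body equivalent to curl -F "field=@file"."""
    boundary = uuid.uuid4().hex
    head = (
        f"--{boundary}\r\n"
        f'Content-Disposition: form-data; name="{field}"; filename="{filename}"\r\n'
        "Content-Type: application/octet-stream\r\n\r\n"
    ).encode()
    return f"multipart/form-data; boundary={boundary}", head + data + f"\r\n--{boundary}--\r\n".encode()


def _post(url, content_type, body):
    req = urllib.request.Request(url, data=body, method="POST")
    req.add_header("Content-Type", content_type)
    with urllib.request.urlopen(req, timeout=60) as resp:
        return resp.read().decode()


def scan_server_path(path, base_url=BASE_URL):
    """Scan a file the server can read itself (curl "http://.../?x=/path")."""
    with urllib.request.urlopen(base_url + "/?" + urllib.parse.urlencode({"x": path}), timeout=60) as resp:
        return resp.read().decode()


def encode_file(filename, data, base_url=BASE_URL):
    """Upload a PE and get back its raw feature vector (POST /encode)."""
    ctype, body = build_multipart("x", filename, data)
    return parse_vector(_post(base_url + "/encode", ctype, body))


def scan_upload(filename, data, base_url=BASE_URL):
    """Upload a whole PE for classification (POST /)."""
    ctype, body = build_multipart("x", filename, data)
    return _post(base_url + "/", ctype, body)


def scan_vector(vector, base_url=BASE_URL):
    """Scan an already encoded vector (curl --data "x=0.0,...")."""
    form = urllib.parse.urlencode({"x": ",".join(repr(v) for v in vector)}).encode()
    return _post(base_url + "/", "application/x-www-form-urlencoded", form)
```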

Model Statistics

The dataset is made of ~200000 samples divided into two subfolders:

  • classes/pe-malicious with 100000 malware samples from VirusTotal
  • classes/pe-clean with 100000 clean samples

The dataset.csv training file has been generated with:

ergo encode ergo-pe-av /media/evilsocket/4TB/datapath-pe/classes --filter "*.exe"

[Figures: training ROC/AUC curve; training, validation and testing confusion matrices]

License

Made with ♥ by the dev team and released under the GPL 3 license.
