In [1]:
from __future__ import print_function

import numpy as np
import pandas as pd
from sklearn.feature_extraction.text import CountVectorizer
from sklearn.model_selection import train_test_split
from sklearn.metrics import classification_report,confusion_matrix

# Number of rows read from the top-sites list (size of the class-0 sample).
SAMPLES = 50000
# Character n-gram order used to build the vocabulary and to encode domains.
NGRAMS = 2
# Length every encoded domain is padded or truncated to before training.
FEATURE_LEN = 128
# Number of epochs passed to model.fit.
EPOCHS = 15

In [2]:
# Class-0 sample: the first SAMPLES rows of the top-sites ranking file.
# The file has no header row; its two columns are rank and domain.
top_sites = pd.read_csv('./data/top-1m.csv.zip', header=None, nrows=SAMPLES)
top_sites.columns = ['rank', 'domain']

# Only the domain string is kept; the rank is not used as a feature.
adf = top_sites[['domain']]
adf

Unnamed: 0,domain
0,google.com
1,youtube.com
2,facebook.com
3,baidu.com
4,wikipedia.org
5,yahoo.com
6,google.co.in
7,reddit.com
8,qq.com
9,taobao.com


In [3]:
# Every domain from the top-sites list gets label 0.
# The label comes from list membership alone; no domain is checked individually.
adf = adf.assign(malware_cat=0)
adf

Unnamed: 0,domain,malware_cat
0,google.com,0
1,youtube.com,0
2,facebook.com,0
3,baidu.com,0
4,wikipedia.org,0
5,yahoo.com,0
6,google.co.in,0
7,reddit.com,0
8,qq.com,0
9,taobao.com,0


In [4]:
# Class-1 sample: the 'domain' column of the 2017 malware list, all labelled 1.
df = pd.read_csv('./data/malware_2017.csv.bz2', usecols=['domain']).assign(malware_cat=1)
df

Unnamed: 0,domain,malware_cat
0,amazon.co.uk.security-check.ga,1
1,autosegurancabrasil.com,1
2,dadossolicitado-antendimento.sad879.mobi,1
3,hitnrun.com.my,1
4,maruthorvattomsrianjaneyatemple.org,1
5,paypalsecure-2016.sucurecode524154241.arita.ac.tz,1
6,tei.portal.crockerandwestridge.com,1
7,tonyyeo.com,1
8,update-apple.com.betawihosting.net,1
9,usaa.com-sec-inet-auth-logon-ent-logon-logon-r...,1


In [5]:
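# Combine the two labelled lists into one dataset. ignore_index=True gives every
# row its own label; without it the row labels of adf and df (both start at 0)
# would repeat in the combined frame.
sdf = pd.concat([adf, df], ignore_index=True)

# A domain present in both lists ends up in the dataset twice with opposite
# labels. Report how many there are so the conflict is visible before training.
conflicting_domains = set(adf['domain']) & set(df['domain'])
print("domains labelled both 0 and 1: %d" % len(conflicting_domains))
sdf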

Unnamed: 0,domain,malware_cat
0,google.com,0
1,youtube.com,0
2,facebook.com,0
3,baidu.com,0
4,wikipedia.org,0
5,yahoo.com,0
6,google.co.in,0
7,reddit.com,0
8,qq.com,0
9,taobao.com,0


## Preprocessing the input data

In [6]:
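# Build the character n-gram vocabulary over every domain in sdf.
# NOTE(review): the vectorizer is fitted on all of sdf, i.e. before the
# train/test split done in a later cell, so the frequency ranking below also
# reflects the held-out domains.
# NOTE(review): lowercase=False keeps upper- and lower-case n-grams distinct,
# while DNS names compare case-insensitively; confirm inputs are normalised the
# same way here and wherever the saved vocabulary is reused.
vect = CountVectorizer(analyzer='char', ngram_range=(NGRAMS, NGRAMS), lowercase=False)
a = vect.fit_transform(sdf.domain)
vocab = vect.vocabulary_

# Total occurrences of each n-gram, taken as one column sum over the sparse
# count matrix instead of slicing it once per vocabulary entry.
ngram_totals = np.asarray(a.sum(axis=0)).ravel()

# Rank n-grams from most to least frequent. Tuples are compared element by
# element, so equal counts are ordered by the n-gram text, also descending.
words = sorted(((ngram_totals[col], gram) for gram, col in vocab.items()), reverse=True)
words_list = [w[1] for w in words]
num_words = len(words_list)
print("num_words = %d" % num_words)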


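def find_ngrams(text, n):
    """Encode ``text`` as the positions of its character n-grams in ``words_list``.

    Every run of ``n`` consecutive characters is looked up in the module-level
    ``words_list`` and replaced by its index there.

    Args:
        text: string to encode (a domain name in this notebook).
        n: n-gram length.

    Returns:
        list of int, one index per n-gram in order of appearance; empty when
        ``text`` has fewer than ``n`` characters. An n-gram that is not in
        ``words_list`` is encoded as 0.
    """
    # NOTE(review): 0 is also the index of the first words_list entry, and the
    # padding cell calls pad_sequences without a value argument, which fills
    # with 0 as well. Unknown n-grams, the top-ranked n-gram and padding are
    # therefore the same token to the model.
    # NOTE(review): list.index scans words_list on every lookup; a dict built
    # once from words_list would give the same indices in constant time.
    encoded = []
    for chars in zip(*[text[i:] for i in range(n)]):
        gram = ''.join(chars)
        try:
            encoded.append(words_list.index(gram))
        except ValueError:
            # Raised by list.index when the n-gram is absent. Only that case
            # maps to 0; any other error (for example words_list not being
            # defined yet) is no longer hidden behind a bare except.
            encoded.append(0)
    return encoded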

# Encode every domain as its list of n-gram indices (one list per domain).
X = np.array(sdf.domain.apply(lambda domain: find_ngrams(domain, NGRAMS)))

# Sequence-length statistics; they are printed in the next cell.
X_len = [len(seq) for seq in X]
max_feature_len = max(X_len)
avg_feature_len = int(np.mean(X_len))

num_words = 1448


In [7]:
length_report = "Max feature len = %d, Avg. feature len = %d" % (max_feature_len, avg_feature_len)
print(length_report)

# Labels: 0 for rows from the top-sites list, 1 for rows from the malware list.
y = sdf.malware_cat

# Hold out 20% of the rows for testing. stratify=y keeps the class ratio the
# same in both parts; the fixed random_state makes the split repeatable.
X_train, X_test, y_train, y_test = train_test_split(
    X,
    y,
    test_size=0.2,
    stratify=y,
    random_state=21,
)

Max feature len = 209, Avg. feature len = 13


In [8]:
# Number of test rows per class label.
test_labels, test_counts = np.unique(y_test, return_counts=True)
dict(zip(test_labels, test_counts))

{0: 10000, 1: 3048}

In [9]:
# Number of training rows per class label.
train_labels, train_counts = np.unique(y_train, return_counts=True)
dict(zip(train_labels, train_counts))

{0: 40000, 1: 12190}

## Train an LSTM model

In [10]:
import keras
from keras.preprocessing import sequence
from keras.models import Sequential
from keras.layers import Dense, Embedding, Dropout, Activation
from keras.layers import LSTM
from keras.layers.convolutional import Conv1D
from keras.layers.convolutional import MaxPooling1D
from keras.models import load_model

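max_features = num_words  # vocabulary size: number of distinct n-grams
feature_len = FEATURE_LEN  # every encoded domain is padded or cut to this many indices
batch_size = 32

print(len(X_train), 'train sequences')
print(len(X_test), 'test sequences')

print('Pad sequences (samples x time)')
# pad_sequences is called with its defaults: shorter sequences are padded with
# 0 at the front, and longer ones lose their leading entries. The longest
# encoded domain reported earlier exceeds feature_len, so for such domains only
# the right-most n-grams reach the model.
# NOTE(review): 0 is also a valid n-gram index produced by find_ngrams, so
# padding is not distinguishable from that n-gram.
X_train = sequence.pad_sequences(X_train, maxlen=feature_len)
X_test = sequence.pad_sequences(X_test, maxlen=feature_len)
print('X_train shape:', X_train.shape)
print('X_test shape:', X_test.shape)

# The labels stay a single 0/1 column. The one-hot conversion that used to sit
# here under `if False:` never ran and has been removed.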

  from ._conv import register_converters as _register_converters
Using TensorFlow backend.


52190 train sequences
13048 test sequences
Pad sequences (samples x time)
X_train shape: (52190, 128)
X_test shape: (13048, 128)


In [11]:
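print('Build model...')

# Binary classifier over the padded n-gram index sequences:
#   Embedding          maps each of the num_words indices to a 32-dim vector
#   LSTM               128 units, dropout 0.2 on inputs and on recurrent state
#   Dense(1, sigmoid)  one score in [0, 1] for label 1 (the malware list)
# The categorical variant that used to sit here under `if False:` never ran
# and has been removed.
model = Sequential()
model.add(Embedding(num_words, 32, input_length=feature_len))
model.add(LSTM(128, dropout=0.2, recurrent_dropout=0.2))
model.add(Dense(1, activation='sigmoid'))

model.compile(loss='binary_crossentropy',
              optimizer='adam',
              metrics=['accuracy'])

# summary() prints the layer table itself and returns None, so it is called
# directly; wrapping it in print() added a stray "None" line to the output.
model.summary()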

Build model...
_________________________________________________________________
Layer (type)                 Output Shape              Param #   
embedding_1 (Embedding)      (None, 128, 32)           46336     
_________________________________________________________________
lstm_1 (LSTM)                (None, 128)               82432     
_________________________________________________________________
dense_1 (Dense)              (None, 1)                 129       
Total params: 128,897
Trainable params: 128,897
Non-trainable params: 0
_________________________________________________________________
None


In [12]:
print('Train...')

# validation_split=0.1 holds back a tenth of the training rows; their loss and
# accuracy are reported after every epoch as val_loss / val_acc.
model.fit(
    X_train,
    y_train,
    batch_size=batch_size,
    epochs=EPOCHS,
    validation_split=0.1,
    verbose=2,
)

# With metrics=['accuracy'] at compile time, evaluate returns loss then accuracy.
# The two classes are not the same size (see the class counts printed above),
# so accuracy alone does not show how many class-1 domains are caught; the
# per-class report further down does.
test_metrics = model.evaluate(X_test, y_test, batch_size=batch_size, verbose=2)
score, acc = test_metrics
print('Test score:', score)
print('Test accuracy:', acc)

Train...
Train on 46971 samples, validate on 5219 samples
Epoch 1/15
 - 486s - loss: 0.4131 - acc: 0.8255 - val_loss: 0.3681 - val_acc: 0.8500
Epoch 2/15
 - 612s - loss: 0.3717 - acc: 0.8456 - val_loss: 0.3712 - val_acc: 0.8494
Epoch 3/15
 - 649s - loss: 0.3605 - acc: 0.8507 - val_loss: 0.3631 - val_acc: 0.8515
Epoch 4/15
 - 711s - loss: 0.3533 - acc: 0.8550 - val_loss: 0.3562 - val_acc: 0.8540
Epoch 5/15
 - 744s - loss: 0.3465 - acc: 0.8586 - val_loss: 0.3591 - val_acc: 0.8517
Epoch 6/15
 - 749s - loss: 0.3399 - acc: 0.8609 - val_loss: 0.3537 - val_acc: 0.8586
Epoch 7/15
 - 752s - loss: 0.3336 - acc: 0.8655 - val_loss: 0.3560 - val_acc: 0.8565
Epoch 8/15
 - 748s - loss: 0.3266 - acc: 0.8672 - val_loss: 0.3561 - val_acc: 0.8561
Epoch 9/15
 - 815s - loss: 0.3217 - acc: 0.8702 - val_loss: 0.3813 - val_acc: 0.8546
Epoch 10/15
 - 836s - loss: 0.3173 - acc: 0.8721 - val_loss: 0.3550 - val_acc: 0.8603
Epoch 11/15
 - 830s - loss: 0.3105 - acc: 0.8751 - val_loss: 0.3651 - val_acc: 0.8613
Epoch

## Confusion Matrix

In [15]:
# Row names for the report: the distinct label values found in the dataset.
label_categories = sdf.malware_cat.astype('category').cat.categories
target_names = list(label_categories)

# Hard 0/1 decisions for the test set. For a single sigmoid output
# predict_classes cuts the score at 0.5.
y_pred = model.predict_classes(X_test, verbose=2)

# Raw scores for the same rows. They are not used below, but they are what a
# different decision threshold would be applied to.
p = model.predict_proba(X_test, verbose=2)

In [16]:
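# classification_report expects string row names.
target_names = [str(t) for t in target_names]

# y_test is a single 0/1 column, so it is compared with y_pred directly. The
# argmax variant that used to sit here under `if False:` never ran and has
# been removed.
# Row "1" is the malware class; its recall is the share of listed malware
# domains that the model flags.
print(classification_report(y_test, y_pred, target_names=target_names))

# Rows are true labels, columns are predicted labels. With 1 as the positive
# class the layout is [[TN, FP], [FN, TP]]: the bottom-left cell counts
# malware domains predicted as 0.
print(confusion_matrix(y_test, y_pred))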

             precision    recall  f1-score   support

          0       0.87      0.95      0.91     10000
          1       0.75      0.52      0.62      3048

avg / total       0.84      0.85      0.84     13048

[[9478  522]
 [1451 1597]]


## Save model

In [17]:
# Write the trained network to disk. The file holds the model only; the n-gram
# vocabulary that defines its input indices is saved separately in the next cell.
model_path = './models/malware_cat_lstm_2017.h5'
model.save(model_path)

In [18]:
# Persist the ranked n-gram list. The row position of each n-gram is the index
# find_ngrams fed to the model, so the saved model is only usable together
# with this file in this exact order.
# NOTE(review): when reading the file back, pandas' default missing-value
# parsing would turn a bigram such as "NA" into NaN; loading with
# keep_default_na=False avoids that. Confirm against the loader.
vocab_path = './models/malware_cat_vocab_2017.csv'
words_df = pd.DataFrame({'vocab': words_list})
words_df.to_csv(vocab_path, index=False, encoding='utf-8')