A Classification System for Visualized Malware Based on Multiple Autoencoder Models

In this paper, we propose a classification system that uses multiple autoencoder models for identifying malware images. It is crucial to accurately classify malware before we can deploy appropriate countermeasures to prevent it from spreading. Rapid malware classification is the first step in preparing effective countermeasures. Typical approaches to this problem, which can be divided into static and dynamic methods, are not suitable for efficient malware classification because they require either fixed malware patterns or a great deal of investigation time, respectively. If malware analysts had enough time and resources, they could analyze any malware thoroughly. However, resources are finite, and the amount of malware requiring analysis is increasing at a dramatic rate, so analysts always suffer from a lack of time. In the real world, new malware and variants of existing malware are constantly emerging. To address this issue, many researchers have developed approaches using machine learning techniques. However, to date these systems have had difficulty responding appropriately to the rapidly changing malware environment and also suffer from data imbalance problems in the training data. The system proposed in this paper consists of multiple autoencoder models that classify malware that has been converted to an image. Each autoencoder model classifies only one type of malware and is trained using only samples from the corresponding family, which allows the system to be updated quickly and mitigates the data imbalance problem. Through various experiments on the Malimg dataset, we demonstrate that our method outperforms other state-of-the-art techniques.


I. INTRODUCTION
Malware is any malicious code or program that can be harmful to computer systems. These days, various types of malware are used in attempts to damage information systems; as such, detecting and preventing malware is essential to protecting these systems. Malware classification is a widely performed task that can be accomplished efficiently by machine learning models.
The purpose of malware analysis is to identify the malware present in order to deploy the most appropriate countermeasures for that malware type. We typically categorize malware analysis methods into two types: static and dynamic methods. Both have advantages and disadvantages. (The associate editor coordinating the review of this manuscript and approving it for publication was Junaid Arshad.) A static method is a signature-based approach that uses a typical pattern as the basis for detection, such as checking how similar the file hash, Shannon entropy, N-gram, or JSON structure is to known malware [1]-[4]. The static method is fast and can detect known malware with minimal false positives. However, static methods often cannot detect variants of common malware [5]. Whenever malware variants appear, new signatures must be found by analysts and continuously added to the database. Moreover, static methods are vulnerable to obfuscation techniques, including dead code insertion, register reassignment, instruction substitution, and code manipulation designed to hide that piece of malware's typical pattern.
On the other hand, dynamic methods are behavior-based approaches that execute suspicious code in a controlled environment and monitor it for any malicious behavior [6]-[10]. Dynamic methods can detect new kinds of malware, malware variants, and obfuscated known malware.
However, this approach is time-consuming and suffers from a considerable false-positive rate, while also being subject to platform/environment dependency [5].
The critical drawback common to both methods is that they require a great deal of time and effort relative to the speed at which malware and its mutations are produced. Furthermore, once effective countermeasures appear, the malware is quickly transformed to take another form. In this sense, the analysts' task is endless, while the time and human resources available are limited. Accurate, detailed analysis of all malware through static and dynamic methods would be possible if we had enough time and human resources. However, only the results achieved within the limited time available are meaningful as a countermeasure. As a result, we need a new approach that saves time and effort in malware analysis and detection.
Several types of research are being conducted to overcome the problems of these conventional malware analysis methods. One of the most attractive areas of research for malware analysis is the use of deep learning. Unlike traditional machine learning, whose performance depends on the effectiveness of the identified features, deep learning does not need hand-crafted features. In other words, it automatically extracts the distinguishable features. Several deep learning models have been proposed to detect and classify malware using autoencoders [11], CNNs [12]- [14], RNNs [15], LSTM [16], or a combination of these [17].
In this paper, we adopt an autoencoder model for the classification of malware. Autoencoders are unsupervised deep learning algorithms with a unique neural network structure. An autoencoder transforms the input into an output with minimal reconstruction error. Autoencoders are widely used in many applications, such as data compression, visualization of higher-dimensional data, and denoising.
The basic structure of an AE consists of two parts: the encoder and the decoder. The encoder, which is represented as a function f, maps the input x to the output y. The encoding output represents the original data's features while reducing the dimensions, since the number of neurons in the encoder layer is set to less than the number in the input layer. On the other hand, the decoder, described as the function g, maps the encoding output y to the reconstruction x̂. The autoencoder is trained to make the input data x and the decoded data x̂ as similar as possible, although they never become exactly the same. Note that the autoencoder is a data-specific feature extractor. It is only able to extract meaningful features from data that is similar to what it has been trained on. We take advantage of these characteristics of the autoencoder.
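The encoder-decoder mapping and reconstruction error described above can be sketched in a few lines of NumPy. This is a toy illustration with untrained random weights and made-up layer sizes, not the configuration used in the paper:

```python
import numpy as np

rng = np.random.default_rng(0)

# Hypothetical dimensions: a 16-pixel input compressed to a 4-dimensional code.
n_in, n_code = 16, 4

# Untrained random weights for illustration; a real AE learns these.
W_enc = rng.normal(scale=0.1, size=(n_in, n_code))
W_dec = rng.normal(scale=0.1, size=(n_code, n_in))

def sigmoid(z):
    return 1.0 / (1.0 + np.exp(-z))

def encode(x):            # f: input x -> low-dimensional feature y
    return sigmoid(x @ W_enc)

def decode(y):            # g: feature y -> reconstruction x_hat
    return sigmoid(y @ W_dec)

x = rng.random(n_in)      # a toy "image" with pixel values in [0, 1]
x_hat = decode(encode(x))

# Mean squared reconstruction error between the input and its reconstruction.
re = float(np.mean((x - x_hat) ** 2))
print(re)
```

In practice, the weights are learned by minimizing this reconstruction error over the training samples of one family.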
In this paper, we present a malware classification system that uses multiple autoencoder models. We represented malware by converting it to gray-scale images before resizing them to reduce the computational burden. We trained the autoencoder models independently with separate malware images belonging to different families of malware. The reconstruction errors from each autoencoder model for the same input image are different because the models have different weight and bias parameters. The error of a specific model will be relatively small if the input image belongs to the family used to train that model. Therefore, that image can be classified into the corresponding family. We adopted the Malimg dataset to analyze the performance of the proposed system through various experiments. The results show that the proposed system is straightforward to implement while being superior to CNN-based systems that use large deep learning models. Our approach is also flexible, allowing it to respond quickly to changing trends in malware.
The main contribution of this paper is an image-based malware classification system that uses multiple autoencoder models. The proposed system does not require any knowledge of malware to use because it classifies malware only by malware images, not by other criteria such as binary features, functions, or the structure of the malware. It quickly provides the malware family of unknown malicious code and is easily updated with emerging malware and variants. Our system also saves analysts' time and effort because countermeasures against malware belonging to the same family will be similar.
The rest of this paper is organized as follows. Section II presents related works, while Section III describes the proposed system in detail. Section IV evaluates the performance of the proposed system in comparison with a CNN-based system. Finally, we present our conclusions in Section V.

II. RELATED WORKS
In this section, we review various approaches that have been used previously for the classification of malware. Classical methods based on static or dynamic analysis are not scalable; moreover, their performance is undermined by the dramatic increase in malware variants.
To mitigate these issues, new strategies have emerged that apply machine learning. One is the use of independent feature extraction procedures before applying machine learning algorithms. These features are then used as input data to the algorithm. The classification performance of this approach depends heavily on the extracted features. Moreover, extracting high-quality features requires expertise in malware, and the quality of the features can depend to a large degree on the specific dataset tested. Another strategy incorporates the feature extraction procedure into the algorithm itself, where the original data is used as input. This approach learns discriminative representations directly from the original data.
Nataraj et al. were the first to propose a novel approach for visualizing and classifying malware using image processing techniques [18]. They visualized malware as a gray-scale image based on the observation that images of the same class were very similar in layout and texture. The classification task used GIST [19], [20], based on wavelet decomposition of an image, as the feature, and k-NN (k-Nearest Neighbors), a traditional machine learning algorithm, as the classifier. After the paper was published, many researchers became interested in this new concept for malware classification. They have also tried to apply deep learning based algorithms rather than traditional machine learning. CNN-based algorithms have proven the most popular among the numerous deep learning models because of their impressive image classification performance.
Zhao et al. [14] proposed a malware detection method based on an improved Faster RCNN combined with transfer learning. They applied a CNN to malware images in order to acquire representative textures. An RPN (Region Proposal Network) was also used to generate the target image frame. Since the Faster RCNN requires a large dataset, they pre-trained the Faster RCNN model on ImageNet, a database of 14 million pictures, before repurposing the trained model for malware classification to improve performance. The method achieved 92.8% accuracy and a 6.8% false-positive rate in an experiment with 1,821 malware samples in 5 classes provided by the Microsoft Corporation; the samples were augmented by image transformation operations such as flipping, cropping, and changing the brightness.
Yue proposed a simple and effective weighted softmax loss for the final layer of a deep CNN to mitigate the performance degradation caused by unbalanced datasets [21]. The original softmax loss is not suitable for unbalanced datasets because it treats all misclassifications equally, which degrades model performance. The value of the weighted softmax loss for an arbitrary class reflects the relative size of that class compared to the largest class. However, an empirically selected parameter that takes into account the dataset's characteristics is used to calculate the weighted softmax values. As such, this parameter must be tailored to each specific dataset, so the method is not practical in the real world.
Vasan et al. [12] proposed an ensemble convolutional neural network-based architecture to classify visualized malware. They noted the fact that different CNN models provide different semantic representations of the image. VGG16 and ResNet-50 pre-trained on ImageNet were fine-tuned for malware images by transfer learning. The features extracted by these fine-tuned models were processed by classifiers such as softmax and multiclass SVM. The class of new malware images was obtained by ensembling the results from the classifiers. The experimental results with the Malimg dataset show that these kinds of ensemble methods can achieve high detection accuracy with low false alarm rates.
On the other hand, while CNN models are most commonly used for feature extraction from malware images, some studies have used other models. Kebede et al. [11] proposed a malware classification system comprising multiple encoders taken from trained autoencoders. After training the autoencoder with training images converted from malware samples, only the encoder part of the autoencoder is used in the classification system to extract features. The system then passes the extracted features through a softmax layer to determine the malware class. This system achieved 99.15% accuracy with the dataset provided by the MS Malware Classification Challenge (BIG 2015).
All the research mentioned above is basically composed of two stages. The first stage is to extract features using a deep learning model. The second stage is to classify each sample using the extracted features. The types of malware found in the real world are not fixed and vary over time. With the emergence of new types of malware, it is vital that classification systems are updated in a timely manner before the malware can spread and damage systems. Due to the data imbalance issue, a deep learning model requires enough samples belonging to the new classes to recognize a new malware class in its classification system. However, there may not be enough samples of new malware, especially in the early days surrounding a particular malware's emergence. We must consider this issue when designing a malware classification system that can be used successfully in the real world. Fig. 1 shows the architecture of the proposed system. The input x enters each autoencoder model. For each model, the reconstruction error is calculated, and the index of the model with the minimum error is the predicted class for input x.

III. PROPOSED SYSTEM

A. SYSTEM STRUCTURE
We formulate a discrete function f_x[i] whose value is the reconstruction error re_i of the ith AE model for the input image x:

f_x[i] = re_i.

Then, we calculate the predicted class for input x as follows:

class(x) = argmin_i f_x[i].

The argument that minimizes the function is the predicted class for x. Table 1 shows the symbols used in the paper and their meanings.
Fig. 2 shows the procedure for converting malware into an image. A given malware binary is converted to a grayscale image by reading every 8 bits as an unsigned integer and arranging these values into a 2-dimensional matrix with a fixed number of columns. The values of the matrix elements, i.e., the pixels in the image, are integers from 0 (black) to 255 (white). The size of the image depends on the size of the malware binary. The malware images, when used as the input of a deep learning model, should all be the same size. Interpolation techniques such as nearest-neighbor interpolation, bilinear interpolation, and bicubic interpolation are used to make different-sized images the same size. Nearest-neighbor interpolation degrades the performance of image classifiers relative to bilinear or bicubic interpolation, while bilinear and bicubic interpolation achieve similar classifier performance. However, bicubic interpolation is much more computationally complex than bilinear interpolation. Therefore, we use bilinear interpolation to resize the malware images, due to its lower computational complexity and strong classifier performance [22].
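The binary-to-image conversion described above can be sketched as follows. The 64-column width and the zero-padding of the last row are assumptions made for illustration; the paper does not fix these details here:

```python
import numpy as np

def malware_to_image(binary: bytes, width: int = 64) -> np.ndarray:
    """Read each byte (8 bits) as an unsigned integer in [0, 255] and
    reshape the values into a 2-D matrix with a fixed number of columns.
    Trailing bytes that do not fill a full row are zero-padded
    (a simplifying assumption)."""
    pixels = np.frombuffer(binary, dtype=np.uint8)
    n_rows = -(-len(pixels) // width)              # ceiling division
    padded = np.zeros(n_rows * width, dtype=np.uint8)
    padded[:len(pixels)] = pixels
    return padded.reshape(n_rows, width)

# 256 bytes with values 0..255 become 4 rows of 64 grayscale pixels.
img = malware_to_image(bytes(range(256)), width=64)
print(img.shape)
```

Resizing the resulting matrix to the fixed model input size (e.g., with bilinear interpolation) would then be done with an image-processing library.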

C. AUTOENCODER
The AE consists of two components: the encoder and the decoder. The encoder is responsible for compressing the input x into a low-dimensional representation that retains relevant information from the input, and the decoder attempts to reconstruct the input x from the features extracted by the encoder [23], [24].
AEs can be created using various network structures, such as feed-forward neural networks or convolutional neural networks. Furthermore, a different AE can be applied to identify each different class. In other words, our system consists of multiple AEs, each optimized to reconstruct samples belonging to a specific family. As such, each AE is trained only with samples belonging to one family. That is, the ith AE model is only trained with data belonging to the ith family, T_i. Therefore, if the input of the ith AE model belongs to the ith family, the output of the model will be similar to the input. However, if the input comes from a different family, the reconstruction error between the input and output of the model will be significant. For instance, a sample belonging to family A will have only a small reconstruction error when processed by an AE trained with samples belonging to family A. On the other hand, a sample belonging to family B will have a significant reconstruction error if processed by that same AE. We utilize this characteristic of AEs to solve classification problems.
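The per-family training and minimum-error classification rule can be illustrated with a toy stand-in. Here each "AE" is a rank-2 linear autoencoder (equivalent to PCA) fitted only on synthetic samples from one of two made-up families; the actual system uses trained nonlinear feed-forward AEs instead:

```python
import numpy as np

rng = np.random.default_rng(1)

class LinearAE:
    """Toy stand-in for a trained AE: a rank-k linear autoencoder (PCA),
    fitted only on samples from a single family."""
    def __init__(self, k=2):
        self.k = k
    def fit(self, X):
        self.mean = X.mean(axis=0)
        _, _, vt = np.linalg.svd(X - self.mean, full_matrices=False)
        self.components = vt[:self.k]                # encoder/decoder weights
        return self
    def reconstruction_error(self, x):
        y = (x - self.mean) @ self.components.T      # encode
        x_hat = self.mean + y @ self.components      # decode
        return float(np.mean((x - x_hat) ** 2))

# Two synthetic "families" living in different regions/subspaces.
fam_a = rng.normal(loc=0.0, size=(50, 8)); fam_a[:, :2] *= 5
fam_b = rng.normal(loc=3.0, size=(50, 8)); fam_b[:, -2:] *= 5

models = [LinearAE().fit(fam_a), LinearAE().fit(fam_b)]

def classify(x):
    """Predicted class = index of the model with the smallest error."""
    errors = [m.reconstruction_error(x) for m in models]
    return int(np.argmin(errors))

print(classify(fam_a[0]), classify(fam_b[0]))
```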
The proposed system in this paper applies AEs based on feed-forward neural networks, but other types of neural network could also be used for the AEs. The AEs for each family have different configurations and hyper-parameters to minimize their reconstruction errors for inputs from that family. Four hyperparameters need to be set before training an AE: feature size, number of layers, number of neurons per layer, and loss function.

1) FEATURE SIZE
This is the number of dimensions of the encoding output y, which is equal to the number of neurons in the middle layer. The smaller the size, the higher the compression rate for the input image. The feature size of each AE is determined by considering the size of the input image.

2) NUMBER OF LAYERS
We can add as many layers as we like to the AE. However, as the number of layers increases, the number of parameters to be trained increases rapidly. We select the number of layers for each AE by considering the number of available training samples and the model's performance.

3) NUMBER OF NEURONS PER LAYER
In general, in an AE, the deeper the layer, the fewer neurons it has in the encoder part and the more neurons it has in the decoder part. Meanwhile, the number of neurons in the input/output layers is fixed according to the malware image size. We need to consider the impact of image resizing on model performance. If the resized image is too large or too small compared to the original image, it will not effectively capture the identifying features of the original image, causing degradation in the performance of the AE. The AE should be able to adequately extract and preserve the features within the input image. Therefore, it is essential to resize the image to an appropriate size. We set the number of neurons for the input/output layers and the middle layer by considering the size of the malware image itself.

4) LOSS FUNCTION
We compile the AE model using cross-entropy loss. Each pixel value in a converted malware image is in the range [0, 255]. However, we normalize this range to [0, 1] before entering the image into the input layer.
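A sketch of the normalization and cross-entropy loss described above, assuming a per-pixel binary cross-entropy over values scaled to [0, 1] (the exact loss configuration is a modeling choice not fully specified here):

```python
import numpy as np

def bce_loss(x, x_hat, eps=1e-7):
    """Per-pixel binary cross-entropy between the normalized input x and
    the reconstruction x_hat, averaged over all pixels. Both arrays are
    expected to hold values in [0, 1]."""
    x_hat = np.clip(x_hat, eps, 1.0 - eps)     # avoid log(0)
    return float(np.mean(-(x * np.log(x_hat) + (1 - x) * np.log(1 - x_hat))))

raw = np.array([0, 128, 255], dtype=np.uint8)  # pixel values in [0, 255]
x = raw / 255.0                                # normalized to [0, 1]

loss_perfect = bce_loss(x, x)                  # reconstruction equals input
loss_poor = bce_loss(x, 1.0 - x)               # inverted reconstruction
print(loss_perfect, loss_poor)
```

A faithful reconstruction yields a much smaller loss than a poor one, which is exactly the signal the per-family AEs are trained to minimize.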
Note that the feature size, the number of layers, the number of neurons per layer, and the loss function for appropriate training all depend on the data used in the specific AE. This is a great advantage because samples belonging to different families have different image characteristics. It also allows the proposed system to be updated easily.
Meanwhile, AEs are trained using only samples belonging to the target family. That is, the ith AE model is only trained using samples belonging to the ith family. Therefore, if the ith AE model's input belongs to the ith family, the final output will be similar to the input, i.e., the reconstruction error will be tiny. However, if the input does not belong to the ith family, the reconstruction error between the input and output is significant. This is a key idea behind the proposed classification system. Fig. 3 shows the basic structure of an autoencoder used in the proposed system.

IV. PERFORMANCE ANALYSIS

A. DATASET
We used the Malimg dataset for performance analysis of the proposed system. The Malimg dataset contains 9,339 malware images, each belonging to one of 25 classes. Table 2 shows the malware classes and the number of malware samples in each class. Looking at this table, it becomes clear that the dataset is imbalanced. There are 80 samples in the Skintrim.N class, while there are 2,949 samples in the Allaple.A class, which is over 36 times more samples.
The Malimg dataset is highly imbalanced, which will lead to class imbalance problems unless addressed. Class imbalance problems are classification problems caused by biased or skewed distributions between classes. This results in poor performance from models trained on such datasets, especially for the minority classes. The issue becomes critical if the minority classes are more important than the majority classes [25]. In terms of malware classification, not only the majority classes but also the minority classes are important. The number of samples in a minority class tends to be small because that type of malware has not yet been widely used, which may make it more attractive to malicious users in the future. As such, we must take appropriate countermeasures against these threats before significant damage can be done.
To evaluate our method we first split the dataset into two parts: 70% training samples and 30% testing samples in each class.
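The per-class 70/30 split can be sketched as follows; the seed and rounding rule are arbitrary choices for illustration:

```python
import random
from collections import defaultdict

def stratified_split(samples, labels, train_frac=0.7, seed=42):
    """Split 70/30 within each class so every family keeps the same
    train/test proportion (a per-class split, as used for Malimg)."""
    by_class = defaultdict(list)
    for s, y in zip(samples, labels):
        by_class[y].append(s)
    rng = random.Random(seed)
    train, test = [], []
    for y, items in by_class.items():
        rng.shuffle(items)
        cut = int(round(len(items) * train_frac))
        train += [(s, y) for s in items[:cut]]
        test += [(s, y) for s in items[cut:]]
    return train, test

# Toy example: class "A" with 10 samples, class "B" with 4.
samples = list(range(14))
labels = ["A"] * 10 + ["B"] * 4
train, test = stratified_split(samples, labels)
print(len(train), len(test))
```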

B. EVALUATION METRICS
We use accuracy, precision, recall, and F1 score as evaluation metrics for the classification performance of the deep learning models tested.

1) ACCURACY
Accuracy is simply the ratio of correctly predicted samples to the total number of samples. It is a very intuitive measure but is appropriate only when the numbers of false positives and false negatives are roughly the same. Imbalanced datasets can easily lead to a distorted view of model performance. The dataset we are dealing with is imbalanced, as shown in Table 2. Thus, we must also look to other metrics to evaluate the performance of the models tested.

2) PRECISION
Precision is the ratio of correctly predicted positive samples to the total number of predicted positive samples. High precision means a low false-positive rate. This is a good measure to use when there is a high cost associated with false positives.

3) RECALL
Recall is the ratio of correctly predicted positive samples to all samples in the actual class. It is useful for selecting the best model when there is a high cost associated with false negatives.

4) F1 SCORE
The F1 score is a weighted average of precision and recall that seeks to find a balance between them. It takes both false positives and false negatives into account when evaluating the performance of the models. Note that the task under consideration here is not to determine whether some code is malicious; it is, instead, to determine the type of code that has already been identified or suspected as malicious, in order to save malware analysts time and effort in creating anti-malware defenses. Countermeasures against malware in the same class will be similar. As such, costs are associated with both false negatives and false positives: both lead malware analysts to take the wrong approach when trying to defend against these malicious programs. Therefore, the F1 score is a useful metric for measuring the performance of a malware classification model.
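The four metrics can be computed from the confusion-matrix counts of a single class; the counts below are hypothetical and not taken from the paper's experiments:

```python
def prf(tp, fp, fn, tn):
    """Accuracy, precision, recall, and F1 from confusion-matrix counts."""
    precision = tp / (tp + fp)
    recall = tp / (tp + fn)
    f1 = 2 * precision * recall / (precision + recall)
    accuracy = (tp + tn) / (tp + fp + fn + tn)
    return accuracy, precision, recall, f1

# Toy counts for one class out of 1,000 samples (illustrative numbers).
acc, p, r, f1 = prf(tp=80, fp=10, fn=20, tn=890)
print(acc, p, r, f1)
```

Averaging these per-class values, weighted by class size, gives the system-level metrics used later in the paper.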
As we mentioned above, the dataset we are using is highly imbalanced. We take a weighted average value of each class as the performance metric of the proposed system. We define the weighted average metrics as system metrics, including system recall and system F1 score.
Meanwhile, Top-N metrics take the N predictions with the highest probabilities; if one of them matches the true label, the prediction is counted as correct. We calculate the Top-1, Top-2, and Top-3 values for accuracy, precision, recall, and F1 score. The model provides N prediction results to malware analysts, who can then attempt to create appropriate anti-malware defenses based on the provided results. If the highest-ranked prediction is not correct, the next result is used.
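In the proposed system, "highest probability" corresponds to the smallest reconstruction error, so a Top-N check can be sketched as follows (the error values are made up for illustration):

```python
import numpy as np

def top_n_correct(errors, true_class, n):
    """Top-N: correct if the true class is among the N models with the
    smallest reconstruction errors (smaller error = higher confidence)."""
    ranked = np.argsort(errors)[:n]
    return int(true_class) in ranked.tolist()

# Hypothetical per-model reconstruction errors for one sample.
errors = [0.90, 0.12, 0.35, 0.08, 0.50]   # model 3 has the smallest error

print(top_n_correct(errors, true_class=1, n=1))
print(top_n_correct(errors, true_class=1, n=2))
```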

C. EXPERIMENTAL RESULTS
1) IMPACT OF IMAGE SIZE
The number of neurons in the input and output layers depends on the image size, which affects the overall structure of the AE. We set the number of neurons in the hidden layers based on multiple experiments to determine the optimal number of neurons. However, we set the same latent space dimensions in order to compare the performance impact of image size. In addition, the AEs were all trained in the same way.
We resized the images to a certain fixed size to feed them as inputs to the AEs. The image will not be able to contain critical information about the malware if the image size is set too small. On the other hand, the computational time and burden increase with little to no performance improvement if the image size is set too large. Table 3 shows the performance according to the image size. The values presented are a weighted average of the results for each class. It can be seen that the image size has a significant impact on the performance. When using a 64 × 64 image size, the performance was better than in the other cases. This is only because the training dataset is suitable for the model structure used in the experiment. If a different type of dataset were used, the performance results would also be different. Therefore, it would not be reasonable to use the same model structure and train the model in the same way in every case. For example, when the image size and the number of data samples are small, a lightweight AE, which has small latent-space dimensions and fewer neurons to reduce the number of parameters to optimize, would be suitable.

2) IMPACT OF THE NUMBER OF CLASSES
Table 4 shows the performance of scenarios in which the number of classes to be classified differs. We compared the performance of the proposed system in cases where the number of classes to be classified was 5, 10, 15, 20, and 25, respectively. As can be expected, the performance tends to degrade as the number of classes grows, but not significantly. The number of classes does not significantly affect the entire system's performance if each AE is well trained. It is natural that the more classes there are to classify, the poorer the classifier's performance will be. However, if the number of classes is kept at a certain level, a certain level of performance can be guaranteed. Meanwhile, if images from two classes are very similar, they can be merged into the same class through analysis by malware experts.
In this way, we can control any unnecessary increases in the number of classes.

3) PERFORMANCE OF SYSTEM WITH THE SAME AE
Here we investigate the performance of the proposed system when it consists of AEs that all have the same network structure and have been trained in the same way, regardless of the samples used to train each AE. As can be seen in Table 5, the proposed system achieved more than 94% accuracy for 25 malware families, which is not a bad result. However, it is hard to say that each AE is optimized for its corresponding samples in terms of image reconstruction.
Generally, the structure of an AE depends on the complexity of the features in the samples and the size of the dataset used for training. If the features are simple, small latent-space dimensions are sufficient. If not, the latent-space dimensions must be large enough to represent the features adequately. Meanwhile, if the number of samples in the dataset is large, it is possible to train a complex model with many parameters. On the contrary, it is challenging to train such a model if there are not enough samples; in that case, a simple model can be more beneficial than a complex one. As a result, each AE should be configured and trained differently according to its corresponding dataset. Based on these facts, we can improve the current system's performance by applying AEs that are adjusted to their corresponding samples.

4) PERFORMANCE OF SYSTEM WITH VARIOUS AEs
As explained in the previous section, it can be more effective to apply different AEs that have been optimized for the given dataset by adjusting the number of neurons, the image size, the latent-space dimensions, and so on. In this section, we investigate the performance of the system when various AEs are used to classify malware. Table 6 shows a confusion matrix that gives the detailed performance of the proposed system.
As can be seen, the proposed system achieved more than 97% accuracy for the 25 malware families, higher than that achieved by Gibert et al., who used a large CNN-based deep learning model [26]. The performance of our system shows a significant improvement compared to the system using identical AEs under the same conditions. This is because the modified AEs in our system better represent the samples in their corresponding classes.
There were two sources of poor performance. One is that some malware in classes 6 and 7 is misclassified as belonging to class 21. Both classes 6 and 7 are variants of C2Lop, so there is a tendency for these to be misclassified because they are so similar to each other. On the other hand, some malware in class 20 was incorrectly classified as being in class 21. Classes 20 and 21 are also variants of the same malware, known as Swizzor.gen. This shows that our system may not be able to adequately discriminate between subclasses from the same parent class, because malware belonging to the same parent class is converted to images that appear very similar.
Nevertheless, if the malware size is small and the number of samples is large, the proposed system classifies these cases well, even when they are variants of the same malware. For example, classes 2 and 3 are both variants of Allaple, yet the F1 score for these is more than 0.99. The same goes for classes 12, 13, 14, and 15, which are small in size compared to other classes while being variants of the same malware. As a result, if the variants belonging to different classes derived from the same malware are large in size but insufficient in quantity, combining the two classes into one can improve the classification performance of the proposed system.
Based on these observations, we experimented with combining classes 6 and 7 into one class, and classes 20 and 21 into one class. After this, the accuracy increased from 0.9775 to 0.9821. This is because combining similar classes into one class increases the number of samples and reduces the number of target classes, which leads to an improvement in classification performance.

D. STRENGTH OF THE PROPOSED SYSTEM
The purpose of malware classification is to identify malware quickly and accurately so that appropriate countermeasures can be deployed in a timely manner. It takes time to classify malware families; unfortunately, malware analysts suffer from a lack of time due to the continuous emergence of new malware and variants. Therefore, we should reduce the malware analysis burden as much as possible so that malware experts can focus on preparing countermeasures against the various types of malware. Countermeasures against malware in the same family will be similar. Therefore, fast and exact classification of malware can reduce the overall time needed to prepare effective countermeasures.
It is of note that classifying malware images is somewhat different from classifying images that do not vary significantly over time. For example, a system that classifies images of dogs and cats does not require much modification after being properly trained initially. This is because new types of dogs or cats hardly ever appear. However, new types of malware appear continuously while existing malware is constantly mutating. Therefore, systems that classify malware need to be updated continuously and quickly.
Considering these requirements, the system proposed in this paper has some distinct advantages over the typical static or dynamic analysis methods seen in conventional systems based on complex machine learning models.
First, the proposed system provides malware analysts with the malware classification results in real-time, just like any other image-based malware classification system. This approach does not require additional manual work or knowledge about malware, unlike those traditional static or dynamic analyses.
Second, the class imbalance problem can be mitigated. The AE models in the proposed system are trained independently using only samples belonging to a specific family. Therefore, there is no class imbalance problem. Classification systems that consist of one large deep learning model find it difficult to resolve this imbalance issue because the model must be trained on the available real-world datasets which are imbalanced.
Third, the proposed system has excellent flexibility. Malware families are created often and can also disappear quickly over time. As such, classification systems should be able to adapt quickly to the changing trends seen in malware. A large deep learning model must be retrained from scratch to add a new family to classify. In contrast, the current AE models in the proposed system are unchanged when a new family is added. We simply create an AE model for the new family and insert it into the existing system without affecting other parts of the system. If a current malware family needs to be deleted, we simply remove the AE model for the corresponding class from the system while keeping the other AE models as they are. This feature of the proposed system enables rapid responses to the ever-evolving malware ecosystem.
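This add/remove flexibility can be sketched as a per-family model registry; the family names and model placeholders below are purely illustrative:

```python
# A registry holding one model per family. Adding or removing a family
# touches only its own entry; the other trained models are untouched.
# (The string values are stand-ins for trained AE objects.)
models = {"Allaple.A": "ae_0", "Yuner.A": "ae_1"}

def add_family(models, family, trained_ae):
    """Train one new AE offline, then plug it into the system."""
    models[family] = trained_ae

def remove_family(models, family):
    """Drop one family's AE; all other AEs remain as they are."""
    models.pop(family, None)

add_family(models, "NewFamily.X", "ae_2")
remove_family(models, "Yuner.A")
print(sorted(models))
```

By contrast, a single monolithic classifier would need full retraining for either operation.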
Fourth, the proposed system achieved the best performance on the Malimg dataset compared to other state-of-the-art image-based classification approaches.

V. CONCLUSION
In this paper, we proposed a malware classification system using multiple AEs. New malware appears continuously at a great rate while known malware mutates to avoid detection systems. This means in the task of identifying malware, the classes to classify are constantly changing, unlike in other applications. Therefore, the classification system used for this purpose needs to be updated rapidly according to the changing operating environment.
Since the system proposed in this paper uses lightweight AEs to identify each malware family, only the corresponding AE needs to be modified when classes need to be added or changed. Therefore, it is possible to quickly update the system and mitigate any class imbalance problems.
To verify the practicality of the proposed system, we analyzed the performance of our system according to image size, the number of classes, etc., through various experiments based on the Malimg dataset. The proposed system achieved better classification performance than all previous methods in the literature where malware was represented as gray-scale images. We expect that the proposed system can help save time and effort, decreasing the burden on malware analysts allowing them to dedicate more resources to preparing effective countermeasures for malware.