pith. machine review for the scientific record.

arxiv: 1804.04637 · v2 · submitted 2018-04-12 · 💻 cs.CR


EMBER: An Open Dataset for Training Static PE Malware Machine Learning Models

keywords: dataset, learning, ember, machine, malicious, model, baseline, benign

This paper describes EMBER: a labeled benchmark dataset for training machine learning models to statically detect malicious Windows portable executable files. The dataset includes features extracted from 1.1M binary files: 900K training samples (300K malicious, 300K benign, 300K unlabeled) and 200K test samples (100K malicious, 100K benign). To accompany the dataset, we also release open source code for extracting features from additional binaries so that additional sample features can be appended to the dataset. This dataset fills a void in the information security machine learning community: a benign/malicious dataset that is large, open and general enough to cover several interesting use cases. We enumerate several use cases that we considered when structuring the dataset. Additionally, we demonstrate one use case wherein we compare a baseline gradient boosted decision tree model trained using LightGBM with default settings to MalConv, a recently published end-to-end (featureless) deep learning model for malware detection. Results show that even without hyper-parameter optimization, the baseline EMBER model outperforms MalConv. The authors hope that the dataset, code and baseline model provided by EMBER will help invigorate machine learning research for malware detection, in much the same way that benchmark datasets have advanced computer vision research.


Forward citations

Cited by 9 Pith papers

Reviewed papers in the Pith corpus that reference this work. Sorted by Pith novelty score.

  1. Quantifiable Uncertainty: A Stochastic Consensus Multi-Agent RAG Framework for Robust Malware Detection

    cs.CR 2026-05 unverdicted novelty 7.0

    MAGMA combines RAG with a stochastic consistency ensemble over dual code embeddings to derive Function Evidence Strength and Evidence Conflict Score metrics, enabling reject-option decisions and achieving 98.4% malwar...

  2. AsmRAG: LLM-Driven Malware Detection by Retrieving Functionally Similar Assembly Code

    cs.CR 2026-04 unverdicted novelty 7.0

    AsmRAG detects malware at 96% F1 and attributes families at 95% F1 by retrieving functionally similar assembly code via LLM embeddings and density-weighted anchor selection, remaining robust to metamorphic obfuscation.

  3. FreeMOCA: Memory-Free Continual Learning for Malicious Code Analysis

    cs.CR 2026-05 unverdicted novelty 6.0

    FreeMOCA enables memory-free continual learning for malicious code analysis via adaptive layer-wise interpolation between warm-started task optima, outperforming baselines on EMBER and AZ benchmarks with up to 42% acc...

  4. FreeMOCA: Memory-Free Continual Learning for Malicious Code Analysis

    cs.CR 2026-05 unverdicted novelty 6.0

    FreeMOCA enables memory-free continual learning for malicious code analysis by adaptive layer-wise parameter interpolation between task updates, outperforming baselines on EMBER and AZ malware benchmarks with up to 42...

  5. Trident: Improving Malware Detection with LLMs and Behavioral Features

    cs.CR 2026-04 unverdicted novelty 6.0

    Trident combines static decision trees, LLM-generated behavioral rules from sandbox reports, and direct LLM analysis via majority voting to outperform static methods while resisting concept drift without retraining.

  6. Adversarial Co-Evolution of Malware and Detection Models: A Bilevel Optimization Perspective

    cs.CR 2026-04 unverdicted novelty 6.0

    Bilevel optimization models attacker-defender co-evolution in malware detection, cutting evasion rates from up to 90% to 0-1.89% on three families while raising attacker query costs by up to 100x.

  7. LCC-LLM: Leveraging Code-Centric Large Language Models for Malware Attribution

    cs.CR 2026-05 unverdicted novelty 5.0

    LCC-LLM creates a code-centric dataset and RAG-based LLM framework that reaches 0.634 average semantic similarity on 43 malware tasks and 10/10 pass rate in real-world case studies.

  8. NeuroTrace: Inference Provenance-Based Detection of Adversarial Examples

    cs.CR 2026-04 unverdicted novelty 5.0

    NeuroTrace framework builds heterogeneous graphs of inference provenance to detect adversarial examples in DNNs, showing strong transferable performance across attack families in vision and malware domains.

  9. Explainable Attention-Based LSTM Framework for Early Detection of AI-Assisted Ransomware via File System Behavioral Analysis

    cs.CR 2026-04 unverdicted novelty 4.0

    An attention-based LSTM model with XAI detects AI-assisted ransomware at early stages by analyzing file system behavioral sequences.