MalwareMind: CNN Malware Detector

Overview

MalwareMind is an advanced malware detection system leveraging Convolutional Neural Networks (CNNs) to identify and classify malware from binary executables. The web UI is a single-page landing experience with anchor navigation (for example #analyze for Live detection): users upload PE samples, run the same CNN-oriented pipeline as in research workflows, and read calibrated threat scores. With modularity and scalability in mind, MalwareMind aims to facilitate secure and efficient malware analysis.

Note: This project temporarily supports only .exe files for better accuracy.

Features

• CNN-based Malware Detection: Utilize a pre-trained CNN model for accurate malware classification.

• File upload (Live detection): Drag-and-drop or browse for .exe files in the Live detection section.

• Results visualization: Threat scores and analysis cards in the Live detection panel (plus supporting landing sections for pipeline and binary visualization).

• Dockerized deployment: Simplified setup using Docker Compose for the backend and database; the frontend may run as a separate service (see below).

• Scalability: Modular codebase supporting future enhancements.

Architecture

The project consists of the following components:

1. Backend

   • FastAPI: RESTful API to handle file uploads, process data, and return detection results.
   • Model Inference: The CNN model performs predictions on binary data converted into image format.
   • Result storage (configurable): Set RESULT_STORAGE in malwaremind-server/.env to json (append-only data/results.json, good for serverless demos) or mongodb (Docker / Render with Mongo). See malwaremind-server/.env.example.

2. Frontend:

   • Vite, Vue 3, and Tailwind CSS: Responsive single-page UI. The page shell lives in malwaremind-web/src/pages/MalwareMindLanding.vue. Upload and analysis orchestration are in malwaremind-web/src/composables/useMalwareAnalysis.js; the interactive scan surface is malwaremind-web/src/components/landing/LiveDetectionPanel.vue, with other marketing sections under components/landing/. HTTP calls use axios; icons use lucide-vue-next; motion helpers use @vueuse/motion.

3. Docker:

   • Docker Compose: Backend (FastAPI), frontend (Vite), and MongoDB are defined in docker-compose.yml and can be started together from the repository root.

Prerequisites

Ensure that you have the following installed:

• Docker (with Docker Compose)
• Recommended OS: Linux/macOS/Windows

Installation

Setup

1. Clone the repository:

   git clone https://github.com/DarriusChen/MalwareMind.git
   cd MalwareMind

2. Modify environment variables (if necessary)

   • Backend (malwaremind-server/.env)

     Copy malwaremind-server/.env.example to malwaremind-server/.env and adjust as needed:

     FRONT_END_IP=http://localhost:5173
     RESULT_STORAGE=mongodb

     Use the same scheme and host you open in the browser (for example http://127.0.0.1:5173 if you use 127.0.0.1). If you omit http://, the backend normalizes it for CORS. For docker compose, the backend service sets RESULT_STORAGE=mongodb and MONGO_URI in docker-compose.yml; your .env can still override other keys. Use RESULT_STORAGE=json on hosts without MongoDB (for example a minimal Render demo).

   • API base url

     Edit malwaremind-web/.env (requests are sent from your browser, not from inside Docker, so use the host URL):

     VITE_API_URL=http://localhost:8000

3. Start the stack (repository root, next to docker-compose.yml):

   docker compose up --build -d

   Stop:

   docker compose down

4. Open the app

   • UI: http://localhost:5173
   • Backend API: http://localhost:8000

Local development (without Docker for the frontend)

cd malwaremind-web && npm install && npm run dev

Keep VITE_API_URL=http://localhost:8000 while the API runs on the host or is published on port 8000.

Usage

1. Live detection: Open the app at http://localhost:5173, scroll to Live detection (or use Run scan in the header to jump to #analyze). Drag and drop .exe files onto the ingest area, or click to browse.
2. API: Alternatively, call the backend REST API for uploads and bulk workflows.
3. Detection results: After upload, the service runs inference and shows calibrated scores and threat-oriented summaries in the analysis cards beside the ingest panel.
4. Multiple files: Several .exe files can be queued and processed in one batch.

Development Workflow

Modify Backend:

• FastAPI: Customize endpoints and wiring in malwaremind-server/src/main.py. (REST API for uploads and the CNN detection flow.)
• CNN model: Adjust inference and model usage in malwaremind-server/src/module.py and related modules under malwaremind-server/src/.

Enhance Frontend:

• Edit files under malwaremind-web/src/: landing layout in pages/, section components in components/landing/, shared logic in composables/. Global styles live in src/assets/tailwind.css with malwaremind-web/tailwind.config.js.

File Structure Overview

MalwareMind/
├── malwaremind-web/              # Vite + Vue 3 frontend
│   ├── src/
│   │   ├── pages/                # e.g. MalwareMindLanding.vue
│   │   ├── components/landing/   # Landing sections, Live detection UI
│   │   ├── composables/          # e.g. useMalwareAnalysis.js
│   │   └── ...
│   ├── public/
│   └── Dockerfile
│
├── malwaremind-server/
│   ├── src/
│   │   ├── main.py               # FastAPI entry point
│   │   ├── module.py             # CNN / inference integration
│   │   ├── model.py
│   │   ├── file2image.py
│   │   ├── fixed_model.h5        # Pre-trained weights (path used at runtime in container)
│   │   └── ...
│   └── Dockerfile
│
├── docker-compose.yml            # Backend, frontend, MongoDB
├── render.yaml                   # Render deployment (still testing)
└── README.md

Future Improvements

• Enhanced Model Training: Improving the accuracy of the CNN model by incorporating more data and fine-tuning the model.
• Additional File Formats: Extending the system to support a wider range of file formats for detection.
• User Feedback System: Adding functionality for users to provide feedback on detection results, potentially improving the model through retraining.
• Dynamic Threat Analysis: Integration with real-time threat intelligence feeds.
• Richer explainability: Deeper diagnostics beyond score cards (for example saliency or region-level cues on converted binary images) to support analyst review.
• Cloud Integration: Deploy the system on cloud platforms for scalability.

Contributions

Contributions are welcome! Please follow the standard GitHub workflow:

1. Fork the repository.
2. Create a new branch (feature/new-feature).
3. Commit changes and push to your branch.
4. Submit a pull request for review.

Contact

For inquiries, please contact:

• Name: Darrius Chen
• Email: darriuschen0926@gmail.com