Question 1

Is EMBER dataset still useful for modern malware research?

Accepted Answer

EMBER provides a valuable baseline for static PE analysis, but since the data is from 2017-2018, researchers should combine it with newer samples to address current threats. It's best for benchmarking and reproducibility studies.

Question 2

How to install EMBER on a Mac?

Accepted Answer

On Mac, especially M1, LIEF 0.9.0 doesn't install directly; the README recommends using the included Dockerfile with conda to set up dependencies, ensuring compatibility for feature extraction.

Question 3

EMBER vs SOREL-20M: which is better for malware detection?

Accepted Answer

EMBER focuses on static PE features with reproducible benchmarks, while SOREL-20M includes more recent samples and dynamic features. EMBER is ideal for standardized research, SOREL-20M for larger, diverse datasets.

Question 4

How to classify a new PE file using EMBER?

Accepted Answer

Use the classify_binaries.py script with a trained model, or import the ember module and call predict_sample() with the model and file data, as shown in the README examples for consistent predictions.

Question 5

What are the differences between EMBER 2017 and 2018 datasets?

Accepted Answer

EMBER 2017 uses feature version 1 with LIEF 0.8.3, while 2018 uses version 2 with LIEF 0.9.0 and includes updated features like data directories. The 2018 samples were selected to be harder to classify, affecting consistency.

Question 6

Can EMBER be used for real-time malware scanning?

Accepted Answer

No, EMBER is designed for batch processing and research benchmarks; real-time deployment would require significant optimization and integration, which it doesn't natively support.

Ember

What is Ember?

Overview

Use Cases

Best For

Related Projects

Found a gem we're missing?

Not Ideal For

Pros & Cons

Pros

Cons

Frequently Asked Questions