Detecting Malicious .NET Files Using CLR Header Features and Machine Learning

Abstract

The .Net Framework has made writing windows applications easier than ever. Several programming languages can be used to write software using the .Net Framework, the most common one being C#. Due to the abundance of modules and pre-built functionalities that allow programmers to easily manipulate the windows operating system with high abstraction and no need for low-level coding, the .Net framework has also become a desirable environment for malicious actors to write their malware. To best of our knowledge, researchers have been treating .NET malware and other malware the same way by utilizing features from the PE header to classify the files. This is not possible for.Net files because their PE headers are nearly identical. In this paper, we tackle the problem of detecting malicious .Net files by extracting features from the CLR header. As far as we know, we are the first ones to explore this approach. Furthermore, we create a new dataset comprised of.Net malware and benign files, which we freely distribute to the research community. Finally, we assess the performance of several machine learning algorithms to detect malicious .NET files. The random forest model was the best solution among the set of algorithms tested, exhibiting a performance of 92% for this predictive task.