Abstract
Over the last few years, the malware propagation on PC platforms, especially on Windows OS has been even severe. For the purpose of resisting a large scale of malware variants, machine learning (ML) classifiers for malicious Portable Executable (PE) files have been proposed to achieve automated classification. Recently, function call graph (FCG) vectorization (FCGV) representation was explored as the input feature to achieve higher ML classification accuracy, but FCGV representation loses some critical features of PE files due to the hash technique. This paper aims to further improve the classification accuracy of FCGV-based ML model by applying both graph and non-graph features. We propose an FCGV-SF based Random Forest classification model, which applies both FCGV features (graph features) and statistical features (SF, non-graph features) extracted from disassembled PE files. Six types of effective non-graph features are chosen for our integrated vector, namely, metadata, symbol, operation code, register, section and data definition. We evaluate our model on a dataset provided by Microsoft hosted at Kaggle, and the experimental results indicate that the classification accuracy increases from 0.9851 to 0.9957 compared with the existing model based on FCGV only.
Highlights
Over the last few years, the malware propagation on PC platforms, especially on Windows OS, has been even severe, causing various threats to system security and data privacy
This huge intrusion of malicious Portable Executable (PE) files results from the malware modification and obfuscation performed by attackers, so that similar malware samples will be distinct from the others [2] and evade detection
To extract features used for malware classification, static and dynamic analysis techniques have been explored to perform the analysis of malicious PE files
Summary
Over the last few years, the malware propagation on PC platforms, especially on Windows OS, has been even severe, causing various threats to system security and data privacy. To extract features used for malware classification, static and dynamic analysis techniques have been explored to perform the analysis of malicious PE files. By performing static and/or dynamic analysis on each PE sample, two types of features can be extracted from malware binaries, namely, non-graph features and graph features. We propose an FCGV-SF based Random Forest classification model (denoted as FCGV-SF model in the following) which applies both FCGV features (graph features) and statistical features (SF, non-graph features) extracted from disassembled PE files. Six types of effective statistical features [14] are chosen to build our integrated vector, namely metadata, symbol, operation code, register, section and data definition. Compared with prior malware classification work based on FCGV only or non-graph statistical features only, our proposed model preserves more vital information in disassembled PE files.
Sign-in/Register to view highlights & summary Sign-in/Register to access full text options 
Talk to us
Join us for a 30 min session where you can share your feedback and ask us any queries you have
Schedule a callDisclaimer: All third-party content on this website/platform is and will remain the property of their respective owners and is provided on "as is" basis without any warranties, express or implied. Use of third-party content does not indicate any affiliation, sponsorship with or endorsement by them. Any references to third-party content is to identify the corresponding services and shall be considered fair use under The CopyrightLaw.
