Semantic analysis and classification of malware for UNIX-likeoperating systems with the use of machine learning methods

Abstract

The paper focuses on malware classification, based on semantic analysis of disassembled binaries sections’ opcodes with the use of n-grams, TF-IDF indicator and machine learning algorithms. The purpose of the research is to improve and extend the variety of methods for identifying malware developed for UNIX-likeoperating systems. The taskof the research is to create an algorithm, which can identify the types of threats in malicious binary files using n-grams, TF-IDF indicator and machine learning algorithms. Malware classification process can be based either on static or dynamic signatures. Static signatures can be represented as byte-code sequences, binary-assembled instructions, or importedlibraries. Dynamic signatures can be represented as the sequence of actions made by malware. We will use a static signatures strategy for semantic analysis and classification of malware. In this paper,we will work with binary ELF files, which is the mostcommon executable file type for UNIX-likeoperating systems. For the purpose of this research we gathered 2999 malwareELFfiles, using data from VirusShare and VirusTotal sites, and 959 non malware program files from /usr/bin directory in Linux operatingsystem. Each malware file represents one of 3 malware families: Gafgyt, Mirai, and Lightaidra, which are popular and harmful threats to UNIX systems. Each ELF file in dataset was labelled according to its type. The proposed classification algorithm consists of several preparation steps: disassembly of every ELF binary file from the dataset and semantically processing and vectorizing assembly instructions in each file section. For the settingclassification threshold, the Multinomial Naive Bayes model is used. Using the classification threshold, we define the sizefor n-grams and the section of the file, which will give the best classification results. For obtaining the best score, multiple machine learning models, along with hyperparameter optimization, will be used. As a metric of the accuracy of the designed algorithm, mean accuracy and weighted F1 score are used. Stochastic gradient descent for SVM model was selected as the best performing ML model, based on the obtained experimental results.Developed algorithm was experimentally proved to be effective for classifying malware for UNIX operating systems. Results were analyzed and used for making conclusions and suggestions for future work.