Detection of malicious executables using static and dynamic features of portable executable (PE) file

6 citations; 14 Mendeley readers.

Abstract

Malware continues to evolve despite intensive use of antimalware techniques. Detecting malware becomes a difficult task as malware authors adopt different counter-detection methods. The long-established signature-based method used by many antimalware companies has become inefficient in the face of new and unknown malware variants. This paper presents an effective classification method that integrates static and dynamic features of a binary executable and classifies the data using machine learning algorithms. The method first gathers static features by examining the binary code of an executable, namely PE header information and printable strings. After executing the binary in a sandbox environment, it gathers dynamic features, i.e. API call logs. The integrated feature vector is then analyzed and classified using classification algorithms. In this work, we also compare the performance of four classifiers, i.e. SVM, Naïve Bayes, J48 and Random Forest. Based on the classification results, we conclude that Random Forest performs best, with an accuracy of 97.2 %.
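The static-feature step described above (PE header information plus printable strings, combined into one feature vector for a classifier) can be illustrated with a small parser. This is an added example written for this page, not code from the paper; the minimal PE image, the field names and the watched strings are constructed assumptions.

```python
import re
import struct

# Constructed, hypothetical minimal PE image (not a real binary): a DOS header whose
# e_lfanew points at the "PE\0\0" signature, a COFF file header, the optional-header
# magic, and a few embedded strings of the kind the static feature set looks for.
def build_sample_pe() -> bytes:
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 60, 64)          # e_lfanew: PE signature at offset 64
    # Machine=AMD64, 3 sections, TimeDateStamp, symbol table ptr/count, size of
    # optional header, Characteristics (EXECUTABLE_IMAGE | LARGE_ADDRESS_AWARE)
    coff = struct.pack("<HHIIIHH", 0x8664, 3, 0x5B8D80, 0, 0, 240, 0x0022)
    magic = struct.pack("<H", 0x20B)             # PE32+ optional header magic
    body = (b"\x00" * 10 + b"kernel32.dll\x00VirtualAlloc\x00"
            + b"\x01\x02" + b"http://example.invalid/\x00")
    return bytes(dos) + b"PE\0\0" + coff + magic + body

def parse_pe_header(data: bytes) -> dict:
    """Static features from the DOS stub, COFF header and optional-header magic."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 60)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    (machine, nsect, stamp, _, _, opt_size, chars) = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    magic = struct.unpack_from("<H", data, e_lfanew + 24)[0]
    return {"machine": machine, "number_of_sections": nsect, "timestamp": stamp,
            "optional_header_size": opt_size, "characteristics": chars,
            "is_dll": bool(chars & 0x2000), "is_pe32plus": magic == 0x20B}

def printable_strings(data: bytes, min_len: int = 4) -> list:
    """ASCII runs of at least min_len bytes: the 'printable strings' feature source."""
    return [m.decode("ascii") for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]

def static_feature_vector(data: bytes, watch_strings) -> dict:
    """Combine header fields and string indicators into one flat feature dict."""
    hdr = parse_pe_header(data)
    strings = printable_strings(data)
    vec = {k: int(v) for k, v in hdr.items()}
    vec["string_count"] = len(strings)
    for w in watch_strings:                      # binary indicator per watched string
        vec["str:" + w] = int(any(w in s for s in strings))
    return vec

if __name__ == "__main__":
    print(static_feature_vector(build_sample_pe(),
                                ["VirtualAlloc", "CreateRemoteThread", "http://"]))
```

The dynamic half of the paper's feature vector (API call logs from a sandbox run) would be appended to the same dict before training the classifiers.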

Citation (APA)

Awan, S., & Saqib, N. A. (2016). Detection of malicious executables using static and dynamic features of portable executable (PE) file. In Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) (Vol. 10067 LNCS, pp. 48–58). Springer Verlag. https://doi.org/10.1007/978-3-319-49145-5_6
