Scattered feature space for malware analysis

Abstract

Malware prevention methods are gaining attention amongst researchers due to the proliferation of new variants. Malware detection methods can be basically categorized as static and dynamic. In this paper, we investigate the use of features like Portable Executable (PE) headers and body (mnemonic n-gram, instruction opcodes) for classifying the executables as malware or benign. The features are preprocessed using Scatter Criterion to reduce the processing overheads incurred during the training and testing phases by reducing the dimensionality of the feature space. The results of our experimental study show that the proposed methods can detect packed and obfuscated variants of malware as well as classify malware and benign executables. Through our proposed work we also highlight that the PE Header fields are less obfuscated in comparison with the raw data present in the body of executables. Thus, evolutionary possibilities are more pronounced in malware code or Hex dump other than PE Header Fields. © 2011 Springer-Verlag.

Cite

Vinod, P., Laxmi, V., & Gaur, M. S. (2011). Scattered feature space for malware analysis. In Communications in Computer and Information Science (Vol. 190 CCIS, pp. 562–571). https://doi.org/10.1007/978-3-642-22709-7_55
