
Detection of Malicious Executables Using Static and Dynamic Features of Portable Executable (PE) File

  • Conference paper
  • First Online:
Security, Privacy and Anonymity in Computation, Communication and Storage (SpaCCS 2016)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 10067)

Abstract

Malware continues to evolve despite the intensive use of anti-malware techniques, and detecting it becomes harder as attackers adopt counter-detection methods. The long-standing signature-based method used by many anti-malware companies has become ineffective against new and unknown malware. This paper presents a classification method that integrates static and dynamic features of a binary executable and classifies the resulting data using machine learning algorithms. The method first gathers static features by examining the binary code of an executable, namely PE header information and printable strings. It then executes the binary in a sandbox environment and gathers dynamic features, i.e. API call logs. The integrated feature vector is analysed and classified using classification algorithms. We also compare the performance of four classifiers: SVM, Naïve Bayes, J48 and Random Forest. Based on the classification results, Random Forest performs best, with an accuracy of 97.2 %.
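The pipeline the abstract describes, carried through as an added example (this is not the authors' code, nor code from the Cuckoo or Weka projects): a minimal PE header parser pulls the static header fields and per-section entropy, a regular expression pulls the printable strings, a counter turns a sandbox API call log into a bag of API names, and the three are merged into one feature vector and aligned into dense rows for a classifier. The PE image and the API log are constructed inside the block and labelled as such; the feature names (`hdr_*`, `str_*`, `api_*`), the writable+executable and ASLR flags, and the record shape `{"api": name, ...}` are my assumptions, not the paper's feature set. Header field offsets follow the PE/COFF specification.

```python
import math
import re
import struct
from collections import Counter

# Added illustration of the abstract's pipeline (not the authors' code): static
# features from the PE header and printable strings, dynamic features from an
# API call log, merged into one feature vector per sample. Header offsets follow
# the PE/COFF specification; feature names and sample inputs are assumptions.

WX_MASK = 0x80000000 | 0x20000000  # IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_EXECUTE

def entropy(buf: bytes) -> float:
    """Shannon entropy in bits per byte; packed or encrypted sections sit near 8."""
    if not buf:
        return 0.0
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values())

def parse_pe_header(data: bytes) -> dict:
    """Decode selected COFF/optional header fields and the section table."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("no MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    coff = e_lfanew + 4
    machine, nsect, stamp, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic, = struct.unpack_from("<H", data, opt)            # 0x10B PE32, 0x20B PE32+
    size_of_code, = struct.unpack_from("<I", data, opt + 4)
    entry, = struct.unpack_from("<I", data, opt + 16)
    subsystem, dll_chars = struct.unpack_from("<HH", data, opt + 68)  # same offset in PE32/PE32+
    sections = []
    for i in range(nsect):
        name, vsize, _, rsize, rptr, _, _, _, _, schars = struct.unpack_from(
            "<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode(errors="replace"), "vsize": vsize,
                         "rsize": rsize, "characteristics": schars,
                         "entropy": entropy(data[rptr:rptr + rsize])})
    return {"machine": machine, "timestamp": stamp, "characteristics": chars, "magic": magic,
            "size_of_code": size_of_code, "entry_point": entry, "subsystem": subsystem,
            "dll_characteristics": dll_chars, "sections": sections}

def printable_strings(data: bytes, min_len: int = 4) -> list:
    return re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)

def static_features(data: bytes) -> dict:
    hdr = parse_pe_header(data)
    f = {"hdr_" + k: v for k, v in hdr.items() if k != "sections"}
    f["hdr_num_sections"] = len(hdr["sections"])
    f["hdr_max_section_entropy"] = max((s["entropy"] for s in hdr["sections"]), default=0.0)
    f["hdr_wx_sections"] = sum(1 for s in hdr["sections"] if s["characteristics"] & WX_MASK == WX_MASK)
    f["hdr_aslr"] = int(bool(hdr["dll_characteristics"] & 0x0040))  # DYNAMIC_BASE flag
    strings = printable_strings(data)
    f["str_count"] = len(strings)
    f["str_has_url"] = int(any(s.startswith((b"http://", b"https://")) for s in strings))
    for s in strings:                      # bag of printable strings, binary presence
        f["str_" + s.decode()] = 1
    return f

def dynamic_features(api_calls: list) -> dict:
    """Bag of API names from a sandbox behaviour log given as [{"api": name, ...}, ...]."""
    return {"api_" + k: v for k, v in Counter(c["api"] for c in api_calls).items()}

def feature_vector(pe_bytes: bytes, api_calls: list) -> dict:
    return {**static_features(pe_bytes), **dynamic_features(api_calls)}

def vectorize(samples: list) -> tuple:
    """Align sparse feature dicts into dense rows over a shared vocabulary."""
    vocab = sorted({k for s in samples for k in s})
    return vocab, [[s.get(k, 0) for k in vocab] for s in samples]

def build_sample_pe() -> bytes:
    """Constructed minimal PE32 image with one writable+executable section (not a real sample)."""
    body = b"\x55\x8b\xec" + b"http://example.invalid/gate.php\0" + b"CreateRemoteThread\0" + bytes(range(256))
    raw_off = 0x40 + 4 + 20 + 0xE0 + 40          # DOS hdr + "PE\0\0" + COFF + optional + 1 section hdr
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0x5AB1C0DE, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<I", opt, 4, len(body))
    struct.pack_into("<I", opt, 16, 0x1000)
    struct.pack_into("<HH", opt, 68, 2, 0x8140)    # GUI subsystem; DYNAMIC_BASE|NX_COMPAT|TS_AWARE
    sect = struct.pack("<8sIIIIIIHHI", b".text", len(body), 0x1000, len(body), raw_off, 0, 0, 0, 0, 0xE0000020)
    return dos + b"PE\0\0" + coff + bytes(opt) + sect + body

SAMPLE_API_LOG = [  # constructed; shaped like per-call records of a sandbox behaviour report
    {"api": "OpenProcess", "args": {"process_identifier": 1234}},
    {"api": "VirtualAllocEx", "args": {"protection": "PAGE_EXECUTE_READWRITE"}},
    {"api": "WriteProcessMemory", "args": {}},
    {"api": "WriteProcessMemory", "args": {}},
    {"api": "CreateRemoteThread", "args": {}},
    {"api": "InternetOpenUrlA", "args": {"url": "http://example.invalid/gate.php"}},
]

if __name__ == "__main__":
    vocab, rows = vectorize([feature_vector(build_sample_pe(), SAMPLE_API_LOG)])
    for name, value in zip(vocab, rows[0]):
        if not name.startswith("str_") or name in ("str_count", "str_has_url"):
            print(f"{name:28} {value}")
```

Run directly, it prints the header and API features of the constructed sample; `vectorize` over many samples yields the matrix you would hand to Weka or scikit-learn. Two caveats a practitioner should carry over: `parse_pe_header` trusts `SizeOfOptionalHeader` and the section pointers, so a crafted file whose pointers fall outside the buffer yields empty sections rather than an error, and an extractor run on untrusted samples should bounds-check them; and the bag-of-strings keys grow without limit, so they should be hashed or capped before training.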




Author information

Corresponding author

Correspondence to Saba Awan.

Copyright information

© 2016 Springer International Publishing AG

About this paper

Cite this paper

Awan, S., Saqib, N.A. (2016). Detection of Malicious Executables Using Static and Dynamic Features of Portable Executable (PE) File. In: Wang, G., Ray, I., Alcaraz Calero, J., Thampi, S. (eds) Security, Privacy and Anonymity in Computation, Communication and Storage. SpaCCS 2016. Lecture Notes in Computer Science, vol 10067. Springer, Cham. https://doi.org/10.1007/978-3-319-49145-5_6

Download citation

  • DOI: https://doi.org/10.1007/978-3-319-49145-5_6

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-49144-8

  • Online ISBN: 978-3-319-49145-5

  • eBook Packages: Computer Science, Computer Science (R0)
