Runtime-Behavior Based Malware Classification Using Online Machine Learning


Pektas A., ACARMAN T. , Falcone Y., Fernandez J.

World Congress on Internet Security (WorldCIS), Dublin, İrlanda, 19 - 21 Ekim 2015, ss.166-171 identifier identifier

Özet

Identification of malware's family is an intricate process whose success and accuracy depends on different factors. These factors are mainly related to the process of extracting of meaningful and distinctive features from a set of malware samples, modeling malware via its static or dynamic features and particularly techniques used to classify malware samples. In this paper, we propose a new malware classification method based on behavioral features. File system, network, registry activities observed during the execution traces of the malware samples are used to represent behavior based features. Existing classification schemes apply machine-learning algorithms to the stored data, i. e., they are off-line. In this study, we use on-line machine learning algorithms that can provide instantaneous update about the new malware sample by following its introduction to the classification scheme. To validate the effectiveness and scalability of our method, we have evaluated our method by using 18,000 recent malicious files. Experimental results show that our method classifies malware with an accuracy of 92%.