Runtime-Behavior Based Malware Classification Using Online Machine Learning

Pektas A., ACARMAN T., Falcone Y., Fernandez J.

World Congress on Internet Security (WorldCIS), Dublin, Ireland, 19 - 21 October 2015, pp.166-171

  • Publication Type: Conference Paper / Full Text
  • Doi Number: 10.1109/worldcis.2015.7359437
  • City: Dublin
  • Country: Ireland
  • Page Numbers: pp.166-171
  • Keywords: malware classification, online machine learning, dynamic analysis


Identifying a malware sample's family is an intricate process whose success and accuracy depend on different factors. These factors are mainly related to the process of extracting meaningful and distinctive features from a set of malware samples, modeling malware via its static or dynamic features, and, in particular, the techniques used to classify malware samples. In this paper, we propose a new malware classification method based on behavioral features. File system, network, and registry activities observed in the execution traces of the malware samples are used to represent behavior-based features. Existing classification schemes apply machine-learning algorithms to stored data, i.e., they are off-line. In this study, we use on-line machine learning algorithms that can provide an instantaneous update about a new malware sample following its introduction to the classification scheme. To validate the effectiveness and scalability of our method, we have evaluated it using 18,000 recent malicious files. Experimental results show that our method classifies malware with an accuracy of 92%.