Grouping the executables to detect malware with high accuracy

TL;DR

This paper proposes a malware detection method that groups executables by size using k-Means clustering, enabling high-accuracy classification of known and unknown malware variants with up to 99.11% accuracy.

Contribution

The study introduces a size-based grouping approach combined with machine learning classifiers for effective malware detection, especially for metamorphic variants.

Findings

Size-based grouping effectively clusters malware variants.

High detection accuracy of up to 99.11% achieved.

Method can classify unknown malware with high precision.

Abstract

The metamorphic malware variants with the same malicious behavior (family), can obfuscate themselves to look different from each other. This variation in structure leads to a huge signature database for traditional signature matching techniques to detect them. In order to effective and efficient detection of malware in large amounts of executables, we need to partition these files into groups which can identify their respective families. In addition, the grouping criteria should be chosen such a way that, it can also be applied to unknown files encounter on computers for classification. This paper discusses the study of malware and benign executables in groups to detect unknown malware with high accuracy. We studied sizes of malware generated by three popular second generation malware (metamorphic malware) creator kits viz. G2, PS-MPC and NGVCK, and observed that the size variation in any two generated malware from same kit is not much. Hence, we grouped the executables on the basis of malware sizes by using Optimal k-Means Clustering algorithm and used these obtained groups to select promising features for training (Random forest, J48, LMT, FT and NBT) classifiers to detect variants of malware or unknown malware. We find that detection of malware on the basis of their respected file sizes gives accuracy up to 99.11% from the classifiers.