Enhancing Efficiency and Privacy in Memory-Based Malware Classification through Feature Selection
Salim Sazzed, Sharif Ullah

TL;DR
This paper demonstrates that feature selection significantly improves the performance and privacy of memory-based malware classification across various classification levels, using mutual information and other methods.
Contribution
It introduces a feature selection approach employing mutual information to enhance malware classification accuracy and privacy, validated across multiple classification tasks.
Findings
Feature selection improves classifier performance in malware detection.
Mutual information-based feature selection reduces data while maintaining accuracy.
Selecting 25-50% of features yields optimal results with Random Forest.
Abstract
Malware poses a significant security risk to individuals, organizations, and critical infrastructure by compromising systems and data. Leveraging memory dumps that offer snapshots of computer memory can aid the analysis and detection of malicious content, including malware. To improve the efficacy and address privacy concerns in malware classification systems, feature selection can play a critical role as it is capable of identifying the most relevant features, thus minimizing the amount of data fed to classifiers. In this study, we employ three feature selection approaches to identify significant features from memory content and use them with a diverse set of classifiers to enhance the performance and privacy of the classification task. Comprehensive experiments are conducted across three levels of malware classification tasks: i) binary-level benign or malware classification, ii)…
Taxonomy
Topics: Advanced Malware Detection Techniques · Network Security and Intrusion Detection · Digital and Cyber Forensics
Methods: Feature Selection
