Authors: Sergii Banin, Geir Olav Dyrkolbotn (NTNU)
DFRWS USA 2018
Abstract
Because malicious software ("malware") is so frequently used in cybercrime, malware detection and the related research have become a serious concern in the information security landscape. However, an appropriate defense and post-attack response require that malware be not only detected but also categorized according to its functionality. It comes as no surprise that more and more malware is now written with the intent of evading detection and analysis. Despite sophisticated obfuscation, encryption, and anti-debugging techniques, malware cannot avoid executing on hardware, so hardware ("low-level") activity is a promising source of features. In this paper, we study the applicability of low-level features to multinomial malware classification. This research is a logical continuation of a previously published paper (Banin et al., 2016), which showed that memory access patterns can be used successfully for malware detection. Here, we use memory access patterns to distinguish between 10 malware families and 10 malware types. Our results show that the method works better for classifying malware into families than into types, and we analyze those results in detail. With satisfactory classification accuracy, we show that thorough feature selection can reduce data dimensionality by a magnitude of 3 without significant loss in classification performance.
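The abstract describes the pipeline only at a high level: memory access patterns become feature vectors, feature selection shrinks those vectors, and a classifier assigns a family. The following is an added illustration of that shape and is not code from the paper. It assumes (as the abstract does not state) that a trace is a sequence of read/write operations summarised as n-gram frequencies, that selection is a simple filter on how far each n-gram's per-class mean frequency spreads, and that classification is nearest-centroid; the traces, family names `famA`/`famB`, and every function name are constructed for the example.

```python
from collections import Counter

# Constructed sample traces (not real malware data): one string of memory
# operations per run, 'R' for a read and 'W' for a write. A real trace would
# come from an instrumented execution; these are hand-written so the example
# runs offline.
SAMPLES = [
    ("famA", "RRWRRWRRWRRWRRWRRW"),
    ("famA", "RRWRRWRRWRWRRWRRWR"),
    ("famB", "WWRWWRWWRWWRWWRWWR"),
    ("famB", "WWRWWRWWRWRWWRWWRW"),
]


def ngram_counts(trace, n):
    """Count sliding-window n-grams over the operation string."""
    return Counter(trace[i:i + n] for i in range(len(trace) - n + 1))


def vectorize(samples, n):
    """Build the full n-gram vocabulary and one relative-frequency vector per sample."""
    vocab = sorted({g for _, t in samples for g in ngram_counts(t, n)})
    rows = []
    for label, trace in samples:
        counts = ngram_counts(trace, n)
        total = sum(counts.values()) or 1
        rows.append((label, [counts[g] / total for g in vocab]))
    return vocab, rows


def centroids(rows):
    """Per-class mean vector (the model used by nearest-centroid classification)."""
    by_label = {}
    for label, vec in rows:
        by_label.setdefault(label, []).append(vec)
    return {lab: [sum(col) / len(vecs) for col in zip(*vecs)]
            for lab, vecs in by_label.items()}


def select_features(vocab, rows, k):
    """Filter-style feature selection (assumed criterion, not the paper's):
    score each n-gram by the spread of its per-class mean frequency and keep
    the top k, so the vectors shrink from len(vocab) to k dimensions."""
    cents = centroids(rows)
    scored = []
    for j, g in enumerate(vocab):
        vals = [c[j] for c in cents.values()]
        scored.append((max(vals) - min(vals), g, j))
    scored.sort(reverse=True)
    keep = sorted(j for _, _, j in scored[:k])
    return [vocab[j] for j in keep], [(lab, [v[j] for j in keep]) for lab, v in rows]


def nearest_centroid(cents, vec):
    """Assign the class whose centroid is closest in squared Euclidean distance."""
    def dist(a, b):
        return sum((x - y) ** 2 for x, y in zip(a, b))
    return min(cents, key=lambda lab: dist(cents[lab], vec))


def classify_trace(trace, n, vocab, cents):
    """Vectorize an unseen trace over the (reduced) vocabulary and classify it.
    Frequencies are normalised by the full n-gram count so unseen n-grams
    still dilute the kept ones, matching how training rows were built."""
    counts = ngram_counts(trace, n)
    total = sum(counts.values()) or 1
    return nearest_centroid(cents, [counts[g] / total for g in vocab])


def demo(n=3, k=4):
    """Return (full dimensionality, reduced dimensionality, verdict for a famA trace)."""
    vocab, rows = vectorize(SAMPLES, n)
    sel_vocab, sel_rows = select_features(vocab, rows, k)
    cents = centroids(sel_rows)
    return len(vocab), len(sel_vocab), classify_trace(SAMPLES[0][1], n, sel_vocab, cents)


if __name__ == "__main__":
    print(demo())
```

On this toy data the trigram vocabulary has 6 entries and selection keeps 4; the point to carry over is that a filter like this is computed from the training rows only, so the same reduced vocabulary must be reused, unchanged, when vectorizing traces at test time.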