Metamorphic virus detection using feature selection techniques

In this article, a non-signature based statistical scanner for metamorphic malware detection, employing feature ranking methods like Term Frequency-Inverse Document Frequency-Class Frequency (TF-IDF-CF), Galavotti-Sebastiani-Simi Coefficient (GSS), Term Significance (TS) and Odds Ratio (OR) is proposed. Malware and benign models for classification are created by considering top ranked features obtained through each feature selection method. The proposed statistical detector was tested on synthetic and live specimens. Accuracy of 100% is attained with the synthetic malware dataset, whereas, accuracy above 92% is obtained for the live metamorphic samples involving complex obfuscation techniques. Further, relevance of feature ranking methods at varying feature length is evaluated using McNemar test. Thus, the non-signature based scanner designed by us could be used for the detection of sophisticated metamorphic malware.