DocumentCode :
3705121
Title :
Pruned feature space for metamorphic malware detection using Markov Blanket
Author :
Jithu Raphel; Vinod P.
Author_Institution :
Department of Computer Science, SCMS School of Engineering & Technology, Ernakulam, Kerala, India
fYear :
2015
Firstpage :
377
Lastpage :
382
Abstract :
The proposed non-signature-based system creates a meta feature space for the detection of metamorphic malware samples, where three sets of features are extracted from the files: (a) branch opcodes, (b) unigrams, and (c) bigrams. The feature space is initially pruned using the Naïve Bayes method. After the rare feature elimination process, the relevant opcodes that contribute highly towards the target class are selected, thereby forming a relevant feature set. The next phase removes the redundant features present in the relevant feature set using the Markov Blanket approach. The prominent features extracted are used for generating the training models, and unseen instances are tested using the optimal models. The proposed system is capable of detecting the NGVCK viruses and MWORM with an accuracy of 100% using the meta opcode space of 25 features. A promising F1-score of 1.0 was obtained, and the results demonstrate the efficiency of the proposed metamorphic malware detector.
Keywords :
"Malware","Feature extraction","Markov processes","Hidden Markov models","Viruses (medical)","Redundancy","Predictive models"
Publisher :
IEEE
Conference_Title :
Contemporary Computing (IC3), 2015 Eighth International Conference on
Print_ISBN :
978-1-4673-7947-2
Type :
conf
DOI :
10.1109/IC3.2015.7346710
Filename :
7346710