• DocumentCode
    3349131
  • Title
    An automated classification system based on the strings of trojan and virus families
  • Author
    Tian, Ronghua ; Batten, Lynn ; Islam, Rafiqul ; Versteeg, Steve
  • Author_Institution
    Sch. of IT, Deakin Univ., Melbourne, VIC, Australia
  • fYear
    2009
  • fDate
    13-14 Oct. 2009
  • Firstpage
    23
  • Lastpage
    30
  • Abstract
    Classifying malware correctly is an important research issue for anti-malware software producers. This paper presents an effective and efficient malware classification technique based on string information using several well-known classification algorithms. In our testing we extracted the printable strings from 1367 samples, including unpacked trojans and viruses and clean files. Information describing the printable strings contained in each sample was input to various classification algorithms, including tree-based classifiers, a nearest neighbour algorithm, statistical algorithms and AdaBoost. Using k-fold cross validation on the unpacked malware and clean files, we achieved a classification accuracy of 97%. Our results reveal that strings from library code (rather than malicious code itself) can be utilised to distinguish different malware families.
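    The pipeline the abstract describes, as an added example that is not the paper's code: extract printable strings (runs of at least four printable ASCII bytes, the default of the Unix strings tool), represent each sample by its set of strings, classify with a nearest-neighbour rule on Jaccard similarity, and score with k-fold cross-validation. A final helper lists the strings shared by every member of a family and absent from every other sample, which is the kind of library-code string the abstract reports as the discriminating signal. The sample "binaries", the three family names and the library/API names embedded in them are constructed for the demonstration; the paper's 1367-sample dataset, its feature encoding and its tree-based, statistical and AdaBoost classifiers are not reproduced.

```python
"""Printable-string extraction and k-fold nearest-neighbour family classification.

Added example, not the paper's code. The "binaries", family labels and the
library/API names embedded in them are constructed for this demonstration.
"""
import re


def extract_strings(data: bytes, min_len: int = 4) -> set[str]:
    """Return the runs of at least min_len printable ASCII bytes (0x20-0x7e),
    which is what the Unix `strings` tool reports by default. A set is
    returned because the classifier below only asks which strings occur."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return {m.group().decode("ascii") for m in pattern.finditer(data)}


def jaccard(a: set[str], b: set[str]) -> float:
    """Similarity of two string sets: |a & b| / |a | b|."""
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


def nearest_neighbour(query: set[str], train: list[tuple[set[str], str]]) -> str:
    """1-NN classifier: label of the training sample with the highest Jaccard similarity."""
    return max(train, key=lambda sample: jaccard(query, sample[0]))[1]


def k_fold_accuracy(samples: list[tuple[set[str], str]], k: int) -> float:
    """k-fold cross-validation: fold i is every k-th sample starting at index i,
    so a dataset ordered family by family spreads each family over all folds."""
    correct = 0
    for i in range(k):
        test = [s for j, s in enumerate(samples) if j % k == i]
        train = [s for j, s in enumerate(samples) if j % k != i]
        correct += sum(nearest_neighbour(feat, train) == label for feat, label in test)
    return correct / len(samples)


def family_signature(samples: list[tuple[set[str], str]], label: str) -> set[str]:
    """Strings present in every sample of `label` and in no sample of any other
    label: the shared library strings that separate this family from the rest."""
    inside = [feat for feat, lab in samples if lab == label]
    outside = [feat for feat, lab in samples if lab != label]
    return set.intersection(*inside) - set().union(*outside)


def fake_binary(strings: list[str], noise: bytes) -> bytes:
    """Constructed stand-in for an unpacked executable: NUL-separated strings
    surrounded by non-printable bytes."""
    return noise + b"\x00".join(s.encode("ascii") for s in strings) + noise


def build_dataset() -> list[tuple[set[str], str]]:
    """Nine constructed samples, three per hypothetical family. Each family shares a
    block of imported-library strings; only the version string varies within a family."""
    noise = b"\x00\x01\x02\x7f\xff\x10\x00\x80"
    families = {
        "downloader_trojan": ["kernel32.dll", "urlmon.dll", "URLDownloadToFileA", "WinExec"],
        "file_infector_virus": ["kernel32.dll", "FindFirstFileA", "FindNextFileA", "CreateFileA", "WriteFile"],
        "clean": ["kernel32.dll", "msvcrt.dll", "printf", "puts", "__getmainargs"],
    }
    samples = []
    for label, libs in families.items():
        for version in ("v1.0", "v1.1", "v1.2"):
            samples.append((extract_strings(fake_binary(libs + [version], noise)), label))
    return samples


if __name__ == "__main__":
    data = build_dataset()
    print("3-fold accuracy:", k_fold_accuracy(data, 3))
    for fam in ("downloader_trojan", "file_infector_virus", "clean"):
        print(fam, "->", sorted(family_signature(data, fam)))
```

    On this constructed set the three folds each hold one sample per family and the nearest neighbour is always a sibling, so accuracy is 1.0; the point of the example is the shape of the pipeline, not the number. Note that a string common to every sample (here kernel32.dll) contributes nothing to separation and drops out of every family signature, and that the whole approach presupposes unpacked samples, as the abstract states: a packer replaces the import and library strings with its own stub.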
  • Keywords
    invasive software; learning (artificial intelligence); pattern classification; statistics; AdaBoost algorithm; k-fold cross validation; malware classification; nearest neighbour algorithm; statistical algorithm; tree-based classifiers; trojan family; virus family; Bayesian methods; Classification algorithms; Classification tree analysis; Databases; Decision trees; Radio frequency; Support vector machine classification; Support vector machines; Testing; Viruses (medical); Malware; classification; strings;
  • fLanguage
    English
  • Publisher
    ieee
  • Conference_Titel
    Malicious and Unwanted Software (MALWARE), 2009 4th International Conference on
  • Conference_Location
    Montreal, QC
  • Print_ISBN
    978-1-4244-5786-1
  • Type
    conf
  • DOI
    10.1109/MALWARE.2009.5403021
  • Filename
    5403021