SGSI support throught malware's classification using a pattern analysis

Abstract

Nowadays, there are significant amounts of malware codes that are created every day. However, the majority of these samples (malware) are variations of other malware that have been already identified. Therefore, most of the analyzed malware have similar structure among them. In this investigation, we will present a technic to extract features throughout different abstraction levels in order to classify malware codes. This analysis is based on three factors: the position where the malware is detected, the functions' calls from each Dynamic Link Libraries (DLL) and the ten most frequently visited hexadecimals per each malware sample. Once those characteristics are obtained, a descriptive vector of each malware is built. This vector works as a training to different learning machines types (SVM, IBL, and Decision Tree) and as a classification of the variations of malware codes (Virus, Backdoor, Trojan, and Adware). The result in the precision of the classification was 78.38% average where 3 types of learning machines were combined. The classified type as virus and algorithm IB1 (Instance Based Learning, IBL) were considered more accurate. These results are a fundamental support to the management system in information security by combining traditional and new classification and detention techniques of malware codes.

Nowadays, there are significant amounts of malware codes that are created every day. However, the majority of these samples (malware) are variations of other malware that have been already identified. Therefore, most of the analyzed malware have similar structure among them. In this investigation, we will present a technic to extract features throughout different abstraction levels in order to classify malware codes. This analysis is based on three factors: the position where the malware is detected, the functions' calls from each Dynamic Link Libraries (DLL) and the ten most frequently visited hexadecimals per each malware sample. Once those characteristics are obtained, a descriptive vector of each malware is built. This vector works as a training to different learning machines types (SVM, IBL, and Decision Tree) and as a classification of the variations of malware codes (Virus, Backdoor, Trojan, and Adware). The result in the precision of the classification was 78.38% average where 3 types of learning machines were combined. The classified type as virus and algorithm IB1 (Instance Based Learning, IBL) were considered more accurate. These results are a fundamental support to the management system in information security by combining traditional and new classification and detention techniques of malware codes.