Open Access
Malware detection method based on the control‐flow construct feature of software
Author(s) - Zhao Zongqu, Wang Junfeng, Bai Jinrong
Publication year - 2014
Publication title - IET Information Security
Language(s) - English
Resource type - Journals
SCImago Journal Rank - 0.308
H-Index - 34
eISSN - 1751-8717
pISSN - 1751-8709
DOI - 10.1049/iet-ifs.2012.0289
Subject(s) - malware, computer science, opcode, data mining, software, feature selection, artificial intelligence, construct (python library), classifier (uml), feature vector, machine learning, pattern recognition (psychology), computer security, operating system, programming language
Existing anti‐virus methods extract software signatures by manual analysis, which is inefficient when dealing with a large number of malware samples. They are also limited in their ability to detect unknown malware. Research on software structure has found that the control flow of software can be divided into many basic blocks by its interior cross‐references, and a feature‐selection approach based on this phenomenon is proposed. It extracts opcode sequences from the disassembled program and translates them into features using the vector space model. Data mining algorithms are employed to find classification rules from the software features, and the rules can then be applied to malware detection. Experimental results show that the proposed method achieves 97.0% malware detection accuracy and a 3.2% false positive rate with the Random Forest classifier. Furthermore, an overall accuracy as high as 94.5% can be achieved when only 5% of the experimental data are used as training data.
