An investigation of malware type classification
Document Type: Conference Proceeding
Publication Date: 9-8-2011
Abstract
The increasing cybercrime trend places increased pressure on struggling organizations to defend themselves from an influx of custom malware attacks. These customized 'cyber weapons' are undetectable to antivirus signature-based scanners and difficult to detect with heuristic-based scanners. Governments and many organizations simply cannot wait for commercial malware detection solutions, because researchers likely will never receive a targeted malware artifact (it may be the only instance in existence) unless the customer first finds it themselves and submits it for review. Unbeknownst to many antivirus customers, who mistakenly think they are watching the malware game from the safety and security of the sidelines, wily cyber criminals have quietly begun targeting them as the weakest players on the field. While several critical malware problems remain the focus of intense research, this research paper investigates methods of automatically identifying disparities between malware types using machine learning techniques. The results from these experiments can help all interested entities to better identify and classify specific artifacts that they discover, possibly even enabling more expedient recovery procedures. Other applications of these methods include automatically classifying malware types for large malware repositories or assisting antivirus researcher agreement on a specific universal malware type standard. Fostering agreement in the antivirus research community on a universal type standard benefits both the research community and antivirus customers, because standards allow for effective and appropriate response and recovery procedures. These standards also allow academic research efforts to effectively leverage the expertise of the antivirus researcher community.
Preliminary results on relatively small datasets demonstrate reasonable confidence in classification accuracy for three different malware types, based on partial and full agreement between three major antivirus company products. This methodology serves as a quick-look classification for identification and prioritization of work for appropriate information technology personnel. Increasing the number of samples, applying a variety of machine learning techniques, and incorporating other software types into this research will increase the significance of these results and help to define the essence of various software classes.
Source Publication: 5th European Conference on Information Management and Evaluation, ECIME 2011
Recommended Citation: Dube, T. E., Raines, R. A., Peterson, G. L., Bauer, K. W., & Rogers, S. K. (2011). An investigation of malware type classification. 5th European Conference on Information Management and Evaluation, ECIME 2011, 398–406.
Comments: Co-author T. Dube was completing an AFIT PhD program at the time of this conference. (AFIT-DCE-ENG-11-07, September 2011)