Book chapter, peer reviewed

Byte Level n–Gram Analysis for Malware Detection

2011; Springer Science+Business Media; Language: English

10.1007/978-3-642-22786-8_6

ISSN

1865-0937

Authors

Sachin Jain, Yogesh Kumar Meena

Topic(s)

Digital and Cyber Forensics

Abstract

The advent of the Internet, and of legitimate transactions conducted through it, has made computer systems vulnerable. Malicious code writers launch illicit programs on compromised systems to gain access to their resources and to the confidential or intellectual information of their users. The primary reason systems become vulnerable to attack is the ignorance of naive users, who use the system over the Internet without considering the extent of the threats. Hence, malware detection is of prime importance for protecting systems and their resources. Most malware scanners employ signature-based detection methods, and these scanners fail to detect unseen and obfuscated malware samples. In this paper we propose a non-signature-based approach for detecting malicious code. n-grams are extracted from Portable Executable (PE) files of benign and malware samples and used as features; n-grams ranging in length from 1 to 8 are extracted from the raw byte patterns. Since the number of unique n-grams extracted from the samples is very large, class-wise document frequency is used to reduce the feature space. Experiments have been conducted on 2138 Portable Executable (PE) samples, and classification is performed using the Naïve Bayes, Instance Based Learner (IBK), J48 and AdaBoost1 classifiers provided by WEKA (a data mining tool). The experimental results are promising and show that the proposed approach can effectively classify executables as malware or benign while minimizing false alarms.
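As an added illustration, not code from the paper, the following toy pipeline performs the two steps the abstract describes: extracting byte-level n-grams from raw file bytes and ranking them by class-wise document frequency to shrink the feature space. The ranking score (gap between per-class document frequencies), the function names and the constructed sample bytes are assumptions of this example, not details taken from the chapter.

```python
from collections import Counter

# Constructed toy "files" (not from the paper): raw bytes with label 0 = benign, 1 = malware.
SAMPLES = [
    (b"MZ\x90\x00hello world", 0),
    (b"MZ\x90\x00hello there", 0),
    (b"MZ\x90\x00\xde\xad\xbe\xef\xcc\xcc", 1),
    (b"MZ\x90\x00\xde\xad\xbe\xef\x90\x90", 1),
]


def byte_ngrams(data, n):
    """Distinct byte n-grams of one file (the paper uses n from 1 to 8)."""
    return {data[i:i + n] for i in range(len(data) - n + 1)}


def classwise_document_frequency(samples, n):
    """For each class, count how many files contain each n-gram (presence, not occurrences)."""
    df = {0: Counter(), 1: Counter()}
    for data, label in samples:
        df[label].update(byte_ngrams(data, n))
    return df


def select_features(samples, n, k):
    """Keep the k n-grams whose normalised document frequency differs most between classes.

    Assumed scoring rule: |DF_malware/N_malware - DF_benign/N_benign|; n-grams common to
    both classes (e.g. the MZ header) score 0 and drop out, which is the intended effect.
    """
    df = classwise_document_frequency(samples, n)
    class_sizes = Counter(label for _, label in samples)
    grams = set(df[0]) | set(df[1])

    def score(g):
        return abs(df[1][g] / class_sizes[1] - df[0][g] / class_sizes[0])

    # Tie-break on the bytes themselves so the selection is deterministic.
    return sorted(grams, key=lambda g: (-score(g), g))[:k]


def feature_vector(data, n, features):
    """Binary presence vector for one file over the selected n-gram features."""
    present = byte_ngrams(data, n)
    return [1 if f in present else 0 for f in features]


if __name__ == "__main__":
    feats = select_features(SAMPLES, 2, 10)
    for data, label in SAMPLES:
        print(label, feature_vector(data, 2, feats))
```

On the toy data every file shares the PE header bytes, so those n-grams score zero and are discarded, while the n-grams unique to one class are retained.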
