Intelligent Windows Malware Type Detection based on Multiple Sources of Dynamic Characteristics

  • Thilo Denzer
  • Andrii Shalaginov
  • Geir Olav Dyrkolbotn

Abstract

Malware analysts face novel challenges related to increasing number of malware variants
emerging every year. With new emerging malware types, families and variants, conventional
classification of binaries into benign and malicious became inefficient and needs refinement
when it comes to detecting similar functionality. Microsoft Windows is considered
to be one of the most targeted OS by malware developers through the development of PE32
files that look similar to system files. Static files analysis for malware detection is losing
efficiency due to extensive utilization of obfuscation, encryption and polymorphic when an
anti-virus is no longer able to detect the malware. Thus, it is important to explore sources
of multiple dynamic characteristics that can substantially improve similarity-based malware
detection through indicators of compromise from disk, network and memory artefacts.
This paper suggests an approach for the reliable multifamily malware classification using
dynamic characteristics from community-accepted Cuckoo Sandbox. The best-achieved
classification results using Random Forest was 87.5% for 10 malware families using information
about modified and opened registry keys, created and modified files, loaded DLLs
and the resolved hosts. This result, however, can be further improved by adding more
dynamic features or combine in combination with selected static features in the future.

Published
2019-11-19