Malware Classification Based on Dynamic Behavior

George Cabau, Magda Buhu, Ciprian Oprișa
DOI: 10.1109/SYNASC.2016.057 (https://doi.org/10.1109/SYNASC.2016.057)
Published in: 2016 18th International Symposium on Symbolic and Numeric Algorithms for Scientific Computing (SYNASC), September 2016
Citations: 17

Abstract

Automated file analysis is important in malware research for identifying malicious files in large collections of samples. This paper describes an automatic system that classifies a file as infected based on the dynamic behavior the file exhibits inside a controlled, monitored environment. Based on features revealed at runtime, we train a Support Vector Machine classifier that can then be used to identify malicious files. The paper analyzes the classifier's performance on several types of features, from raw runtime information to heuristics generated by expert systems, and provides guidelines for the feature selection process when dealing with this type of data. We show that by enlarging the feature domain, our classifier gains proactivity and is able to detect previously unseen samples, even if they belong to different malware families.