Malware classification using filesystem footprints

George Cabau, Magda Buhu, Ciprian Oprișa
Published in: 2016 IEEE International Conference on Automation, Quality and Testing, Robotics (AQTR)
Publication date: 2016-05-19
DOI: 10.1109/AQTR.2016.7501294 (https://doi.org/10.1109/AQTR.2016.7501294)
Citations: 2

Abstract

Automated analysis is useful in anti-malware research because it helps deal with large collections of samples and reduces the human effort. This paper describes an automated system that performs dynamic analysis by running new samples in a controlled environment and analyzing the operations they perform on the filesystem. These operations are used to train a Support Vector Machine classifier that can proactively detect new malware samples. The experimental evaluation showed that our automated system provides good results in terms of classification quality and in terms of performance. Being able to automatically decide if a file is clean or infected is very important in the antivirus industry, because based on this the file can be automatically blacklisted.