Relevant hex patterns for malcode detection

Abstract

Malware poses a big threat to computer systems now a days. Malware authors often use encryption/compression methods to conceal their malicious executables data and code. These methods that transform some or all of the original bytes into a series of random looking data bytes appear in 80 to 90% of malware samples. This fact creates special challenges for anti-virus scanners who use static and dynamic methods to analyze large malware collections. In this paper we propose a method to identify malware executables by reading initial 2500 byte patterns of the sample. Our method reduces overall scanner execution time by considering 2500 bytes instead of whole file. Experimental results are evaluated using different classification algorithms (Random Forest, Ada-Boost, IBK, J48, Naïve-Bayes) followed by a feature selection method.