Conference: International Conference on Mobile and Secure Services

Malgazer: An Automated Malware Classifier With Running Window Entropy And Machine Learning

Abstract

Malware classification determines the type of behavior, function, and family that a malware sample exhibits. As detection efficacy continues to improve in practice, classification efficacy is a more complex, interesting, and richer problem that requires more research. This paper explores automated malware classification using running window entropy (RWE) as the feature set for several machine learning algorithms. An RWE-based malware classifier, Malgazer, is designed and developed in the research. Our final data set includes 60,000 malware samples from six malware classification groups: Backdoor, Worm, Trojan, Virus, PUA, and Ransom. Eight machine learning algorithms were studied during this research. Each machine learning algorithm was evaluated using the RWE and the GIST features. The highest-accuracy model using the running window entropy comes from the AdaBoost and random forest algorithms with window size 1,024 bytes and 1,024 data points. The testing and evaluation results show that the RWE-based classifier, Malgazer, is approximately 0.76% more accurate than a leading classifier, GIST, from prior literature on the same data sets. This research demonstrates that RWE could be used for malware classification and, if applied appropriately, could increase automated classification accuracy.
