A Scalable Malware Classification Based on Integrated Static and Dynamic Features

  • Tewfik Bounouh
  • Zakaria Brahimi
  • Ameer Al-Nemrat
  • Chafika Benzaid
Conference paper
Part of the Communications in Computer and Information Science book series (CCIS, volume 630)


This paper presents a malware classification approach which aims to improve precision and support scalability. To this end, a hybrid approach combining both static and dynamic features is adopted. The hybrid approach has the advantage of being a complete and robust solution to evasion techniques used by malware writers.

The proposed methodology allowed achieving a very promising accuracy of 99.41% in classifying malware into families while considerably reducing the feature space compared to competing approaches in the literature.


Malware classification Static features Dynamic features Coarse-grained modeling 


  1. 1.
  2. 2.
  3. 3.
    Hexcorn Ltd. HexDive. www.hexacorn.com
  4. 4.
    Vxheaven. www.vxheaven.org
  5. 5.
    Bailey, M., Oberheide, J., Andersen, J., Mao, Z.M., Jahanian, F., Nazario, J.: Automated classification and analysis of internet malware. In: Kruegel, C., Lippmann, R., Clark, A. (eds.) RAID 2007. LNCS, vol. 4637, pp. 178–197. Springer, Heidelberg (2007). doi: 10.1007/978-3-540-74320-0_10 CrossRefGoogle Scholar
  6. 6.
    Bayer, U., Comparetti, P.M., Hlauscheck, C., Kruegel, C., Kirda, E.: Scalable, behavior-based malware clustering. In: Proceedings of the 16th Symposium on Network and Distributed System Security (NDSS 2009), February 2009Google Scholar
  7. 7.
    Canzanese, R., Mancoridis, S., Kam, M.: Run-time classification of malicious processes using system call analysis. In: Proceedings of the 10th International Conference on Malicious and Unwanted Software (MALWARE 2015), pp. 21–28. IEEE, October 2015Google Scholar
  8. 8.
    Cesare, S., Xiang, Y., Zhou, W.: Malwise-an effective and efficient classification system for packed and polymorphic malware. IEEE Trans. Comput. 62(6), 1193–1206 (2013)MathSciNetCrossRefGoogle Scholar
  9. 9.
    Chandramohan, M., Tan, H.B.K., Shar, L.K.: Scalable malware clustering through coarse-grained behavior modeling. In: Proceedings of the ACM SIGSOFT 20th International Symposium on the Foundations of Software Engineering (FSE 2012), pp. 27:1–27:4. ACM, November 2012Google Scholar
  10. 10.
    Gandotra, E., Bansal, D., Sofat, S.: Integrated framework for classification of malwares. In: Proceedings of the 7th International Conference on Security of Information Networks (SIN 2014), pp. 417:417–417:422. ACM (2014)Google Scholar
  11. 11.
    Hall, M., Frank, E., Holmes, G., Pfahringer, B., Reutemann, P., Witten, I.H.: The weka data mining software: an update. SIGKDD Explor. Newsl. 11(1), 10–18 (2009)CrossRefGoogle Scholar
  12. 12.
    Islam, R., Tian, R., Batten, L., Versteeg, S.: Classification of malware based on string and function feature selection. In: Proceedings of 2nd Cybercrime and Trustworthy Computing Workshop (CTC 2010), pp. 9–17. IEEE, July 2010Google Scholar
  13. 13.
    Islam, R., Tian, R., Batten, L.M., Versteeg, S.: Classification of malware based on intergrated static and dynamic features. J. Netw. Comput. Appl. 36, 646–656 (2013)CrossRefGoogle Scholar
  14. 14.
    Kolter, J., Maloof, M.: Learning to detect malicious executables in the wild. In: Proceedings of the 10th ACM International Conferernce on Knowledge Discovery and Data Mining (SIGKDD 2004), pp. 470–478. ACM, August 2004Google Scholar
  15. 15.
    Lee, T., Mody, J.J.: Behavioral classification. In: Proceedings of the 15th Annual Conference of the European Institute for Computer Antivirus Research (EICAR 2006), April 2006Google Scholar
  16. 16.
    Mekky, H., Mohaisen, A., Zhang, Z.-L.: Separation of benign and malicious network events for accurate malware family classification. In: Proceedings of the IEEE Conference on Communications and Network Security (CNS 2015), pp. 125–133. IEEE, September 2015Google Scholar
  17. 17.
    Moser, A., Kruegel, C., Kirda, E.: Limits of static analysis for malware detection. In: Proceedings of the 23rd Annual Computer Security Applications Conference (ACSAC 2007), pp. 421–430. IEEE, December 2007Google Scholar
  18. 18.
    Rieck, K., Holz, T., Willems, C., Düssel, P., Laskov, P.: Learning and classification of malware behavior. In: Zamboni, D. (ed.) DIMVA 2008. LNCS, vol. 5137, pp. 108–125. Springer, Heidelberg (2008). doi: 10.1007/978-3-540-70542-0_6 CrossRefGoogle Scholar
  19. 19.
    Santos, I., Brezo, F., Nieves, J., Penya, Y.K., Sanz, B., Laorden, C., Bringas, P.G.: Idea: opcode-sequence-based malware detection. In: Massacci, F., Wallach, D., Zannone, N. (eds.) ESSoS 2010. LNCS, vol. 5965, pp. 35–43. Springer, Heidelberg (2010). doi: 10.1007/978-3-642-11747-3_3 CrossRefGoogle Scholar
  20. 20.
    Santos, I., Devesa, J., Brezo, F., Nieves, J., Bringas, P.G.: OPEM: a static-dynamic approach for machine learning based malware detection. In: Herrero, Á. (ed.) International Joint Conference CISIS’12-ICEUTE’12-SOCO’12 Special Sessions. AISC, vol. 189, pp. 271–280. Springer, Heidelberg (2013)CrossRefGoogle Scholar
  21. 21.
    Schultz, M., Eskin, M., Zadok, E., Stolfo, F.: Data mining methods for detection of new malicious executables. In: Proceedings of the 22nd IEEE Symposium on Security and Privacy (S&P 2001), pp. 38–49. IEEE, May 2001Google Scholar
  22. 22.
    Siddiqui, M., Wang, M.C., Lee, J.: Data mining methods for malware detection using instruction sequences. In: Proceedings of the 26th IASTED International Conference on Artificial Intelligence and Applications (AIA 2008), pp. 358–368, February 2008Google Scholar
  23. 23.
    Sikorski, M., Honig, A.: Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software, 1st edn. No Starch Press, San Francisco (2012)Google Scholar
  24. 24.
    Stolfo, S., Wang, K., Li, W.-J.: Towards stealthy malware detection. In: Christodorescu, M., Jha, S., Maughan, D., Song, D., Wang, C. (eds.) Malware Detection, pp. 231–249. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  25. 25.
    Tian, R., Batten, L., Islam, R., Versteeg, S.: An automated classification system based on the strings of trojan and virus families. In: Proceedings of 4th International Conference on Malicious and Unwanted Software (MALWARE 2009), pp. 23–30. IEEE, October 2009Google Scholar
  26. 26.
    Tian, R., Batten, L.M., Versteeg, S.C.: Function length as a tool for malware classification. In: Proceedings of the 3rd International Conference on Malicious and Unwanted Software (MALWARE 2008), pp. 69–76. IEEE, October 2008
Google Scholar
  27. 27.
    Tian, R., Islam, R., Batten, L., Versteeg, S.: Differentiating malware from cleanware using behavioural analysis. In: Proceedings of the 5th International Conference on Malicious and Unwanted Software (MALWARE 2010), pp. 23–30. IEEE, October 2010Google Scholar
  28. 28.
    Wang, C., Pang, J., Zhao, R., Liu, X.: Using API sequence and Bayes algorithm to detect suspicious behavior. In: Proceedings of the International Conference on Communication Software and Networks (ICCSN 2009), pp. 544–548. IEEE, February 2009Google Scholar
  29. 29.
    Ye, Y., Li, T., Chen, Y., Jiang, Q.: Automatic malware categorization using cluster ensemble. In: Proceedings of the 16th ACM International Conference on Knowledge Discovery and Data Mining (SIGKDD 2016), pp. 95–104. ACM, July 2010Google Scholar
  30. 30.
    Yin, H., Song, D., Egele, M., Kruegel, C., Kirda, E.: Panorama: capturing system-wide information flow for malware detection and analysis. In: Proceedings of the 14th ACM Conference on Computer and Communications Security (CCS 2007), pp. 116–127. ACM (2007)Google Scholar

Copyright information

© Springer International Publishing AG 2016

Authors and Affiliations

  • Tewfik Bounouh
    • 1
  • Zakaria Brahimi
    • 1
  • Ameer Al-Nemrat
    • 2
  • Chafika Benzaid
    • 3
  1. 1.Department of Computer ScienceUSTHBBab EzzouarAlgeria
  2. 2.Architecture, Computing, and Engineering SchoolUELLondonUK
  3. 3.Division Sécurité InformatiqueCERISTBen AknounAlgeria

Personalised recommendations