MalSensor: Fast and Robust Windows Malware Classification

Bibliographic Details
Published in: ACM Transactions on Software Engineering and Methodology, 2025-01, Vol. 34 (1), pp. 1-28
Main Authors: Zhao, Haojun; Wu, Yueming; Zou, Deqing; Liu, Yang; Jin, Hai
Format: Article
Language: English
Description

Summary: Driven by substantial profits, the evolution of Portable Executable (PE) malware has posed persistent threats. PE malware classification has been an important research field, and numerous classification methods have been proposed. With the development of machine learning, learning-based static classification methods achieve excellent performance. However, most existing methods cannot meet the requirements of industrial applications because of limits on resource consumption and because of concept drift. In this paper, we propose a fast, high-accuracy, and robust function call graph (FCG)-based PE malware classification method. We first extract precise function call relationships through code and data cross-referencing analysis. Then we normalize function names to construct a concise and accurate function call graph. Furthermore, we perform topological analysis of the function call graph using social network analysis techniques, thereby enhancing the program's function call features. Finally, we use a series of machine learning algorithms for classification. We implement a prototype system named MalSensor and compare it with nine state-of-the-art static PE malware classification methods. The experimental results show that MalSensor is capable of classifying a malicious file in 0.7 seconds on average with up to 98.35% accuracy, which represents a significant advantage over existing methods.
ISSN: 1049-331X (print), 1557-7392 (online)
DOI: 10.1145/3688833