Empirical study on features recommended by LSVC in classifying unknown Windows malware

dc.contributor.author: Shiva Darshan, S.L.
dc.contributor.author: Jaidhar, C.D.
dc.date.accessioned: 2026-02-08T16:50:38Z
dc.date.issued: 2019
dc.description.abstract: Modern malware has greatly evolved and become sophisticated with the capability to evade existing detection techniques. To defend against an advanced class of malware, behaviour-based malware detection technique has emerged as an essential complement. The major challenging task in this technique is to identify significant features from the original features’ set. The main objective of this work was to explore the effectiveness of the linear support vector classification (LSVC) in choosing prominent features from an original feature set derived from the Cuckoo sandbox generated behaviour reports. In this work, the proposed malware detection system (MDS) utilizes the Cuckoo sandbox to obtain runtime behaviour report of the Windows executable file to be examined. From the report, features are extracted, and then LSVC is applied onto the extracted features to recognize crucial features, which boost the detection ability of the MDS. The efficiency of the proposed MDS was evaluated using real-world malware samples with tenfold cross-validation tests. The experimental results demonstrated that the proposed MDS is proficient in accurately detecting malware and benign executable files by attaining a detection accuracy of 98.429% with the sequential minimal optimization (SMO) classifier. © Springer Nature Singapore Pte Ltd. 2019
dc.identifier.citation: Advances in Intelligent Systems and Computing, 2019, Vol. 817, p. 577-590
dc.identifier.isbn: 9783319604855
dc.identifier.isbn: 9783319276427
dc.identifier.isbn: 9783319419343
dc.identifier.isbn: 9783319232034
dc.identifier.isbn: 9783319938844
dc.identifier.isbn: 9783642330414
dc.identifier.isbn: 9783319262833
dc.identifier.isbn: 9788132220084
dc.identifier.isbn: 9783642375019
dc.identifier.isbn: 9783030026820
dc.identifier.issn: 21945357
dc.identifier.uri: https://doi.org/10.1007/s40032-025-01213-9
dc.identifier.uri: https://idr.nitk.ac.in/handle/123456789/33913
dc.publisher: Springer Verlag service@springer.de
dc.title: Empirical study on features recommended by LSVC in classifying unknown Windows malware
