Malware family classification via efficient Huffman features

Stephen O'Shaughnessy, Frank Breitinger

Research output: Contribution to journalArticlepeer-review

Abstract

As malware evolves and becomes more complex, researchers strive to develop detection and classification schemes that abstract away from the internal intricacies of binary code to represent malware without the need for architectural knowledge or invasive analysis procedures. Such approaches can reduce the complexities of feature generation and simplify the analysis process. In this paper, we present efficient Huffman features (eHf), a novel compression-based approach to feature construction, based on Huffman encoding, where malware features are represented in a compact format, without the need for intrusive reverse-engineering or dynamic analysis processes. We demonstrate the viability of eHf as a solution for classifying malware into their respective families on a large malware corpus of 15 k samples, indicative of the current threat landscape. We evaluate eHf against current compression-based alternatives and show that our method is comparable or superior for classification accuracy, while exhibiting considerably greater runtime efficiency. Finally we demonstrate that eHf is resilient against code reordering obfuscation.

Original languageEnglish
Article number301192
JournalForensic Science International: Digital Investigation
Volume37
DOIs
Publication statusPublished - Jul 2021

Keywords

  • Compression
  • Feature construction
  • Huffman encoding
  • Machine learning
  • Malware abstraction
  • Malware classification

Fingerprint

Dive into the research topics of 'Malware family classification via efficient Huffman features'. Together they form a unique fingerprint.

Cite this