MalSensor: Fast and Robust Windows Malware Classification

Abstract

Driven by the substantial profits, the evolution of Portable Executable (PE) malware has posed persistent threats. PE malware classification has been an important research field, and numerous classification methods have been proposed. With the development of machine learning, learning-based static classification methods achieve excellent performance. However, most existing methods cannot meet the requirements of industrial applications due to the limited resource consumption and concept drift. In this paper, we propose a fast, high-accuracy, and robust FCG-based PE malware classification method. We first extract precise function call relationships through code and data cross-referencing analysis. Then we normalize function names to construct a concise and accurate function call graph. Furthermore, we perform topological analysis of the function call graph using social network analysis techniques, thereby enhancing the program function call features. Finally, we use a series of machine learning algorithms for classification. We implement a prototype system named MalSensor and compare it with nine state-of-the-art static PE malware classification methods. The experimental results show that MalSensor is capable of classifying a malicious file in 0.7 seconds on average with up to 98.35% accuracy, which represents a significant advantage over existing methods.