Malware Target Recognition via Static Heuristics [I]
T. Dube [a,∗], R. Raines [a], G. Peterson [a], K. Bauer [a], M. Grimaila [a], S. Rogers [b]
[a] Air Force Institute of Technology, Wright-Patterson AFB, OH, USA, 45433-7765
[b] Sensors and Information Directorates, Air Force Research Laboratory, Wright-Patterson AFB, OH, USA, 45433-7321
Abstract
Organizations increasingly rely on the confidentiality, integrity and availability of their information and communications technologies to conduct effective business operations while maintaining their competitive edge. Exploitation of these networks via the introduction of undetected malware ultimately degrades that competitive edge, taking advantage of limited network visibility and the high cost of analyzing massive numbers of programs. This article introduces the novel Malware Target Recognition (MaTR) system, which combines the decision tree machine learning algorithm with static heuristic features for malware detection. By focusing on contextually important static heuristic features, this research demonstrates superior detection results. Experimental results on large sample datasets demonstrate near-ideal malware detection performance (99.9+% accuracy) with low false positive (8.73e-4) and false negative (8.03e-4) rates at the same point on the performance curve. Test results against a set of publicly unknown malware, including potential advanced competitor tools, show MaTR's superior detection rate (99%) versus the union of detections from three commercial antivirus products (60%). The resulting model is a fine-granularity sensor with the potential to dramatically augment cyberspace situation awareness.
Keywords: malware detection, information assurance, decision trees
[I] Patent pending.
[∗] Corresponding author, phone (937) 255-3636 x4690, FAX (937) 904-7979, e-mail: thomas.dube@afit.edu
Preprint submitted to Computers & Security September 30, 2011