Automatic Malware Classification via PRICoLBP

作     者：YAN Hanbing ZHOU Hao ZHANG Honggang 

作者机构：National Computer Network Emergency Response Technical Team/Coordination Center of China Beijing University of Posts and Telecommunications 

出 版 物：《Chinese Journal of Electronics》 (电子学报(英文))

年 卷 期：2018年第27卷第4期

页      面：852-859页

核心收录：

学科分类：0839[工学-网络空间安全] 08[工学] 081201[工学-计算机系统结构] 0812[工学-计算机科学与技术（可授工学、理学学位）] 

基　　金：supported by the National Natural Science Foundation of China(No.U1736218) 

主　　题：Malware classification Pairwise rotation invariant co-occurrence local binary pattern Term frequency-inverse document frequency Texture classification Resilience to obfuscation 

摘      要：Creating effective features is a critical issue in malware analysis. It requires a proper tradeoff between discriminative power and invariance. Previous studies have shown that it is fairly effective to design features based on the binary code. However, the current existing binary-based features seldom take into consideration the problem of obfuscation, such as relocated sections, incomplete code and redundant operations. In this paper, we propose a novel Pairwise rotation invariant co-occurrence local binary pattern(PRICo LBP) feature, and further extend it to incorporate the Term frequency-inverse document frequency(TFIDF) transform. Different from other static analysis techniques, our method not only achieves better linear separability, but also appears to be more resilient to obfuscation. In addition, we evaluate PRICo LBPTFIDF comprehensively on three datasets from different perspectives, e.g., classification performance, classifier selection and performance against obfuscation. What’s more,we compare our PRICoLBP-TFIDF method with other techniques, and demonstrate that PRICo LBP-TFIDF is quite an efficient and effective tradeoff between discriminative power and invariance.