1
Static Malware Analysis Using Multiple
Machine Learning Algorithm for Malware Detection
Abhinav Parkash Sharma Mayank Ranjan
BTech III Year BTech III Year
Vellore Institute of Technology, Vellore Institute of Technology,
Chennai, India Chennai, India
abhinavparkash.2016@gmail.com mayank.ranjan2016@vitstudent.ac.in
Abstract— The aim of malware analysis is to detect
whether a file is infected or not in order to avoid any kind of
system intrusion. The goal of this research is to find the
optimal machine learning algorithm to predict whether a file is
malicious or not by using different machine learning models on
a given dataset. For the above purpose the implementation and
accuracy comparisons are done with the help of python
libraries and then summary analysis will be then used to
suggest the best machine learning model for the detection of
the malware infected files this can then be used as a layer in a
bigger neural network for dynamic malware analysis and
attack detection and prevention.
Keywords— malware, machine learning, malware analysis,
Decision Tree, Support Vector Machines, Random Forest, Linear
Regression
I. INTRODUCTION
The use of Internet and its wide spread resources
has been on an exponential increasing trend in the past few
decades. This trend has led to multiple services being made
available to the user over secure connections, these services
include banking, purchases and even data exchange. This is
one of the main reason due to most of the hackers to export
different kind of malwares to naïve users. When the
malware infects an particular computing device be it a
mobile device or a desktop each and every transactions in
which that particular device is involved becomes
compromised. Mostly malwares are spywares or viruses that
are intended for the basic purpose of stealing confidential
information or money in any form. These malwares then
empower hackers to commit various cyber-crimes like fake
e-payments, denial of service attack, illegal hacking etc.
Despite of so many antimalware measures there have been
so many practical attacks that have occurred in the past. Due
to the ever-changing internet and new technologies coming
in which have increased the ease of network and computer
penetration, the task of keeping the users safe has become
really difficult for companies that provide the world with
anti-malware solutions. To avoid attacks and to provide the
users with security updates in the limited period of time is
another challenge that such companies face.
Malware protection and removal once infected, is one of the
main tasks of any anti-malware companies, as even a single
attack could lead to loss of confidential data, money and the
systems privacy. Recent advancements in computer science
and hardware have made it possible for machine learning
algorithms and models to effectively and efficiently be
Udai Agarwal
BTech III Year
Vellore Institute of Technology,
Chennai, India
udai.agarwal2016@vitstudent.ac.in
applied to extract useful information from large datasets.
This has made it possible to analyze the data extracted from
the attributes of malicious portable executables.
A. Detection Methods
Static Analysis:
It is done by analyzing the program in the form of
software code of malware and gain knowledge how the
malware works. Reverse engineering is used in the form of
decompile tool, disassemble tool for understanding the
structure of the malware[7]. It includes the various
techniques:
1. String Extraction (error messages)
2. Fingerprinting (in the form of hash and detect
hardcoded username, files)
3. File Metadata (PE headers)
Dynamic Analysis:
When we execute a file, its behavior is being noted along
with the other information related to the file as well as its
properties and intentions of the creator for those executable
files. It is faster as compared to static analysis of the
malware.
B. Why Machine Learning?
In order to detect a polymorphic malware that
change its signatures, as well as new malware, for which
signatures have not been created yet. Due to the inaccuracy
of the heuristic based detectors while detecting the malware
we need to switch ourselves to machine learning algorithms
combined with heuristic approach to offer high accuracy
rate. When relying on heuristics-based approach, there has
to be a positive threshold for malware triggers, defining
the quantity of heuristics wished for the software to be
called malicious. For example, we can outline a set of
suspicious features, such as “registry key changed”,
“connection established”, “permission changed”, etc.
Any software that shows at least five features from that set
can will be termed as malicious. Although this approach
provides some stage of effectiveness, it is no
longer always accurate, considering that some features can
have greater “weight” than others, for example, “permission
changed” usually results in greater severe impact to
the device than “registry key changed”. In addition to that,
 2

some function combinations [8] may be extra suspicious than
features via themselves. To take these correlations into
account and provide more correct detection, machine
gaining knowledge of strategies can be used.
This research was conducted using a dataset with 4900
records of portable executable attributes of malicious files,
which is used to predict whether they the test files are
malicious or not by using different machine learning
algorithms. The models will be trained using this dataset and
the accuracy was the tested on another 100 records which
were extracted from a mix of malicious and non-malicious
II. RELATED WORK
Previously, static and dynamic analysis for
malware analysis was used by Distler [1. Meanwhile, Ari
[2] has also been doing malware analysis using reverse
engineering techniques and methodologies by bring in the
use of biscuit apt1 as a malware sample. Another malware
analysis research also doing by Flores [3] with
win32.Kryptic. In the meantime, Daoud [4] has research
regarding technique used by malware to avoid detection
from antivirus. Research conducted by Uppal [5] more focus
files. The dataset contains more than 50 attributes describing
file properties of different malicious files. Visualization’s
were then made on various attributes of this dataset and how
it affects in order to know whether a file is malicious or not.
The machine learning algorithm that were used for static
detection are Linear Regression, Decision Tree, Support
Vector Machines and Random Forest. On the basis of the
detection and prediction summary analysis conclusions of
which model is better over the other and which attribute is
the best for determining the malware were made.
on technique and tools used in malware analysis. Most of
the literature we came across during our research was either
focused on static analysis method or technique used for
analysis malware, there were only a few in which a
substantial comparison or conclusions were made upon the
best possible machine learning algorithm for prediction of
malicious files. Whereas our work tests four different
machine learning algorithms for malware analysis in depth
comparison, using static analysis of portable header
attributes to get more detail information for characteristics
of malware.

Analysis Type Purpose Tools

STATIC Use as many antivirus detection engines as Antivirus
possible to assist classification.
Search the body of the malware for strings. Strings (Microsoft, 2008c)
DYNAMIC File integrity check to record baseline Winalysis (Winalysis.com, 2008)
configuration.
File monitoring. Find which tools are Filemon (Microsoft, 2008c)
opening,
reading and writing files.
Process monitoring. Determine resources that Process explorer (Microsoft, 2008c)
are

Network monitoring. Uncover which ports are Fort (Found stone, 2008), tcpview
open, (Microsoft, 2008c), nessus (Tenable
collect network traffic and find vulnerabilities. Network Security, 2008), nmap
(Insecure.org, 2008), wireshark (Combs,
2008), and snort (Sourcefire, 2008).
Registry monitoring. Monitor registry Regmon (Microsoft, 2008c)
activities as
they occur.
CODE Disassembly, debugging IDA Pro
OllyDbg (Yuschuk, 2008)

Table I Summary of malware analysis tools showing analysis type purpose and name of commonly used tool name.

Serial No. Title Author Contribution

1. Survey on malware Vinod, Gaur The detection method is related to signature-based detection,
detection methods reverse engineering of complex code to detect malicious behavior
of the malware. [15]

2 A Threat to Cyber Brand, Valli, Paper displayed a threat to digital flexibility as a theoretical model
Resilience: A Woodward of a malware rebirthing botnet [16]
malware (2011)
Rebirthing Botnet.
 3

3 Lessons learned Brand, Valli, Examiner must comprehend the counter investigation procedure
from an Woodward that can be utilized and how to moderate them, the impediments of
Investigation into (2011) existing apparatuses and how to utilize a suitable examination
the system to reveal the purpose of malware. [17]
Analysis
Avoidance
Techniques of
Malicious
Software.

4 SPiKE: Vasudevan, Developed a new dynamic coarse grained binary

Engineering Yerraballi instrumentation framework codenamed SPiKE that aids in the
Malware Analysis construction of powerful malware analysis tools to combat
Tools using malware that are becoming increasingly hard to analyse. [13]
Unobtrusive
Binary-
Instrumentatio

5 The Malware Valli,

Analysis Brand Exhibited an establishment for a malware (MABOK) i.e, required to
Body of (2008 effectively forensically break down malware. [14]
Knowledge(MABO )
K)

6 Static analysis of Christodorescu,

executables to M Jha (2003) Presented an architecture for detecting malicious patterns in
detect executables that is resilient to common obfuscation transformations.
malicious patterns [11]

7 TT Analyze: A tool Bayer, Presented a tool TT analyzer for dynamically analyzing the
for Kruegel, behavior of windows executables [12]
analyzing malware. Kirda (2006)

Table II: Related work referred throughout the paper.

III. METHODOLOGY
For the malware analysis we are using python
libraries along with a python script in order to extract
the data for the given dataset. This script extracts all the
PE file values used in the dataset for classifying the
files as malicious or normal and appends it to a csv file
for analyzing.
techniques range from Support Vector Machines (SVM) to
Neural Networks to Classification Trees. In order to produce
more refined results as compared to the prior projects we
will try to refine our dataset by declining the unnecessary
results from the output.
Algorithms:
A. Logistic Regression

1. Gathering Malware Samples: Logistic Regression is used for categorical data.

The malware chooses for the analysis could be found at
https://github.com/urwithajit9/ClaMP/blob/master
/dataset/ClaMP_Raw-5184.arff. This dataset contains 54
attributes for various malicious and non-malicious files
(4385). We have used python through the jupyter notebook
interface in order to analyze this dataset.
Here in the given malware set class has binary input in the
form of 1 and 0 which represents malicious and normal
files. The logistic function also known as the sigmoid
function is an S-shaped curve that can take any real valued
function between 0 and 1, but never exactly at those limits.
1 / (1 + e^-value)

2. Literature Survey: Where the base of the natural logarithms is e. [18]

There have been a lot of past works regarding the B. Decision Tree
malware analysis on the different binary malware datasets
using various machine learning algorithms. These

Decision Tree algorithm can also be used for
classification of dataset. The decision tree algorithm uses
tree representation in which the internal node represents the
attribute while the leaf nodes represents the class label.
Here the attribute will be class and the leaf nodes will be
malicious and non-malicious depending on the other
attributes.
It also helps us to determine the most important attribute is
resulting in declaring a file as malicious or not.
Pseudocode:
While distributing the dataset into small subsets the entropy
changes which results in Information Gain that is measured
by change in entropy given by the below formulae:
Entropy (a, b) = - [instances of a*(log [instances of a])
+instances of b*(log [instances of b])]
This entropy is the measure of accuracy of the model on the
given dataset. [18]
C. Support Vector Machine
Another discriminative classification algorithm
formally defined a separating hyperplane, the algorithm
works by plotting the data in n-dimensional space.
Hyperplanes are then used in order to distinguish between
different cluster classes. Out of all the hyperplanes in the
given space the hyperplane e which is at the maximum
distance from both the clusters is choose. This is a
supervised learning model which outputs an optimal
hyperplane. [18]
D. Random Forest
Random Forest works on the fundamental that it is
basically a combination of many decision tree resulting in
the formation of a forest. It gives a more stable and accurate
results. Instead of searching for the most important feature
while splitting a node, it searches for the best feature among
a subset of features. [18]
E. Static characteristics of PE files
PE file format was introduced in Windows 3.1 as
PE32 and further evolved as PE32+ format for 64-bit
Windows Operating Systems. Common Object File Format
(COFF) header, standard COFF fields such as header, data
4
directories, section table, and Import Address Table (IAT)
are the main contents of PE file.
A finite set of quantitative (can be integer, real or binary
value), categorical and labelled numeral’s can be derived
from the different types of features. An example of the
numerical feature is CPU (in %) or RAM (in Megabytes)
usage, while nominal can be a file type (like ∗.dll or ∗.exe)
or Application Program Interface (API) function call (like
write () or read ()). [6]
On Windows NT operating systems, PE currently supports
the IA-32, IA-64, x86-64 (AMD64/Intel
64), ARM and ARM64 instruction set architectures(ISAs).
Prior to Windows 2000, Windows NT (and thus PE)
supported the MIPS, Alpha, and PowerPC ISAs. Because
PE is used on Windows CE, it continues to support several
variants of the MIPS, ARM (including Thumb),
and SuperH ISAs. [10]
IV. MODULES
The project implementation has six modules. They are
dataset collection, data pre-processing, Feature selection,
Model Selection, Classifier Model for predicting malicious
or normal file, Comparison of Accuracy on Logistic
regression, Decision Tree, Random Forest and Super Vector
Machine algorithms.
A. Dataset Collection
The collection of data is based on the different PE
header attributes of files present in the dataset as it is directly
proportional to the probability of malware’s involvement in
those files to a great extent. The dataset can be collected
from any online repository.
B. Data Pre-Processing
Pre-Processing can take a considerable amount of time
as it needs removal of NULL values in different attributes
along with the unreliable data present in the dataset. Data
pre-processing includes cleaning, normalization, and
transformation of attributes according to the criteria for the
analysis of malware. In order to perform the feature selection
on a particular test data, it must be run through a python
script that is used for the purpose of PE header extraction.

C. Feature Selection
In machine learning and statistics, feature selection,
also known as variable selection, feature reduction, attribute
selection or variable subset selection, is the technique of
selecting a subset of relevant features for building robust
learning models. Feature selection is a particularly important
step in analyzing the data from many experimental
techniques. The Feature selection decreases the time to
classify and also classify in efficient manner.
D. Model Selection
The model will be selected based on the accuracy and time
consumption of various machine learning algorithm in order
to predict whether a given set of data is malicious or not. In
this module the dataset will be tested on various machine
learning algorithms. The test dataset is used for analyzing the
efficiency of the models while the trained dataset is explicitly
used for measuring the accuracy of algorithms. The Models
used in this module is basically used for classification
techniques thus, helps in producing a binary output in the
form of 0 and 1 for absence and presence of malware
respectively in the files for a given binary dataset. The
algorithms used are: Logistic Regression, Decision Tree,
Random Forest, and Support Vector Machine.
E. Classifier Model
The data mining technique classification is done on the
dataset. Classification is done with purpose of identifying the
different set of attributes for a new observation on the basis
of a training dataset containing observation related to
particular properties of the data involved in the dataset.
These properties can be ordinal, continuous, categorical and
discrete. Some algorithms requires continuous function
presence while some other require discrete input for
classification and analysis. PCA python library is used in
order to reduce the total number of attributes from 54 to 40
by identifying that somehow the presence of 14 attributes
does not affect detection of malware in the given dataset.
Thus increasing the efficiency of a model by reducing the
processing time and do the binary classification of the model.
F. Accuracy Comparison (Performance Evaluation)
Classifier performance depends greatly on the
characteristics of the data to be classified. Various empirical
tests have been performed to compare classifier performance
and to find the characteristics of data that determine classifier
performance. In this module the comparison is done on the
accuracy of the models. In the project, the model’s
performance was increased by the use of PCA which
eliminates the unnecessary attributes from the dataset thus
producing the Random Forest Algorithm as the best model
for measuring the accuracy.
IV IMPLEMENTATION
A. Data Preprocessing
We selected the ClaMP_Raw-5184 dataset for
5
classification of PE Files and comparing the models. Further
we also developed a script using PEV for extracting the
header values for which the model was trained to further test
the models. The dataset had null values for the e_res and
e_res2 header value which needed to be removed. Dataset
was left with 54 features to train, the script was altered
accordingly to get the same 54 header values any
executable. Dataset was split into train (80% of total data)
and test (20% of total data) dataset. There was a total of
4386 records in the train data with equivalent number of
malicious and non-malicious records. The test data had 800
records of which had equal amount of malicious and non-
malicious file records.
B. Feature Selection
Feature selection is a significant part of analyzing
data, and achieving best results using minimum number of
features. This also helps to prevent overfitting of data.
Reducing the data being used can help the model to work
faster by lowering the dimensions. For this we calculated the
eigen values for the 54 features. The features with highest
eigen values were calculated, i.e. the features with eigen
values greater than 1. This came out to be 37. Further we
used PCA to reduce the number of components to 37 which
selects the features based on feature importance. The data
was then used to train all the models and compare the
accuracy [9].
C. Model Training
Classification models were chosen for this purpose. The
models were trained for binary classificaiton of files using
the portable executable file’s header values. The models
compared for accuracy on the given dataset are logistic
regression, decision tree classifier, SVM and random forest.
The models were compared with each other on the accuracy
achieved with the test data. SVM gave the least results
followed by logistic regression and decision trees and
random forest had almost similar score for the data.
Random forest was used for classification for its bagging
approach, it improves the results by splitting the data into
subsets to send them to the different nodes. The decision
tree models are trained on those subsets of features. Results
from those trees are then averaged to give a prediction from
all decision trees.
D. Classification of dataset
Malware detection in portable executable files is done
using classification techniques. Classification is a
datamining technique used to differentiate the objects in
various separable classes of objects already defined in the
dataset. For the purpose of malware detection in PE files,
the dataset has two classes 0(non-malicious) and
1(Malicious). Binary classificaiton is done on the data to
find whether the header values of that files indicate it to be a
malware or not. The values like image base and size of stack
reserve from the file header are used for classification of the
file as malicious or clean.
 6

E. Malware detection using ensemble learning Random Forest 1.00 0.978

The goal of using a bagging technique (ensemble model) Table IV gives the accuracy of various models on a
for classification is to combine the results of multiple predefined test dataset along with the actual dataset .This
models and get a combined result for better accuracy. gives the accuracy rate varying from 89% to 100% for the
Bagging technique uses bootstrapping for training multiple test dataset and 65% to 97.8% for the train dataset.
models and then from their collective result obtain the final
resulting model. Multiple subsets are created from the
original data with replacement. A base model is specified
and is then used for training each of these subsets
independently.
Random forest is one such model which uses bagging
technique for training a model for classification.
Bootstrapping is done to create the subsets from the data.
The base model used in the case of random forest is decision
trees which here, splits the records in two different
categories (clean and malicious) based on one feature,
which are which are further split into two based on the next
feature, selected in order of feature importance. The same is
continued till all the leaf nodes are classified (contain the
result malicious/non-malicious). These decision tree results
from the ones trained on different subsets are averaged to
finally produce the output. In this system all the malwares
are labelled as malicious while the rest are labelled as
normal files.

V. RESULTS AND COMPARISON

The classification of files as malicious or not using different

machine learning algorithms. The numbers of Correct and
Incorrect classification instances are counted and the
classification rate is measured for every model.

MACHINE CORRECTLY INCORRECTLY CLASSIFICATION

LEARNING CLASSIFIED CLASSIFIED RATE
MODEL
Logistic 3903 482 89%
Regression
Decision 4210 175 96%
Tree
Support 2850 1535 65%
Vector
Machine
Random 4289 96 97.8%
The best feature used to detect whether a file is malicious or
Forest not is IMAGEBASE as depicted by the above graph. The
graph also conveys that 14 attributes in the given dataset
Table III gives the classification rate for various files which does not affect the malicious nature of the files, thus their
varies from 65% to 97.8 %. The model which gives the best exclusion can help to increase the speed of the measurement
result is Random Forest Algorithm with classification rate of of accuracy of various models. Adding this feature
97.8%. extraction constraint helps to increase the accuracy of the
prediction for the given malware detection.
MACHINE TEST DATASET TRAIN
LEARNING ACCURACY DATASET The below graph shows the comparison of different
MODEL ACCURACY machine algorithm on the test and train dataset.
Logistic 0.89 0.89
Regression
Decision Tree 1.00 0.96
Support Vector M 1.00 0.65
 7

The graph gives the following predictions:

1. Random Forest>Decision Tree>Logistic

Regression>SVM
2. RANDOM FOREST ALGORITHM is the best as
compared to other algorithms. (97.9974968711%
accuracy).
Despite of using PCA in both the approaches of random
forest and decision tree algorithm we are able to identify
that even with less attributes random forest is a better
approach for analyzing due to its more accuracy. So
according to the outputs obtained the derived best
algorithm can now be implemented as a part of a bigger
neural network which can increase the prediction
accuracy of the neural network substantially.

The Random Forest hence obtained from the

experimentation is given below:

VI CONCLUSION

The project is based on malware detection and analysis of

accuracy of different machine learning models. Malware
analysis is a multi-step process providing insight into
malware structure and functionality. Behavior monitoring,
an important step in the analysis process, is used to observe
malware relations with respect to the system and is achieved
by employing dynamic coarse-grained binary-
instrumentation on the target system. For this project we
used logistic regression, decision tree, random forest and
support vector machine approaches to analyze which model
gives best detection rate for malwares of the given binary
dataset. Out of all the models the best machine learning
algorithm is Random Forest approach. The future work of REFERENCES
the project is implementing the models for a multi class
dataset, and to use other approaches similar to PCA in order [1] Distler, “Malware Analysis: An Introduction”, D. 2007.
to reduce the time due to calculation overload on various
models.

[2] Ari N, “Penerapan Analisa Malware Pada Biscuit apt1
Menggunakan Teknik Reverse Engineering”, Journal of
KNSI, February 2015.
[3] Flores, “Malware Reverse Engineering part1 of 2. Static
analysis”, Technical Report.
[4] Daoud, E. Al, Jebril, I. H., & Zaqaibeh, B. 2008.
Computer Virus Strategies and Detection Methods. Int. J.
Open Problems Compt. Math., Vol. 1, No. 2, September
2008.
[5] Uppal, D., Mehra, V., & Verma, “Basic survey on
Malware Analysis, Tools and Techniques”, International
Journal on Computational Sciences & Applications (IJCSA)
Vol.4, No.1, February 2014.
[6] Andrii Shalaginov, Sergii Banin, Ali Dehghantanha,
Katrin Franke, “Machine Learning Aided Static
MalwareAnalysis: A Survey and Tutorial”,
arXiv:1808.01201v1 [cs.CR] 3 Aug 2018.
[7] M. Schultz, E. Eskin, F. Zadok, and S. Stolfo,“Data
Mining Methods for Detection of New Malicious
Executables”, Proceedings of 2001 IEEE Symposium on
Security and Privacy.
[8] C. Bishop, “Pattern Recognition and Machine Learning”,
New York: Springer, 2006.
[9] T. Subbulakshmi and A. F. Afroze, "Multiple learning
based classifiers using layered approach and Feature
Selection for attack detection," 2013 IEEE International
Conference ON Emerging Trends in Computing,
Communication and Nanotechnology (ICECCN),
Tirunelveli, 2013, pp. 308-314. doi: 10.1109/ICE-
CCN.2013.6528514.
[10] Microsoft Documentations.
8
[11] Christodorescu M, Jha S., “Static analysis of
executables to detect malicious patterns”, Proceedings of
the 12th USENIX Security Symposium; 12–12; 2003.
[12] Bayer U, Kruegel C, Kirda E. TTAnalyze, “A tool for
analyzing malware”, Proceedings of EICAR; April 2006.
[13] Vasudevan and R. Yerraballi. Spike, “Engineering
malware analysis tools using unobtrusive binary-
instrumentation”, Proceedings of the 29th Australasian
Computer Science Conference, pages 311–320, 2006.
[14] Valli C, Brand M., “Malware Analysis Body of
Knowledge”, Paper presented at the 6th Australian
Digital Forensics Conference; Edith Cowan University;
Mount Lawley Campus; Western Australia; 2008.
[15] Vinod P, Laxmi V, Gaur M S., “Survey on
Malware Detection Methods”.
[16] Brand M, Valli C, Woodward A, “A Threat to cyber
resilience: A malware rebirthing Botnet”, The Proceedings
of the 2nd International Cyber Resilience Conference;
2011.
[17] Brand, M., “Analysis avoidance techniques of
malicious software”, [Online]. Available:
https://ro.ecu.edu.au/theses/138. [Accessed: 10- Oct- 2018]
[18] Business Analytics, ' Essentials of Machine Learning
Algorithms (with Python and R Codes) ‘,. [Online].
Available: https://www.analyticsvidhya.com/blog/2017/09/
common-machine-learning-algorithms/. [Accessed: 10- Oct-
2018]