McBoost: Boosting Scalability in Malware Collection and Analysis Using Statistical Classification of Executables
Roberto Perdisci
Damballa, Inc.
United States
Andrea Lanzi
Universita' degli Studi di Milano
Italy
Wenke Lee
Georgia Institute of Technology
United States
Abstract:
In this work, we propose Malware Collection Booster (McBoost), a
fast statistical malware detection tool that is intended to improve
the scalability of existing malware collection and analysis
approaches. Given a large collection of binaries that may contain
both hitherto unknown malware and benign executables, McBoost
reduces the overall time of analysis by classifying and filtering
out the least suspicious binaries and passing only the most
suspicious ones to a detailed binary analysis process for signature
extraction.
The McBoost framework consists of a classifier specialized in
detecting whether an executable is packed or not, a universal
unpacker based on dynamic binary analysis, and a classifier
specialized in distinguishing malicious from benign code. We
developed a proof-of-concept version of McBoost and evaluated it on
5,586 malware and 2,258 benign programs. McBoost has an accuracy of
87.3%, and an Area Under the ROC curve (AUC) equal to 0.977. Our
evaluation also shows that McBoost reduces the overall time of
analysis to only a fraction (e.g., 13.4%) of the computation time
that would otherwise be required to analyze large sets of mixed
malicious and benign executables.
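The triage idea in the abstract, as an added example that is not the paper's code: a suspicion score from a (hypothetical) classifier, a rank-based AUC over constructed labels, and the filtering step that forwards only binaries above a threshold to detailed analysis, with the resulting analysis time expressed as a fraction of analyzing every binary in detail. The sample names, scores and the per-binary costs are constructed for illustration; the paper's real features, classifiers and unpacker are not reproduced.

```python
from typing import List, Tuple

# (name, ground-truth is_malware, classifier suspicion score) -- constructed data
SAMPLES: List[Tuple[str, bool, float]] = [
    ("calc.exe",       False, 0.05),
    ("notepad.exe",    False, 0.12),
    ("setup.exe",      False, 0.40),  # packed benign installer: looks suspicious
    ("tool.exe",       False, 0.55),  # benign false positive above 0.5
    ("dropper.exe",    True,  0.93),
    ("bot.exe",        True,  0.81),
    ("worm.exe",       True,  0.60),
    ("packed_rat.exe", True,  0.35),  # evasive sample with a low score
]


def auc(samples: List[Tuple[str, bool, float]]) -> float:
    """Area under the ROC curve computed as the Mann-Whitney statistic:
    the probability that a random malware scores above a random benign
    binary (ties count one half)."""
    pos = [s for _, mal, s in samples if mal]
    neg = [s for _, mal, s in samples if not mal]
    wins = 0.0
    for p in pos:
        for n in neg:
            wins += 1.0 if p > n else 0.5 if p == n else 0.0
    return wins / (len(pos) * len(neg))


def triage(samples: List[Tuple[str, bool, float]], threshold: float):
    """Filtering step: forward binaries scoring >= threshold to detailed
    analysis; return (forwarded names, malware wrongly filtered out)."""
    forwarded = [name for name, _, s in samples if s >= threshold]
    missed = [name for name, mal, s in samples if mal and s < threshold]
    return forwarded, missed


def time_fraction(samples: List[Tuple[str, bool, float]], threshold: float,
                  classify_cost: float, detailed_cost: float) -> float:
    """Total time with filtering (every file classified, only forwarded files
    analyzed in detail) relative to detailed analysis of every file."""
    forwarded, _ = triage(samples, threshold)
    n = len(samples)
    with_filter = n * classify_cost + len(forwarded) * detailed_cost
    return with_filter / (n * detailed_cost)


if __name__ == "__main__":
    print("AUC:", auc(SAMPLES))
    for thr in (0.3, 0.5):  # lower threshold: fewer misses, less time saved
        fwd, miss = triage(SAMPLES, thr)
        print(thr, fwd, miss, time_fraction(SAMPLES, thr, 1.0, 100.0))
```

Lowering the threshold recovers the evasive low-scoring sample at the price of forwarding more benign binaries, which is the trade-off a collection pipeline tunes against its analysis budget.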
