Machine-Learning-Based Malware Detection for Virtual Machine by Analyzing Opcode Sequence

With the rapid development of cloud computing, cloud security is increasingly an important issue. Virtual machine (VM) is the main form to provide cloud service. To protect VMs against malware attack, a cloud needs to have the ability to react not only to known malware, but also to the new emerged ones. Virtual Machine Introspection (VMI) is a good solution for VM monitoring, which can obtain the raw memory state of the VM at Virtual Machine Monitor (VMM) level. Through analyzing the memory dumps, the significant features of malware can be obtained. In our research, we propose a novel static analysis method for unknown malware detection based on the feature of opcode n-gram of the executable files. Different feature sizes ranging from 2-gram to 4-gram are implemented with the feature length of 100, 200, 300 respectively. The feature selection criterion of Term Frequency (TF)-Inverse Document Frequency (IDF) and Information Gain (IG) are leveraged to extract the top features for classifier training. Different classifiers are trained with the preprocessed dataset. The experimental results show that the weighted integrated classifier with opcode 4-gram of 300 features has the optimal accuracy of 98.2%.