Kernel Machines for Malware Classification and Similarity Analysis

In this paper we present a method of functionally classifying malicious code that might lead to automated attacks and intrusions using kernel machines. We study the performance of kernel methods in the context of robustness and generalization capabilities of malware classification. Current static detection and scanning techniques for malicious code and malware have serious limitations; on the other hand, sandbox testing fails to provide a complete satisfactory solution either due to time constraints (e. g., time bombs cannot be detected before its preset time expires). Results show that malware analysis based on the Windows API calling sequence that reflects the behavior of a particular piece of code gives good accuracy to classify malware. We also show that classification accuracy varies with the kernel type and the parameter values; thus, with appropriately chosen parameter values, intrusions can be detected by SVMs with higher accuracy and lower rates of false alarms.