| Field | Value | Language |
|---|---|---|
| dc.contributor.author | TABISH, SYEDA MOMINA | |
| dc.date.accessioned | 2020-11-05T05:46:30Z | |
| dc.date.available | 2020-11-05T05:46:30Z | |
| dc.date.issued | 2010 | |
| dc.identifier.uri | http://10.250.8.41:8080/xmlui/handle/123456789/10015 | |
| dc.description | SUPERVISOR: DR FAUZAN MIRZA | en_US |
| dc.description.abstract | Malicious portable executables (PE) pose a significant threat to Microsoft Windows operating systems. State-of-the-art antivirus software detects malicious PE files using signature-based approaches or manually generated heuristics. However, the size of the signature database, the signature-matching overhead and the cost of manual heuristic generation cannot scale with the exponential increase in the number of malicious PE files. In this work we present a data mining approach to automatically extract distinguishing features and classify unseen malicious PE files. The distinguishing features are extracted from the structural information provided by the standard PE file format for executables, DLLs and object files used in Microsoft Windows operating systems. The eventual classification is performed using well-known data mining algorithms. Our executable classification methodology is twofold: first we classify executables as benign or malicious, and second we classify malicious executables as a function of their payload. We evaluated PE-Miner on two malware collections, the VX Heavens dataset and the Malfease dataset, which contain 11 thousand and 5 thousand malicious PE files respectively. The results of our experiments show that PE-Miner achieves more than 99% detection rate with less than 0.5% false alarm rate for distinguishing between benign and malicious executables. Furthermore, it achieves an average detection rate of 90% with an average false alarm rate of less than 5% for categorizing the malicious executables as a function of their payload. It is important to emphasize that PE-Miner has low processing overheads and takes only 0.244 seconds on average to scan a given PE file. | en_US |
| dc.publisher | SEECS, National University of Science and Technology, Islamabad. | en_US |
| dc.subject | INFORMATION TECHNOLOGY, | en_US |
| dc.subject | Malicious Portable Executables | en_US |
| dc.title | Detection of Malicious Portable Executables | en_US |
| dc.type | Thesis | en_US |