INTERNATIONAL JOURNAL OF SCIENTIFIC & TECHNOLOGY RESEARCH VOLUME 9, ISSUE 02, FEBRUARY 2020 ISSN 2277-8616

Classification Of Malware Detection Using

Machine Learning Algorithms: A Survey
P HarshaLatha, R Mohanasundaram

Abstract: Malware is the one which frequently growing day by day and becomes major threats to the Internet Security. The are several methods for
classifying of new malware from the existing signatures or code. The traditional approaches are not much effective to compete the new arriving malware
samples. More antivirus softwares provides defense mechanism against malwares but still zero-day attack is not achieved. To enhance in mechanisms
machine learning algorithms are used and provide good experimental results accordingly. While the traditional signature approaches are also failed to
compete the new malwares. In this paper, we define malware and types of malware as an overview, as well we define the new mechanism of using
machine learning algorithms how effective and efficient in classification of malware detection and we presented the existing works related to malware
detection classification using machine learning algorithms and it is discussed about main important challenges that are facing in malware detection
classification.

Index Terms: Malware, Malware Analysis, Static Analysis, Dynamic Analysis, Classification, Machine learning, Data mining Techniques, Malicious Code.
——————————  ——————————

1 INTRODUCTION 2.1 Types of Malware Analysis

Malware word defines from Malicious Software. Malware is a There are basically three types of Malware Analysis in general
malicious code that affects the user system or computer and which are Static Malware Analysis, Dynamic Malware Analysis,
intently harms the computer by an attacker. Malware is variant and Memory Malware Analysis briefly in Fig. 1.
forms which are a virus, Trojan, backdoor, rootkits,
ransomware, worm, botnet, spyware, adware, keyloggers, 2.3 Static Malware Analysis
etc., and there is a wide range of their families are existing and The process of detecting or examining the malicious code
massively growing on the internet daily. According to the without executing it is defined as static malware analysis. It is
survey [1] conducted by AV-Test Institute, it registers that a signature-based malware analysis. In static malware
everyday 350,000 new malicious code and potentially analysis, static features such as Metadata strings, code, and
unwanted applications. Each malicious one is classified with import libraries are extracted and used in the feature selection
respect to their behavior and saved accordingly by this or feature extraction phase in the machine learning
institute and gives the malware statistics in 2018 is 847.34m classification. Most probably the input file type of static
malicious code is found and recorded and registered. Some of malware analysis is should be of the type exe, DLL,
the malware attacks in history are Melissa was a macro documents, Assembly code, byte code, etc., from these file
embedded with a word file. When the user opens it the macro types static features are extracted as output. The tools used
will execute and resend the virus to the first 50 people in the for static malware analysis are PEiD, ssdeep, pafish, Yara,
user's address book. It was designed by David L. Smith in strings, IDA Pro [2], OllyDbg [3], LordPE [4], OllyDump[5], etc.,
1999. Likewise, several malware attacks in history namely, My
Doom worm in 2004, Stuxnet in 2010, wannacry in 2017. In 2.4 Dynamic Malware Analysis
this paper, we presented the literature work of previously The process of detecting the behavior and functionality of
existing works of malware detection classification using malicious code while executing it is defined as a Malware
machine learning algorithms. Section 2 covers about malware Analysis. Dynamic features are system calls, file activities,
analysis and types of malware analysis. Section 3 is all about process activities, and network activities. The dynamic
literature of malware detection classification using machine malware analysis tools are used to extract the dynamic
learning algorithms. Section 4 is discussion section and features of malicious code, tools are CWSandbox [6],
followed by Section 5 for conclusion. Anubis[7], comodo automated analysis, ThreatTrack etc. The
monitoring tools for dynamic malware analysis are Process
Explorer [12], Process Monitor [13], Capture-BAT [14] (for
2 MALWARE ANALYSIS registry monitoring and file system monitoring), RegShot[15]
The analyzing behavior, functionality, and impact of malware (for detecting System change), Wireshark [16] (for network
samples on a user system defined as malware analysis. The monitoring), Process Hacker replace [17] etc.
analyzing of malware samples variants in different ways which
are signature-based, behavior-based and memory-based 2.5 Memory Malware Analysis
malware analysis. The process of examining the malicious code after executing it
is defined as memory malware analysis. The features for
————————————————
memory analysis are shared libraries, running processes,
• P HarshaLatha, Research Scholar, School of Computer Science hooking detection, network connections, rootkit connection,
and Engineering, Vellore Institute of Technology, Vellore, hidden artifacts, code injection, etc. The tools for memory
Tamilnadu, India. E-mail: harsha17latha@gmail.com analysis are volatility, pin tools, Valgrind, etc.
• Dr. R Mohanasundaram, Associate Professor, School of Computer
Science and Engineering, Vellore Institute of Technology, Vellore,
Tamilnadu, India. E-mail: mohanasundaramr@vit.ac.in

1796
IJSTR©2020
www.ijstr.org
 INTERNATIONAL JOURNAL OF SCIENTIFIC & TECHNOLOGY RESEARCH VOLUME 9, ISSUE 02, FEBRUARY 2020 ISSN 2277-8616

accuracy is down by 12% when the Random Forest classifier

is applied for different datasets due to overfitting problem. For
this problem, they introduce the novel approach using Self
Organizing Feature Map (SOFM) is a classifier that is applying
the ANN approach. The experimental results are increased by
7% accuracy when compared to the previous model. Ab Razak
et al. 2016 [21] presents the works of bibliometric analysis
study of 4000 articles which are published from 2005 to 2015
from the ISI web of science database of records of the
countries North America, Asia, and other continents research
activities are discussed. With Search keywords of ―malware‖,
Fig. 1. Types of Malware Analysis they found 4546 records in a web of science database which
includes journals, books, book sections, patents among that
3 MALWARE DETECTION CLASSIFICATION 2158 records of un-English articles are excluded which are
USING MACHINE LEARNING ALGORITHMS KCI- Korean Journal Database, Derwent Innovation Index, and
Various Machine learning techniques are used for malware SCiELO Citation Index. The findings are collected from Impact
classification such as Support Vector Machine, Decision Tree, journals, highly- cited articles, research areas, productivity,
Naive Bayes, Random Forest, etc., and machine learning keywords frequency, institutions, and authors. They analyze
clustering techniques are used for clustering malware and concluded that North America is crucial one of the
samples. The existing literature is discussed below about publications of academic research in malware and Asia is in
machine learning approaches for malware analysis. Gupta et the second place of publishing malware articles. Ray et al.
al. 2018 [18] proposed architecture for malware detection. In 2016 [22] give a brief overview of malware and malware
this architecture, first prepares the dataset which contains 0.2 analysis. They overviewed about different types of malware
million of files in which has 0.05 million clean files and 0.15 such as worm, Trojan horses, viruses, spyware, backdoor, and
million malware samples these are collected from different rootkits. And they described types of malware analysis which
resources like VXheaven, Nothink, VirusShare, etc. After the are static malware analysis and dynamic malware analysis.
collection of malware samples, automated malware analysis is Without executing the malware comes under static analysis
performed on the collected dataset by using cuckoo sandbox and with the execution of malware comes under dynamic
which contains a series of python scripts to determine the analysis. Function call monitoring, function parameter analysis,
behavior of malware during their execution. The results are in information flow tracking, instruction tracing, etc., are the
the format of JavaScript Object Notation (JSON). The static various techniques carried out in dynamic malware analysis.
and dynamic features are extracted from the json reports using And some of the tools used for malware analysis are Norman
python in Apache Spark. After the feature extraction, the sandbox, Anubis, CWSandbox, etc. They stated that dynamic
classification models are applied to it with 10-fold cross- malware analysis is a better method for malware analysis.
validation. The classification models are applied to the dataset Ucci et al. 2017 [23] present a survey on malware analysis
and evaluate the performance using the parameters True through machine learning techniques. First, they present the
Positive Rate (TPR), False Positive Rate (FPR), Precision, review work of malware analysis objectives, features and
False Negative Rate (FNR) and Accuracy. The experimental machine learning algorithms to process malware analysis
results show Naïve Bayes(NB), Support Vector Machine features. Second, they discussed the issues regarding
(SVM), and Random Forest (RF) gives 89.13 %, SVM gives Malware Datasets and they visualize the literature work of
94.03% and Random Forest gives 98.88% of accuracy. datasets from different sources. Third, they present the work
Random Forest gives the best accuracy with minimum FPR regarding the novel approach of malware analysis economics,
and FNR. Cho et al. 2016 [19] propose a framework that which mainly focused on performance metrics like accuracy,
performs preprocessing the data and classification (Malware execution time and economic costs. AlAhmadi et al. 2018 [24]
Similarity). In the preprocessing step, the malware samples propose a novel approach to a malclassifier. It is a three-step
are reduced the amount in which it is categorized into malware process. In the first step, pre-processing and subsequent
families which is relevant to one another. In the classification extraction is performed malware variant families are the input
process, behavior monitor, sequence refining, sequence for this step which is from network traffic. These variant
alignment, and similarity calculation are to be addressed. 150 families are reassembled with network flow and then it goes to
malware samples are used in 10 different malware variant flow encoding, there subsequent extraction of the flow
families and the classification is repeated by 5 times and the encoding is taken as the input. In the second step, the profile
experimental result gives 87% of high accuracy. Burnap et al. extraction performed on the input of sequence extraction, here
2018 [20] present the novel approach in classification which the flow values are compared for similarity using binary
uses self-organizing maps are used to distinguish between the similarity, Levenshtein distance, cosine similarity, interflow
malicious and benign files and it reduces the overfitting distance after that malware family n-flow mining is performed
process when samples are training. Dataset is collected from on the similarities, from their network behavior profiles are
VirusTotal API. In this architecture, multiple classifiers are used extracted which is the outcome of second step. In the third
for classification and tested in different circumstances. step, training and building a model on profile extraction
Classifier models used in this approach are Random Forest, features. Machine learning algorithms KNN and Random
BayesNet, MLP, and Support Vector Machine. First, all the Forest are used in classification and training the model.
malware samples are tested under 10 fold cross-validation Finally, the malclassifier achieves 95.5% (F-measure) of the
and the classifier results will give the best result by Random high accuracy of malware family classification. Khan et al.
Forest with 98% accuracy and the same Random Forest 2017[25] introduce the framework for malware detecting
1797
IJSTR©2020
www.ijstr.org
 INTERNATIONAL JOURNAL OF SCIENTIFIC & TECHNOLOGY RESEARCH VOLUME 9, ISSUE 02, FEBRUARY 2020 ISSN 2277-8616

(unwanted signatures). Both remote analysis and local network activity or behavior of malware. From the network
analysis of malware detection techniques are used in their traces (pcap file) behavior tree is generated and then features
framework. A file is checked whether it is malicious or benign are extracted from it and perform the classification using
with help of signatures. In the remote analysis, various different machine learning algorithms. Finally, it is found that
antivirus software’s is used to analyzing malicious executables the J48 classifier gives better accuracy results among different
and API. In the local analysis, Anti-virtual machine, anti- anti-virus program comparisons. Kosmidis et al. 2017 [34]
debugger, URL analysis, string analysis, and packing analysis provide an automated framework to classify the unknown
are used. Ronen et al. 2018 [26] provide a standard malware samples using neural networks. Feature engineering
benchmark dataset that was announced by Microsoft Malware used to extract features from the malimg dataset. Perceptron,
Classification Challenge which is cited by several malware decision tree, nearest centroid, stochastic gradient, multilayer
researchers, and it is serving in the Kaggle competition. The perceptron, random forest algorithms are used to classify the
dataset consists of 9 different malware families with 0.5 unknown malware. Random Forest gives better average
terabytes of huge data having more than 20,000 malware accuracy results and testing time also considered as a
samples in byte code cited by nearly 50 research papers. Ye et parameter. Gandotra et al. 2014 [35] provide the integrated
al. 2017 [27] presented a survey on malware detection using framework to classify the unknown malware using the
data mining techniques which is focused on intelligent integrated feature set from both static and dynamic features to
malware detection approaches. They illustrate two stages get a better classification of malware samples. The evaluation
which are feature extraction and classification/clustering as of feature extracted dataset and classification is done by using
important stages in malware analysis and detection. They the four classifiers which are Multilayer perceptron, IB1,
presented the research works from 2011 to 2016 and issues Decision Tree and random forest. In the experiment results,
and challenges in the malware detection using data mining Random Forest gives high accuracy results with 99.58% of
approaches. Wang et al. 2017 [28] introduce the detecting unknown malware and classification. Islam et al.
implementation and design of sandbox, feature extractor, and 2013 [36] introduced the framework earlier than Gandotra et
the classifier. There are mainly three stages in their work al. [35], it is similar to an integrated framework of static and
which are collector, extractor, and classifier. Collector contains dynamic features and performs classification using classifiers
static analysis program and dynamic execution with the to classify the unknown malware. Gandotra et al. 2014 [37]
module PinFWSandbox which records the dynamic surveyed the malware analysis basically on classification and
information and log file information and it passed to the usage of machine learning in malware analysis. Makandar et
extractor stage. Extractor performs both static feature al. 2015 [38] propose a classification of malware families using
extraction, dynamic instruction feature extraction and system artificial neural networks. The malware binaries are converted
called feature extraction. Finally, the classifier performs the to grayscale images and the images are resized. From the
action of combining all the classifier models such as single resized image sub-band filtering is applied to extract features
model classifier result, system call classifier result, dynamic and then feature vector is formed. To extract texture features
immediate classifier result and dynamic opcode classifier Gabor wavelet and GIST descriptor are used. To classify the
result to give the better result of the f1 score which gives extracted features feed-forward back propagation neural
nearly close to 96%. Pai et al. 2017 [29] present malware networks are applied and the experiment result gives 96.35 %
classification using clustering algorithms. Static features are accuracy of unknown malware classification. Kruczkowski et
extracted from the opcode sequences and with their scores. al. 2014 [39] used the Support Vector Machine (SVM) to
These static features are used for malware classification using classify the malware samples using three validation
the clustering algorithms K-means, Expectation-Maximization, techniques which are cross-validation, Leave – one- out and
and Hidden Markov Models. Among the clustering algorithms, Random Sampling (RS). Among the three validation
Expectation-Maximization gives better results of accuracy. This techniques, Random Sampling gives better results of accuracy
is the different approach for malware classification which 94. 98%.Nataraj et al. 2011 [40] presented a novel approach to
includes machine learning clustering algorithms. Gupta et al. classify the malware samples. Malware binaries are converted
2016 [30] present a framework using windows API call to an 8-bit vector and an 8-bit vector to a grayscale image.
sequences. Five malware classes are classified which are Image texture and feature vectors are used for classification.
Worm, Trojan-Downloader, Trojan-Spy, Trojan-Dropper and The Gabor wavelet and GIST descriptor are used in feature
Backdoor among 2000 malware samples using API call extraction. In the experimental results, 98% of accuracy is
sequence and fuzzy hashing based classification. Liu et al. obtained. Tian et al. 2009 [41] present malware classification
[31] provide an approach to evaluate and classify unknown using printable strings which are in malware executables in an
malware instances to cluster with respect to their families. To efficient way. Five classifiers are applied which are Naïve
classify the malware instances shared nearest neighbor Bayes, Support vector machine, IB1, Random forest and
clustering algorithm. The experimental result gives 98.9% Decision Tree on extracted features. The efficiency of all
accuracy for known malware instances and 86.7% of unknown classifiers is improved using the AdaBoostM1 meta-classifier.
malware is correctly classified of new malware instances. In the experimental results of WEKA, Random forest and IB1
Makandar et al. 2017 [32] give an overview of malware gives better results of the overall accuracy of 97%.Khammas
analysis and detection techniques with different types of et al. 2015 [42] give malware classification using the n-gram
malware families. Different methods or techniques are used to technique. For feature selection from dataset Principal
detect and analyze malware, one method is to visualize Component Analysis (PCA) is used for better real-time results.
malware in the form of an image, grayscale image, etc. Neural Network (NN), Decision Tree (J48), Support Vector
Different existing works related to visualization of malware Machine (SVM) and Naive Bayes (NB) classifiers are used for
families are given an overview of their work. Nari et al. 2013 classification. In the experimental results, 97% accuracy gives
[33] propose the automated malware classification based on by SVM. Devesa et al. 2010 [43] present automatic detection
1798
IJSTR©2020
www.ijstr.org
 INTERNATIONAL JOURNAL OF SCIENTIFIC & TECHNOLOGY RESEARCH VOLUME 9, ISSUE 02, FEBRUARY 2020 ISSN 2277-8616

of malware using behavior logs. Using the sandbox time is ce

environment, Qemu for emulation and Wine for simulation for reduced proposed
from 91% system for
extracting features from behavior logs of malware samples. to 99% malware
The four classifiers Naive Bayes, Random Forest, J48 and samples
SMO applied to the extracted features to get better classificati
performance. Random forest classifier gives high accuracy of on and
96.2%.Lin et al. 2015 [44] proposed an approach for malware execution
classification using effective features of data using feature time.
Increasing
selection and feature extraction methods. Feature selection is Random Performan
the
performed on the dataset using the MG TF –IDF method Forest, ce
sample
precisely selected features of subsets of the dataset. These BN, MLP, increased
size and
Support by 7.24%
précised features are examined under the feature extraction Cuckoo Virus granularit
Vector to 25.68%
method PCA which gives accurate results by reducing the [20] Sandbo total y of data
Machine, when
x API. for other
dimensions of the dataset. Support Vector Machine classifier is Self compared
models
applied to the extracted features to get high accuracy and Organizing to the
will
better performance. Dhammi et al. 2015 [45] propose an Feature previous
perform
Map model
approach to classify malware samples and clustering them. better?
The data is collected from the cuckoo sandbox environment Findin
and the data pre-processing is performed using different g the past
10 years
classifiers in the WEKA tool. Among the five classifiers of of articles
machine learning, LMT classifier gives a better accuracy and
performance of 98.3%. The classified malware samples are analyze
clustered using k-means clustering algorithm and give better them with
results. Schultz et al. 2001 [46] were first introduced the the
North
keywords
method of detecting unknown malicious samples using data America
of
mining approaches. Static features are extracted from the PE producing
“Malware
Executables using LibBFD. The three data mining classifiers We more
Bibliom Analysis”,
VOS b of research
Naive Bayes, RIPPER, and Multi-Classifier System are applied [21] etric “Malware
viewer scienc articles
to the extracted features. The Multi-Naive Bayes Strings gives analysis detection”
e when
,
a high average accuracy of 97.76%.The following Table 1 compared
“algorithm
gives the existing literature in detailed as to what tools are to all other
”,
used for their work, what machine learning algorithm used, continents.
”security”
what are internet sources for dataset collection, what are the etc.,
parameter they considered to meet their goals and what are which are
the future works they suggested are listed in the Table 1. important
in
research
TABLE 1 related to
SURVEYED PAPERS EXISTING LITERATURE WORK malware.
Datas Identifying
Performan
Pape Tools Algorithms et Future CTU- the
Results ce is
r Used used Sourc Work 13, network
KNN, increased.
es Stratos behavioral
[24] ----- Random 95.5% of
Among the phere changes
Forest high
three IPS in
accuracy
classifiers project malware
achieved.
Apache Naive Supervise samples.
Spark, VX Bayes, d The static
Naive
MLlib, Heave Support Dimensio immediate It can
Bayes,
Cuckoo n, Vector nality feature, Vxhea The apply the
Random
Sandbo Nothin Machine, Reduction system ven.or merged sequence
[18] Forest,
x, k, and in a large call g, model feature or
Support PinFWS
Oracle VirusS Random data set [28] feature, malwr. increases function
Vector andbox
VM hare. Forest, the of dynamic com, the sequence
Machine
VirtualB Random malware immediate virusc percentag feature to
ox Forest samples. feature, an.org e to 96% get better
gives the dynamic results.
best opcode
accuracy Expectatio Apply the
The The pair n- same
average wise Collect Maximizati technique
accuracy sequence ed on with static
Cuckoo VX of all alignment Clustering from techniques features
Sequence [29] -----
[19] Sandbo Heave malware algorithm algorithms Malicia give a high using call
alignment
x n families is will websit accuracy graphs
87% and improve e of and other
overall the classificati measures
execution performan on using and also

1799
IJSTR©2020
www.ijstr.org
INTERNATIONAL JOURNAL OF SCIENTIFIC & TECHNOLOGY RESEARCH VOLUME 9, ISSUE 02, FEBRUARY 2020 ISSN 2277-8616

clustering apply for Vector ates) accuracy

algorithms extracted Machine VETZo and
. dynamic o improves
features. performan
VxVaul ce by 9%
t, accuracy.
http:// The
www.v feedforwar
xvault. d
net, backpropa
Five Feedforwa Dimensio
Vx gation
malware rd back Mahen nality
heave neural
classes Neural propagatio hur reduction
n, [38] network
are network n neural Datas of the
http:// Text gives
successful network et feature
www.v pattern 96.35% of
ly (ANN). vector.
Windows xheav matching accuracy
classified
API call en.org technique in
using
[30] ssdeep sequence Vir s are experimen
windows
and fuzzy usSign used to tal results.
API call
hashing. , classify N6
sequence
http:// the platfor
and fuzzy
www.vi malware m from Support
hashing Support
russig Resea Vector
based Vector
n.com rch Machine
classificati Machine,
Vir and random Classificat
on. cross-
usTota Acade sampling ion of a
[39] --- validation,
l. mic gives large
leave-one-
https:// Comp better dataset
out,
www.vi uter accuracy
random
rustota Netwo results of
sampling
l.com rk 94.98%
Gives (N
98.9% ASK)
Kingso accuracy Clustering
ft, of known of
Shared Text Using
ESET malware GIST malware
nearest editors KNN 98%
[31] --- NOD3 and 86.7% --- image samples
neighbour [40] and KNN accuracy
2, and of feature using
(SNN). Binary is
Anubis accuracy s image-
editors obtained.
. for based
unknown features.
malware. Ada
Comm Compariso Boost,
unicati n between IB1,
Overall
on different Random
CA’s classificati
Resea antivirus Forest,
[41] WEKA VET on ----
[33] WEKA J48, C4.5 rch programs ---- Support
zoo accuracy
Center gives Vector
is 97%.
Canad better Machine,
a accuracy DT, Naive
(CRC). results Bayes
Decision The
tree, combinatio
nearest n of
n-gram
centroid, feature
Random Support rule from
perceptron selection
Malim Forest Vector SNORT
, techniques
g gives Machine, VX signature
[34] ---- Stochastic --- and
datase better [42] WEKA NN, J48, Heave for better
gradient, Support
t. accuracy Naive n accuracy
Multilayer Vector
results. Bayes, using
Percep Machine
PCA machine
tron, classifier
learning.
Random gives 97%
Forest of
Random accuracy.
MLP, DT, Univer Forest CWSan Expandin
IB1, sity of gives high dbox, g features
[35] WEKA ---- Naive Random
Random Califor accuracy Qemu with
Bayes, VX Forest
Forest nia results of (emulati including
[43] Random Heave gives high
99.58% on) and static
Forest, n accuracy
Random CA’s Random Wine analysis
SMO, J48 of 96.2%
Forest, (Comp forest (simulati technique
[36] WEKA ----
IB1, DT, uter gives on) s.
Support Associ better [44] Sandbo Support Institut SVM ----

1800
IJSTR©2020
www.ijstr.org
 INTERNATIONAL JOURNAL OF SCIENTIFIC & TECHNOLOGY RESEARCH VOLUME 9, ISSUE 02, FEBRUARY 2020 ISSN 2277-8616

x Vector e of classifier learning algorithms are very useful for the classification and
Machine, Inform with clustering of malware samples for small datasets and for large
PCA, MG ation feature
TF-IDF Industr selection
volumes of data.
y and
feature 6 REFERENCES
extraction
methods
[1] AV-TEST (2018, November 28). The Independent IT-
gives Security Institute, Malware Statistics [Online]. Available:
better https://www.av-test.org/en/statistics/malware/
performan [2] IDAPro. (2018, November 28). [Online]. Available:
ce and https://www.hex-
accuracy.
rays.com/products/ida/support/download_freeware.shtml
LMT
classifier [3] OllyDbg. (2018, November 28). [Online]. Available:
Expand http://www.ollydbg.de/
gives a
for large
LMT, high
datasets
[4] LordPE. (2018, November 28). [Online]. Available:
Support accuracy http://www.woodmann.com/collaborative/tools/index.php/Lor
and test
Vector of 98.28%. dPE
for a
Machine, Online clustering
[45] WEKA Ridor, source of
combinati [5] OllyDump. (2018, November 28). [Online]. Available:
on of http://www.woodmann.com/collaborative/tools/index.php/Olly
KNN, s malware
more Dump
Naive samples k-
classifiers
Bayes, K- means [6] Willems, C., Holz, T. and Freiling, F. (2007) Toward
to get
means gives Automated Dynamic Malware Analysis Using Cwsandbox.
better
better
performan
results. IEEE Security & Privacy, 5, 32-39.
ce http://dx.doi.org/10.1109/MSP.2007.45
Multi- [7] Anubis. (2018, November 28). [Online]. Available:
FTP Naive
Utilization
http://anubis.iseclab.org/
sites Bayes [8] Bayer, U., Kruegel, C. and Kirda, E. (2006) TTAnalyze: A
Naive of bye
at gives high Tool for Analyzing Malware. Proceedings of the 15th
Bayes, sequence
[46] --- Colum accuracy
RIPPER,
bia of 97.76%
to European Institute for Computer Antivirus Research Annual
MNB extending Conference.
Univer of
work.
sity classifying [9] Norman Sandbox. (2018, November 28). [Online]. Available:
malware http://sandbox.norman.no
[10] Dinaburg, A., Royal, P., Sharif, M. and Lee, W. (2008) Ether:
4 DISCUSSION Malware Analysis via Hardware Virtualization Extensions.
Previous existing literature works of malware detection prove Proceedings of the 15th ACM Conference on Computer and
that successfully classification is done with the help of Communications Security, CCS’08, Alexandria, 27-31
machine learning techniques but still there are some issues October 2008, 51-62.
have not resolved. Zero-day attacks are the one which the day [11] ThreatExpert. (2018, November 28). [Online]. Available:
having no new malware will rise in future. It is the main aim of http://www.threatexpert.com/submit.aspx
all the malware researchers. Basing on the survey [1] by AV- [12] Process Explorer. (2014). [Online]. Available:
Test still, millions of new malware are rising day-by-day. Some http://technet.microsoft.com/en-
issues and challenges of malware detection are still there and us/sysinternals/bb896653.aspx
not yet resolved. One issue is to real verification or manual [13] Process Monitor. (2014). [Online]. Available:
verification of classification results becomes harder when it http://technet.microsoft.com/en-
comes to reality. Another issue is to improve the advancement us/sysinternals/bb896645.aspx
of techniques for more active learning. The more recent [14] Capture BAT. (2018, November 28). [Online]. Available:
advancements are expecting from the fields of machine https://www.honeynet.org/node/315
learning, ensemble learning, deep learning and more. The [15] Regshot. (2018, November 28). [Online]. Available:
most advanced techniques are needed to achieve Zero-day http://sourceforge.net/projects/regshot/
Attacks. Dealing with large datasets is also one of the issues. [16] Wireshark. (2018, November 28). [Online]. Available:
These advanced techniques are needed in dimensionality http://www.wireshark.org/
reduction. [17] Process Hacker replace. (2018, November 28). [Online].
Available: http://processhacker.sourceforge.net/
[18] Gupta, D., & Rani, R. (2018). Big Data Framework for Zero-
5 CONCLUSION Day Malware Detection. Cybernetics and Systems, 49(2),
This paper presents the survey about existing literature on
103-121.
malware analysis using different machine learning algorithms.
[19] Cho, I. K., Kim, T. G., Shim, Y. J., Ryu, M., & Im, E. G. (2016).
Table 1 defines the different literature of existing works with
Malware Analysis and Classification Using Sequence
what are the tools used in their work, what are the machine
Alignments. Intelligent Automation & Soft Computing, 22(3),
learning algorithms they used in their work, from what sources
371-377.
dataset is collected, what are parameters they consider to
[20] Burnap, P., French, R., Turner, F., & Jones, K. (2018).
reach their goal and the corresponding experimental results
Malware classification using self organising feature maps
and what are the future works are proposed all are listed in the
and machine activity data. computers & security, 73, 399-
table form. In the discussion, it clearly identifies that machine
1801
IJSTR©2020
www.ijstr.org
INTERNATIONAL JOURNAL OF SCIENTIFIC & TECHNOLOGY RESEARCH VOLUME 9, ISSUE 02, FEBRUARY 2020 ISSN 2277-8616

410. analysis and classification: A survey. Journal of Information

[21] Ab Razak, M. F., Anuar, N. B., Salleh, R., & Firdaus, A. Security, 5(02), 56.
(2016). The rise of ―malware‖: Bibliometric analysis of [38] Makandar, A., & Patrot, A. (2015, December). Malware
malware study. Journal of Network and Computer analysis and classification using Artificial Neural Network. In
Applications, 75, 58-76. Trends in Automation, Communications and Computing
[22] Ray, A., & Nath, A. (2016). Introduction to Malware and Technology (I-TACT-15), 2015 International Conference on
Malware Analysis: A brief overview. International (pp. 1-6). IEEE.
Journal, 4(10). [39] Kruczkowski, M., & Szynkiewicz, E. N. (2014, August).
[23] Ucci, D., Aniello, L., & Baldoni, R. (2017). Survey on the Support vector machine for malware analysis and
usage of machine learning techniques for malware classification. In Proceedings of the 2014 IEEE/WIC/ACM
analysis. arXiv preprint arXiv:1710.08189. International Joint Conferences on Web Intelligence (WI) and
[24] AlAhmadi, B. A., & Martinovic, I. (2018, May). MalClassifier: Intelligent Agent Technologies (IAT)-Volume 02 (pp. 415-
Malware family classification using network flow sequence 420). IEEE Computer Society.
behaviour. In APWG Symposium on Electronic Crime [40] Nataraj, L., Karthikeyan, S., Jacob, G., & Manjunath, B. S.
Research (eCrime), 2018 (pp. 1-13). IEEE. (2011, July). Malware images: visualization and automatic
[25] Khan, M. H., & Khan, I. R. (2017). Malware Detection and classification. In Proceedings of the 8th international
Analysis. International Journal of Advanced Research in symposium on visualization for cyber security (p. 4). ACM.
Computer Science, 8(5). [41] Tian, R., Batten, L., Islam, R., & Versteeg, S. (2009,
[26] Ronen, R., Radu, M., Feuerstein, C., Yom-Tov, E., & Ahmadi, October). An automated classification system based on the
M. (2018). Microsoft Malware Classification Challenge. arXiv strings of trojan and virus families. In Malicious and
preprint arXiv:1802.10135. Unwanted Software (MALWARE), 2009 4th International
[27] Ye, Y., Li, T., Adjeroh, D., & Iyengar, S. S. (2017). A survey on Conference on (pp. 23-30). IEEE.
malware detection using data mining techniques. ACM [42] Khammas, B. M., Monemi, A., Bassi, J. S., Ismail, I., Nor, S.
Computing Surveys (CSUR), 50(3), 41. M., & Marsono, M. N. (2015). Feature selection and machine
[28] Wang, C., Ding, J., Guo, T., & Cui, B. (2017, November). A learning classification for malware detection. Jurnal
Malware Detection Method Based on Sandbox, Binary Teknologi, 77(1).
Instrumentation and Multidimensional Feature Extraction. [43] Devesa, J., Santos, I., Cantero, X., Penya, Y. K., & Bringas,
In International Conference on Broadband and Wireless P. G. (2010). Automatic Behaviour-based Analysis and
Computing, Communication and Applications (pp. 427-438). Classification System for Malware Detection. ICEIS (2), 2,
Springer, Cham. 395-399.
[29] Pai, S., Di Troia, F., Visaggio, C. A., Austin, T. H., & Stamp, M. [44] Lin, C. T., Wang, N. J., Xiao, H., & Eckert, C. (2015). Feature
(2017). Clustering for malware classification. Journal of Selection and Extraction for Malware Classification. J. Inf.
Computer Virology and Hacking Techniques, 13(2), 95-107. Sci. Eng., 31(3), 965-992.
[30] Gupta, S., Sharma, H., & Kaur, S. (2016, December). [45] Dhammi, A., & Singh, M. (2015, August). Behavior analysis
Malware Characterization Using Windows API Call of malware using machine learning. In Contemporary
Sequences. In International Conference on Security, Privacy, Computing (IC3), 2015 Eighth International Conference on
and Applied Cryptography Engineering (pp. 271-280). (pp. 481-486). IEEE.
Springer, Cham. [46] Schultz, M. G., Eskin, E., Zadok, F., & Stolfo, S. J. (2001).
[31] Liu, L., Wang, B. S., Yu, B., & Zhong, Q. X. (2017). Automatic Data mining methods for detection of new malicious
malware classification and new malware detection using executables. In Security and Privacy, 2001. S&P 2001.
machine learning. Frontiers of Information Technology & Proceedings. 2001 IEEE Symposium on (pp. 38-49). IEEE.
Electronic Engineering, 18(9), 1336-1347.
[32] Makandar, A., & Patrot, A. (2015). Overview of malware
analysis and detection. In IJCA proceedings on national
conference on knowledge, innovation in technology and
engineering, NCKITE (Vol. 1, pp. 35-40).
[33] Nari, S., & Ghorbani, A. A. (2013, January). Automated
malware classification based on network behavior. In 2013
International Conference on Computing, Networking and
Communications (ICNC) (pp. 642-647). IEEE.
[34] Kosmidis, K., & Kalloniatis, C. (2017, September). Machine
Learning and Images for Malware Detection and
Classification. In Proceedings of the 21st Pan-Hellenic
Conference on Informatics (p. 5). ACM.
[35] Gandotra, E., Bansal, D., & Sofat, S. (2014, September).
Integrated framework for classification of malwares.
In Proceedings of the 7th International Conference on
Security of Information and Networks (p. 417). ACM.
[36] Islam, R., Tian, R., Batten, L. M., & Versteeg, S. (2013).
Classification of malware based on integrated static and
dynamic features. Journal of Network and Computer
Applications, 36(2), 646-656.
[37] Gandotra, E., Bansal, D., & Sofat, S. (2014). Malware
1802
IJSTR©2020
www.ijstr.org