DocumentCode :
3777568
Title :
Similarity-Based Malware Classification Using Hidden Markov Model
Author :
Mohammad Imran;Muhammad Tanvir Afzal;Muhammad Abdul Qadir
fYear :
2015
Firstpage :
129
Lastpage :
134
Abstract :
The problem of malware classification has gained the attention of the cyber security community due to the following facts: (1) thousands of new malware are generated every day; (2) the global losses caused by malware are in billions of dollars every year. In this paper, a novel malware classification scheme is proposed that is based on Hidden Markov Models (HMMs) and discriminative classifiers. Sequences of system calls generated by malware during execution are represented as observation sequences to train the HMMs. Individual malware samples are then evaluated against these models to generate similarity vectors, which are used to predict the class label for an unknown sample by training a discriminative classifier. Our novel combination of HMMs, dynamic program features and a discriminative classifier has shown promising results in experiments performed using system call logs of real malware.
Keywords :
"Malware","Hidden Markov models","Training","Feature extraction","Computer security","Computers","Machine learning algorithms"
Publisher :
ieee
Conference_Titel :
Cyber Security, Cyber Warfare, and Digital Forensic (CyberSec), 2015 Fourth International Conference on
Type :
conf
DOI :
10.1109/CyberSec.2015.33
Filename :
7491575