A Hybrid Model to Detect Malicious Executables
Source: University of Texas
The authors present a hybrid data mining approach to detect malicious executables. In this approach, they identify important features of the malicious and benign executables. These features are used by a classifier to learn a classification model that can distinguish between malicious and benign executables. They construct a novel combination of three different kinds of features: binary n-grams, assembly n-grams, and library function calls. Binary features are extracted from the binary executables, whereas assembly features are extracted from the disassembled executables. The function call features are extracted from the program headers. They also propose an efficient and scalable feature extraction technique.
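To make the three feature families concrete, the following Python is an added illustration written for this page; it is not the paper's code and does not reproduce its feature-selection metric or classifier. It assumes (as constructed toy data) that each sample is a small byte string standing in for the raw executable, a list of mnemonics standing in for the disassembler's output, and a list of library names standing in for the import table read from the program headers. Features are weighted by the difference in how often they appear in the malicious versus the benign set (a simple stand-in, labelled as an assumption), the most discriminative ones are kept, and an unseen sample is scored by summing the weights of the selected features it contains.

```python
from collections import Counter
from typing import Dict, Hashable, Sequence, Set, Tuple

# A feature is (family, value); family is "bin", "asm" or "lib".
Feature = Tuple[str, Hashable]

# Constructed toy samples (not real programs). Assumption: "bytes" stands in for
# the raw executable, "asm" for mnemonics emitted by a disassembler, and
# "imports" for library function names taken from the import table.
BENIGN = [
    {"bytes": bytes.fromhex("4d5a9000030000000400"),
     "asm": ["push", "mov", "call", "ret"],
     "imports": ["CreateFileW", "ReadFile", "CloseHandle"]},
    {"bytes": bytes.fromhex("4d5a9000030000000400ffff"),
     "asm": ["push", "mov", "mov", "call", "ret"],
     "imports": ["CreateFileW", "WriteFile", "CloseHandle"]},
]
MALICIOUS = [
    {"bytes": bytes.fromhex("4d5a9000eb0e9090909031c0"),
     "asm": ["jmp", "nop", "nop", "xor", "call"],
     "imports": ["LoadLibraryA", "GetProcAddress", "CreateFileW"]},
    {"bytes": bytes.fromhex("4d5a9000eb0e9090909050"),
     "asm": ["jmp", "nop", "nop", "push", "call"],
     "imports": ["LoadLibraryA", "GetProcAddress"]},
]


def ngrams(tokens: Sequence, n: int) -> Set[tuple]:
    """Set of overlapping n-grams over any token sequence (bytes or mnemonics)."""
    return {tuple(tokens[i:i + n]) for i in range(len(tokens) - n + 1)}


def extract_features(sample: dict, n: int = 2) -> Set[Feature]:
    """Hybrid feature set: binary n-grams, assembly n-grams and library calls."""
    feats: Set[Feature] = set()
    feats |= {("bin", g) for g in ngrams(sample["bytes"], n)}
    feats |= {("asm", g) for g in ngrams(sample["asm"], n)}
    feats |= {("lib", name) for name in sample["imports"]}
    return feats


def feature_weights(benign, malicious, n: int = 2) -> Dict[Feature, float]:
    """Weight = P(feature present | malicious) - P(feature present | benign).
    Assumption: a simple stand-in for the paper's feature-selection metric."""
    df_b, df_m = Counter(), Counter()
    for s in benign:
        df_b.update(extract_features(s, n))      # document frequency, benign
    for s in malicious:
        df_m.update(extract_features(s, n))      # document frequency, malicious
    return {f: df_m[f] / len(malicious) - df_b[f] / len(benign)
            for f in set(df_b) | set(df_m)}


def train(benign, malicious, n: int = 2, top_k: int = 20) -> Dict[Feature, float]:
    """Keep the top_k features with the largest |weight| (ties broken by key)."""
    w = feature_weights(benign, malicious, n)
    selected = sorted(w, key=lambda f: (-abs(w[f]), f))[:top_k]
    return {f: w[f] for f in selected}


def score(sample: dict, model: Dict[Feature, float], n: int = 2) -> float:
    """Sum the weights of the selected features present in the sample."""
    present = extract_features(sample, n)
    return sum(wt for f, wt in model.items() if f in present)


def classify(sample: dict, model: Dict[Feature, float], n: int = 2) -> str:
    return "malicious" if score(sample, model, n) > 0 else "benign"


if __name__ == "__main__":
    model = train(BENIGN, MALICIOUS)
    for f, wt in model.items():
        print(f, wt)
    # Constructed unseen sample for demonstration.
    unknown = {"bytes": bytes.fromhex("4d5a9000eb0e9090"),
               "asm": ["jmp", "nop", "nop", "call"],
               "imports": ["LoadLibraryA", "GetProcAddress", "CloseHandle"]}
    print(classify(unknown, model))
```

Two things worth noticing when running it: the byte pair shared by every sample (the `4d 5a` header prefix) gets weight 0 and is never selected, which is the point of choosing features by how well they separate the classes rather than by raw frequency; and because each family contributes its own keys, a sample can be scored on all three kinds of evidence at once without any one family having to carry the decision alone.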