ELF-Miner: Using Structural Knowledge and Data Mining for Detecting Linux Malicious Executables
Linux malware can pose a significant threat: its penetration of Linux systems is increasing exponentially, while little is known or understood about Linux's vulnerabilities. The authors believe that now is the right time to devise non-signature-based detection strategies for zero-day (previously unknown) malware, before Linux intruders take them by surprise. Therefore, in this paper, they first perform a forensic analysis of Linux Executable and Linkable Format (ELF) files. As a result, they select a feature set of 383 features extracted from an ELF header. Their forensic analysis provides insight into which features have the potential to discriminate malware executables from benign ones.
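To make the idea of header-derived features concrete, here is an added example (not the paper's code, and not its 383-feature set) that parses the fields of the ELF file header into a feature dictionary, flattens them into a fixed-order numeric vector suitable for a classifier, and runs a few cheap consistency checks of the kind that separate well-formed binaries from tampered ones. The sample header is constructed inline with `struct.pack`, so the script runs offline without any real binary; field names follow the ELF specification, while `build_sample_header`, `header_anomalies` and `feature_vector` are this example's own helpers.

```python
import struct

ELF_MAGIC = b"\x7fELF"
# Field names of the ELF file header after e_ident, in on-disk order.
FIELDS = ("e_type", "e_machine", "e_version", "e_entry", "e_phoff", "e_shoff",
          "e_flags", "e_ehsize", "e_phentsize", "e_phnum", "e_shentsize",
          "e_shnum", "e_shstrndx")
IDENT = ("ei_class", "ei_data", "ei_version", "ei_osabi", "ei_abiversion")


def parse_elf_header(data: bytes) -> dict:
    """Decode the ELF file header (32- or 64-bit, either endianness) into a dict.

    Raises ValueError for anything that is not a well-formed ELF header.
    """
    if len(data) < 16 or data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    ei_class, ei_data, ei_version, ei_osabi, ei_abiversion = data[4:9]
    if ei_class not in (1, 2) or ei_data not in (1, 2):
        raise ValueError("invalid EI_CLASS or EI_DATA")
    endian = "<" if ei_data == 1 else ">"
    # ELFCLASS32 stores e_entry/e_phoff/e_shoff in 4 bytes, ELFCLASS64 in 8.
    fmt = endian + ("HHIIIIIHHHHHH" if ei_class == 1 else "HHIQQQIHHHHHH")
    if len(data) < 16 + struct.calcsize(fmt):
        raise ValueError("truncated ELF header")
    features = dict(zip(FIELDS, struct.unpack_from(fmt, data, 16)))
    features.update(zip(IDENT, (ei_class, ei_data, ei_version, ei_osabi, ei_abiversion)))
    return features


def header_anomalies(features: dict, file_size: int) -> list:
    """Structural consistency checks; each finding can itself serve as a feature."""
    issues = []
    expected_ehsize = 52 if features["ei_class"] == 1 else 64
    if features["e_ehsize"] != expected_ehsize:
        issues.append("e_ehsize does not match EI_CLASS")
    ph_end = features["e_phoff"] + features["e_phnum"] * features["e_phentsize"]
    if features["e_phnum"] and ph_end > file_size:
        issues.append("program header table extends past end of file")
    sh_end = features["e_shoff"] + features["e_shnum"] * features["e_shentsize"]
    if features["e_shnum"] and sh_end > file_size:
        issues.append("section header table extends past end of file")
    if features["e_shnum"] == 0 and features["e_shoff"] != 0:
        issues.append("e_shoff set but e_shnum is zero")
    if features["e_shnum"] and features["e_shstrndx"] >= features["e_shnum"]:
        issues.append("e_shstrndx points outside the section header table")
    return issues


def feature_vector(features: dict) -> list:
    """Flatten the header dict into a fixed-order numeric vector for a classifier."""
    return [features[name] for name in IDENT + FIELDS]


def build_sample_header(elf_class: int = 2, little_endian: bool = True,
                        phnum: int = 2, shnum: int = 0) -> bytes:
    """Constructed sample ELF header (not taken from any real binary)."""
    endian = "<" if little_endian else ">"
    if elf_class == 2:   # x86-64 layout: Elf64_Ehdr=64, Elf64_Phdr=56, Elf64_Shdr=64
        fmt, machine, entry, ehsize, phentsize, shentsize = "HHIQQQIHHHHHH", 0x3E, 0x401000, 64, 56, 64
    else:                # i386 layout: Elf32_Ehdr=52, Elf32_Phdr=32, Elf32_Shdr=40
        fmt, machine, entry, ehsize, phentsize, shentsize = "HHIIIIIHHHHHH", 3, 0x8048000, 52, 32, 40
    e_ident = ELF_MAGIC + bytes([elf_class, 1 if little_endian else 2, 1, 0, 0]) + b"\x00" * 7
    return e_ident + struct.pack(endian + fmt,
                                 2,          # e_type: ET_EXEC
                                 machine,    # e_machine
                                 1,          # e_version
                                 entry,      # e_entry
                                 ehsize,     # e_phoff: program headers follow the header
                                 0,          # e_shoff: no section header table
                                 0,          # e_flags
                                 ehsize, phentsize, phnum, shentsize, shnum, 0)


if __name__ == "__main__":
    hdr = build_sample_header()
    # Pad with a fake program header table so the offsets are consistent.
    blob = hdr + b"\x00" * (2 * 56)
    feats = parse_elf_header(blob)
    print(feature_vector(feats))
    print("anomalies (full file):", header_anomalies(feats, len(blob)))
    print("anomalies (truncated):", header_anomalies(feats, len(hdr)))
```

The vector has 18 entries here; a real feature set such as the paper's would go on to include program header, section header and symbol table attributes, and the anomaly flags are the sort of structural knowledge a header-only scan can still provide.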