Static and Dynamic Machine Learning Based Malware Detection Methods for Windows Programs

Table of Contents

1 Introduction

1.1 Initial situation

1.2 Problem description

2 Scope of the thesis

3 Theory

3.1 Malware

3.1.1 Definition

3.1.2 Malware Evolution

3.1.3 Types of malware

3.2 Program architecture in Microsoft Windows (MW)

3.2.1 The Portable Executable file format

3.2.2 Relevant insights for malware analysis

3.3 Malware Detection

3.3.1 Methodologies

3.3.2 Evading detection by Obfuscation

3.4 Machine Learning (ML)

3.4.1 Definition

3.4.2 Features

3.4.3 ML-Workflow

3.4.4 ML-Paradigms

3.4.5 ML-Algorithms

3.4.6 Model accuracy and metrics

4 Literature Review: ML Approaches in Research

4.1 Review outline

4.1.1 Structure

4.1.2 Literature overview

4.1.3 Evaluation criteria

4.2 Malware Feature Taxonomy

4.3 Static ML approaches

4.3.1 Quantitative evaluation

4.3.2 Qualitative evaluation

4.4 Dynamic ML approaches

4.4.1 Quantitative evaluation

4.4.2 Qualitative evaluation

4.5 Hybrid ML approaches

4.5.1 Quantitative evaluation

4.5.2 Qualitative evaluation

4.6 Conclusive learning from literature

5 Practical Review: Implementing a Static ML-Based Malware Detector

5.1 Safety measures and disclaimer

5.2 Requirements and resources

5.2.1 Test-environment: Guest OS and host OS

5.2.2 PE file repository: VirusShare and EMBER

5.2.3 Feature extraction: Python PEpper

5.2.4 Model training and validation: WEKA

5.3 Implementation

5.3.1 Phase 1: Data gathering

5.3.2 Phase 2: Data preparation

5.3.3 Phase 3: Model training

5.3.4 Phase 4: Model validation

5.4 Conclusive learning from practical implementation

6 Conclusion and Outlook

6.1 Conclusion

6.2 Outlook

Objectives and Topics

The main objective of this thesis is to evaluate and compare static, dynamic, and hybrid machine learning approaches for detecting malware on Windows systems. The work bridges the gap in current research where these methods are rarely compared comprehensively, ultimately demonstrating the practical implementation of a static malware detector using common machine learning workflows.

• Theoretical foundation of malware and its evolutionary evasion techniques.
• Taxonomy of features used in static, dynamic, and hybrid malware detection.
• Comparative analysis of machine learning methodologies based on quantitative and qualitative metrics.
• Hands-on implementation of a static malware detector using Python and the WEKA environment.
• Validation of detection models against unknown malware, including obfuscated and encrypted samples.

Excerpt from the Book

Summary of Chapters

1 Introduction: This chapter introduces the ongoing conflict between security experts and malware developers, highlighting the limitations of traditional signature-based detection and the growing significance of machine learning.

2 Scope of the thesis: This section defines the primary goal of evaluating static, dynamic, and hybrid approaches and outlines the three core research questions guiding the analysis and practical implementation.

3 Theory: This chapter establishes the fundamental terminology regarding malware evolution, Windows file structures, detection methodologies (static, dynamic, hybrid), and foundational machine learning concepts.

4 Literature Review: ML Approaches in Research: This section provides a comprehensive, criteria-based evaluation of 35 diverse research papers, classifying them by methodology and analyzing their performance through quantitative and qualitative metrics.

5 Practical Review: Implementing a Static ML-Based Malware Detector: This chapter details the hands-on process of building a static detector, covering environment setup, feature extraction with Python, and model training/validation using WEKA.

6 Conclusion and Outlook: This final chapter synthesizes the main findings from the literature review and the practical implementation, providing insights into future developments for malware detection.

Keywords

Malware Detection, Machine Learning, Static Analysis, Dynamic Analysis, Hybrid Analysis, Windows Executables (PE), Feature Engineering, Malware Evolution, Obfuscation, Model Accuracy, WEKA, Classification, Cybersecurity, Neural Networks, Endpoint Protection

Frequently Asked Questions

What is the primary focus of this thesis?

This thesis examines the effectiveness and common characteristics of different machine learning-based malware detection methods on the Windows platform, specifically focusing on static, dynamic, and hybrid approaches.

What are the three main methodological fields analyzed?

The research is categorized into static analysis (analyzing files without execution), dynamic analysis (monitoring behavior at runtime), and hybrid analysis (combining both methods).

What is the central research question?

The work addresses how these three methodological domains differ in terms of quantitative and qualitative evaluation criteria and how a static detection model can be practically implemented using established ML workflows.

Which scientific method is used for the literature review?

The thesis utilizes the framework for literature reviewing developed by Brocke et al., which involves defined selection cycles and key performance indicators to ensure a representative and rigorous overview of existing research.

What does the practical section of the thesis cover?

The practical section describes the end-to-end development of a static malware detector, including data gathering from repositories like VirusShare and EMBER, feature extraction using Python, and model validation with the WEKA tool.

Which keywords best characterize the work?

The most important terms include Malware Detection, Machine Learning, Static Analysis, Dynamic Analysis, Hybrid Analysis, Malware Evolution, and Feature Engineering.

Why are hybrid approaches considered complex?

Hybrid approaches are complex because they require the integration of feature vectors from two distinct sources (static and dynamic), necessitating expert knowledge in feature fusion and additional effort during the feature extraction phase.

Did the practical test confirm the findings from the literature review?

Yes, the implementation confirmed that static models generally struggle to correctly classify obfuscated or encrypted malware samples, a limitation that was repeatedly noted in the surveyed research literature.

What is the significance of the "Feature Graph" developed in this work?

The custom feature graph, developed using the tool Gephi, visualizes the relationships between different methodology classes and applied features, providing a clearer understanding of how these elements relate to each other across different studies.