TY - JOUR
T1 - A hybrid-multi filter-wrapper framework to identify run-time behavior for fast malware detection
AU - Huda, Shamsul
AU - Islam, Rafiqul
AU - Abawajy, Jemal
AU - Yearwood, John
AU - Hassan, Mohammad Mehedi
AU - Fortino, Giancarlo
N1 - Includes bibliographical references.
PY - 2018/6
Y1 - 2018/6
N2 - Malicious software (malware) constitutes one of the most pressing cyber threats, intended to cripple critical infrastructure, render infected systems unusable, and permanently erase data from storage systems. The number of malware samples has skyrocketed through the use of readily available malware development toolkits. Run-time analysis has recently been used to overcome the limitations of current detection engines caused by code obfuscation techniques such as polymorphism and metamorphism. However, run-time approaches face a critical challenge: processing a large number of run-time malware features, which may fail to provide real-time protection. In this paper, we propose a hybrid framework that uses more than one complementary filter together with a wrapper feature selection approach to identify the most significant run-time behavioural characteristics of malware. The novelty of the proposed framework is that it exploits the complementary characteristics both within the filters and between the wrapper and the filters by hybridizing discriminant, minimum-redundancy, and maximum-relevance filters with the wrapper approach, thereby integrating the knowledge about the intrinsic run-time behaviour of malware obtained by the filters into the wrapper selection process. We have verified the performance of the proposed approach through extensive experiments using large real malware datasets. The results of the experiments show that the proposed framework finds the most significant run-time characteristics of malware. When these are used in the detection engine, the computational performance and detection accuracy are also improved, up to 99.499%, compared to existing techniques.
AB - Malicious software (malware) constitutes one of the most pressing cyber threats, intended to cripple critical infrastructure, render infected systems unusable, and permanently erase data from storage systems. The number of malware samples has skyrocketed through the use of readily available malware development toolkits. Run-time analysis has recently been used to overcome the limitations of current detection engines caused by code obfuscation techniques such as polymorphism and metamorphism. However, run-time approaches face a critical challenge: processing a large number of run-time malware features, which may fail to provide real-time protection. In this paper, we propose a hybrid framework that uses more than one complementary filter together with a wrapper feature selection approach to identify the most significant run-time behavioural characteristics of malware. The novelty of the proposed framework is that it exploits the complementary characteristics both within the filters and between the wrapper and the filters by hybridizing discriminant, minimum-redundancy, and maximum-relevance filters with the wrapper approach, thereby integrating the knowledge about the intrinsic run-time behaviour of malware obtained by the filters into the wrapper selection process. We have verified the performance of the proposed approach through extensive experiments using large real malware datasets. The results of the experiments show that the proposed framework finds the most significant run-time characteristics of malware. When these are used in the detection engine, the computational performance and detection accuracy are also improved, up to 99.499%, compared to existing techniques.
KW - Cyber-threat
KW - Malware detection
KW - Run-time behaviour analysis
KW - Significant malware behaviour, feature selection
UR - http://www.scopus.com/inward/record.url?scp=85042050223&partnerID=8YFLogxK
U2 - 10.1016/j.future.2017.12.037
DO - 10.1016/j.future.2017.12.037
M3 - Article
AN - SCOPUS:85042050223
SN - 0167-739X
VL - 83
SP - 193
EP - 207
JO - Future Generation Computer Systems: the international journal of grid computing: theory, methods and applications
JF - Future Generation Computer Systems: the international journal of grid computing: theory, methods and applications
ER -