Classification of Malware Based on Integrated Static and Dynamic Features

MD Rafiqul Islam, Ronghua Tian, Lynn M. Batten, Steve Versteeg

Research output: Contribution to journal, Article, peer-review

225 Citations (Scopus)
7 Downloads (Pure)


Collection of dynamic information requires that malware be executed in a controlled environment; the malware unpacks itself as a preliminary to the execution process. On the other hand, while execution of malware is not needed in order to collect static information, the file must first be unpacked manually. None-the-less, if a file has been executed, it is possible to use both static and dynamic information in designing a single classification method.

In this paper, we present the first classification method integrating static and dynamic features into a single test. Our approach improves on previous results based on individual features and reduces by half the time needed to test such features separately.

Robustness to changes in malware development is tested by comparing results on two sets of malware, the first collected between 2003 and 2007, and the second collected between 2009 and 2010. When classifying the older set as compared to the entire data set, our integrated test demonstrates significantly more robustness than previous methods by losing just 2.7% in accuracy as opposed to a drop of 7%. We conclude that to achieve acceptable accuracy in classifying the latest malware, some older malware should be included in the set of data.

Original language: English
Pages (from-to): 646-656
Number of pages: 11
Journal: Journal of Network and Computer Applications
Issue number: 2
Publication status: Published - Mar 2013

