Differentiating Malware from cleanware based on behavioural analysis

Ronghua Tian, MD Rafiqul Islam, Lynn Batten, Steve Versteeg

Research output: Book chapter/Published conference paperConference paperpeer-review

162 Citations (Scopus)


This paper proposes a scalable approach for distinguishing malicious files from clean files by investigating the behavioural features using logs of various API calls. We also propose, as an alternative to the traditional method of manually identifying malware files, an automated classification system using runtime features of malware files. For both projects, we use an automated tool running in a virtual environment to extract API call features from executables and apply pattern recognition algorithms and statistical methods to differentiate between files. Our experimental results, based on a dataset of 1368 malware and 456 cleanware files, provide an accuracy of over 97% in distinguishing malware from cleanware. Our techniques provide a similar accuracy for classifying malware into families. In both cases, our results outperform comparable previously published techniques.
Original languageEnglish
Title of host publicationMalware 2010
Subtitle of host publication5th proceedings
Place of PublicationPiscataway, NJ
PublisherInstitute of Electrical and Electronics Engineers
Number of pages8
ISBN (Electronic)9781424493562
Publication statusPublished - 2010
EventIEEE International Conference on Malicious and Unwanted Software - Nancy, Lorraine, France, France
Duration: 19 Oct 201020 Oct 2010


ConferenceIEEE International Conference on Malicious and Unwanted Software


Dive into the research topics of 'Differentiating Malware from cleanware based on behavioural analysis'. Together they form a unique fingerprint.

Cite this