
2017 2nd International Conference on Telecommunication and Networks (TEL-NET 2017)

Integrated Malware Analysis Using Machine Learning

Akash Kumar Singh
Birla Institute of Technology, Mesra
Ranchi, India-835215
akashsingh.mtis@gmail.com

Aruna Jain
Birla Institute of Technology, Mesra
Ranchi, India-835215
arunajain@bitmesra.ac.in

Abstract— Detection of malwares using unprecedented zero-day vulnerabilities is a challenging task and needs advanced analysis techniques for their classification and identification. Malware developers employ various anti-analysis techniques to evade detection and disrupt the analysis. Most malware analysts use static and dynamic analysis techniques to analyze malwares. However, there are pros and cons of using these analysis techniques. Our work proposes a solution where we have extracted selected features from the static and dynamic analysis techniques. Using the selected features, an integrated approach has been developed so that the classification and detection rate may improve compared to the static and dynamic approaches. We have analyzed malwares equipped with anti-analysis features for better classification and detection results. Our result shows an accuracy of 73.47% using the integrated approach, 69.72% using static and 63.30% using dynamic analysis. Compared to the static and dynamic approaches, the integrated approach provides better accuracy.

Keywords: Static Analysis, Dynamic Analysis, Integrated Approach, Anti-Analysis techniques, Machine Learning, Classification.

I. INTRODUCTION

Malwares are malicious software which are developed to perform harmful activities on a targeted network or system. Depending on their behavior, infection, spreading and evasion techniques, malwares can be categorized into various classes such as Spyware, Adware, Rootkit, Worm, Backdoor, Botnet, etc. However, this classification is not unique, which means a class of malware can exhibit the properties of malware belonging to other classes. The main reasons that lead to the development of malwares vary according to the needs and intentions of the malware developer. Obtaining monetary benefits, collecting confidential information, self-promotion and destruction are some of the heinous tasks performed by the malware developers. Sometimes the developers use malwares as a tool to launch an attack and spread different malwares belonging to other classes, and spam.

Malwares can also be used for cyber warfare. The most recent use of such malware was Stuxnet [1]. It was designed to target Iran's nuclear program and SCADA systems. It used four zero-day vulnerabilities, which came to notice when a customer noticed that a machine was rebooting over and over again. Many security researchers claimed that the malicious code was launched by a joint operation of the US and Israel.

Every year, when various cybersecurity organizations and antivirus companies release their security threat reports, we get to see a significant rise in targeted attacks using thousands of malwares. These malwares mainly use unprecedented zero-day attacks which are very difficult to detect. Also, the malware developers are aware of the various analysis tools and techniques used by malware analysts to analyze malwares. They employ various anti-analysis techniques so that their malware can evade detection. In its 2016 annual security threat report, Symantec [2] reported that it had seen a whopping 430 million increase in new malware variants in the year 2015. It also reported 54 new zero-day attacks, which was a massive 125 percent increase as compared to a year before. This shows how malware developers and cybercriminals are developing new evading techniques and anti-analysis tricks to be one step ahead in their attempt to prevent detection. Figure 1 shows how there is a massive growth in the detection of zero-day vulnerabilities as compared to the years before. Similarly, Intel Security also reported in its security reports of September 2016 that on average a company detects more than 17 data loss incidents per day due to unknown malware attacks.
Fig. 1. Number of zero-day vulnerabilities found in Symantec annual report 2016.

Detecting and analyzing malwares is a very crucial job, especially when there are many evasion techniques available against them. For the analysis of malwares, mainly two techniques can be used: static analysis and dynamic analysis [3]. Static analysis analyzes the malware without actually running it. Dynamic analysis allows extracting information about the malware when it is executed in a safe environment.

In static analysis techniques [4], the analyst uses antivirus programs and hashes to identify the binary file, and captures the string information and header sections of the file. The main benefit of using the dynamic analysis technique is that it analyzes the runtime behavior of the executables, which means it keeps track of any changes in the registry of the system and any suspicious activities in the network.

However, to prevent the analysis of malware successfully, the malware developers mainly use four mechanisms:
• Anti-VM: The technique used for detecting the virtual machine. Since the malware is analyzed in a safe environment, mainly VMs and sandboxes, the malware either kills itself or hinders its operations on detecting such an environment.
• Anti-Debugging: The technique used by the malware to compromise the operation of scrubbers or the debugging process, making it difficult to reverse engineer.
• Obfuscation: The techniques used by malwares to scramble their source code into a non-readable format so that the analyst can't analyze its source code.
• Packer: Generally used as a measure to prevent software cracking. However, it is used as a tool to evade detection.

The above anti-analysis techniques can be detected using advanced static analysis techniques. Both static and dynamic analysis have advantages as well as disadvantages. Static analysis works well for analyzing the malware's internal structures, and dynamic analysis works well for behavioral analysis during the malware's execution.

So there is a need for an approach which can improve the capacity and speed of malware classification by including the features extracted from the static and dynamic analysis techniques along with the use of machine learning. The resultant feature set will not only help us to detect the malware types which use anti-analysis techniques but also those which use unprecedented zero-day vulnerabilities.

II. RELATED WORK

In this section, we discuss the existing works and the idea behind static and dynamic analysis for malware classification.

Z. Salehi et al. [5] proposed the idea of detecting and analyzing malwares based on API calls. The study proposed that malwares having similar behavior will call the same set of APIs with the same set of arguments. The approach was to extract feature vectors using the dynamic analysis technique. To reduce the number of features, various feature selection algorithms are employed. The authors used the WinAPIOverride32 tool in a VMware-based virtual machine for the interception of API calls. For classification, the authors used Weka classifiers [10].

Zane Markel et al. [6] proposed the idea of analyzing malwares using the metadata, mostly the header section and the import section of the Windows Portable Executable (PE) file format [7]. The authors mainly focused on the idea that the metadata of malicious executable files differs from that of clean executables. Various features of PE32 headers are analyzed and only those features are selected which are most suitable for classification.

Schultz et al. [8] introduced the detection of malwares using machine learning. The authors extracted mainly three static features using the static analysis approach, which are Portable Executable (PE) information, the byte-sequence n-gram approach, and string information. Inside the 32-bit executable there are dynamic link libraries (DLLs) from which the features are extracted. To achieve a higher detection rate, the n-gram approach is used, where sequences of n bytes of string information are extracted. The string information provides all the text strings that are encoded in the executables. The authors found that their detection rates are much higher using machine learning as compared to traditional signature-based techniques.

Tian et al. [9] used the concept of feature extraction on the basis of the number of bytes present in the source code of a malicious executable. Using this method, they obtained various functions from malicious executables and the frequency of their occurrence using dynamic analysis, and then used it to extract various attributes to detect the malicious file. For obfuscated files, the executable's code was hidden. For classification, the machine learning algorithms present in WEKA are applied.

Kolter et al. [11] also used the n-gram approach, which provided better classification results. The authors dealt with multiple classification algorithms, and a decision tree based algorithm provided the best detection rate.

Ahmed et al. [12] extracted features using dynamic analysis, combining both spatial and temporal information available in run-time Windows Application Programming Interface (API) calls. According to the authors, analyzing both spatial and temporal features in parallel can improve the detection rate of malwares.

Islam et al. [13] worked on the integration of static and dynamic analysis of malwares. Function length frequency and printable string information (PSI) vectors are extracted using static analysis. Dynamic feature vectors are extracted from the log files of dynamic analysis tools such as HOOKAPI, consisting of API functions and their parameters. Overall, the authors collected the feature vectors obtained from dynamic and static analysis and combined them to form the feature vector for the integrated approach. The results show that the accuracy using the integrated approach is better compared to the static and dynamic approaches.

Dhammi et al. [3] extracted dynamic features from the CSV file generated by the Cuckoo sandbox. The authors also gave importance to registry changes, network analysis, mutexes, and file details rather than focusing just on API calls.

Though every author tried to enhance the detection rate and classification of malware, there is still a need for further improvement in the analysis approach. In the next section, we discuss the limitations of the reviewed literature and our motivation to adopt a new approach for malware analysis.

III. PROBLEM STATEMENT AND PROPOSED METHODOLOGY

The growing rate of zero-day vulnerabilities and the sudden increase in the volume of malwares demand efficient and accurate detection of malwares. For this, the need of the hour is machine learning classification. The main problem faced by most malware analysts is the anti-analysis techniques employed by the malware developers to disrupt analysis and evade detection.

None of the reviewed papers mentioned detecting those malwares which use anti-analysis techniques. Static analysis thus fails in detecting new malicious executables for which it is difficult to find a predefined signature or identity. Reviewing only PE32 headers will not give enough information about the executable. The Printable String Information (PSI) and function length frequency feature extraction must be combined with various features of anti-analysis. There must be a definite rule to select the threshold for each PSI above which the file is classified as malware. Thus, we propose to work on a solution where we include the features of anti-analysis techniques during our static analysis phase.

Dynamic analysis of malware is quite a time-taking approach. Apart from this, the virtual environment and tools employed for dynamic feature extraction can easily be detected by malwares, which can disrupt the analysis work. For dynamic analysis, we are using a lesser known sandboxing environment called NORIBEN [14]. NORIBEN is a lightweight virtual environment which takes less time than the most commonly used sandboxes such as CUCKOO.

The main objectives of our work are:
• To extract anti-analysis features using enhanced static analysis.
• To extract behavioral features of malware using dynamic analysis.
• To create an integrated feature vector using selected features of the static and dynamic analysis approaches.
• To validate and verify whether the classification result of the integrated approach is better than its static and dynamic counterparts or not.

A. ARCHITECTURE OF THE PROPOSED METHOD

We have developed a framework for static and dynamic analysis of executables. Static analysis is performed by extracting the feature vectors from six modules: Suspicious; Anti-VM; Anti-Debugging; URL Analysis; String Extraction; Packer Analysis. Dynamic analysis is carried out by extracting the function calls and APIs from the CSV file of the NORIBEN tool. An overview of the proposed architecture is shown in figure 2.

Fig. 2. Architecture of the proposed approach

B. DATA SET

The data set used in our research consists of Windows-based Portable Executable (PE-32) files, which include malware samples of various classes, mainly Adware, Spyware, packed malwares, and Remote Administration Trojans. The main reason for selecting the malware of these classes is the fact that most of the anti-analysis techniques are generally found in these malware types. The total number of binary executables we have used is 109

containing 25 benign files and 84 malware samples. The benign files are collected from our system directories and Download.com, and the malware samples are collected from various online sources [15] [16] [17].

IV. MALWARE ANALYSIS APPROACH

In this section, we discuss the ways of extracting anti-analysis features using static analysis.

A. SUSPICIOUS MODULE

Before we describe the method to intercept suspicious APIs and function calls, let us first discuss the Portable Executable (PE) format which is used by Windows-based executable files. PE contains various information in its header section. Fields and information revealed using the Portable Executable format:
• Imports: external library functions used by the malware
• Sections: names of sections in the file and their sizes on disk and in memory
• Resources: strings, icons, menus, and other information included in the file
• Time Date Stamp: time and date of the first compilation of the malware
• Exports: functions within the malware called by other programs or libraries
• Subsystem: indicates whether the program is a command-line or GUI application

Using this information, we parsed the executables using an external module available in Python called PEFILE. After parsing, we obtained the imports used by the executables. For extracting suspicious functions and APIs, we have used the latest predefined signatures. For example, if a program imports the function CreateRemoteThread, it is quite clear that it is trying to start a new thread in a remote process, which can be used by the malware to start a new process within an existing process. The executable is checked against a list of predefined suspicious APIs; if an entry of the list matches the import table of the executable, we select that API or function for the feature vector. Figure 3 shows the list of suspicious functions and APIs extracted from a malware sample.

Fig. 3. Lists of suspicious functions

B. ANTI-VM MODULE

Malware developers are well aware of the fact that most malware analysis is done in a virtual environment. As malware can infect the main machine during its analysis, malware analysts use virtual machines. Knowing this fact, the malware developers use Anti-VM techniques to detect the presence of virtual machines. If the malware detects a virtual machine, it will either simply not run or destroy itself in order to disrupt analysis or detection.

Joanna Rutkowska [18] introduced the concept called the RED PILL Anti-VM technique. This is based on the concept that each operating system (the host and the virtual machine) will have its own unique Interrupt Descriptor Table register (IDTR). Now, to avoid the conflict of placing both IDTRs in the same memory location, the virtual machine moves its IDTR to a different memory location. To read the memory location of the IDTR, an x86 instruction called SIDT is used, and hence one can clearly differentiate the presence of a host machine or a virtual machine. Figure 4 shows the Anti-VM technique detection of a sample.

Facts and observations:
• If the IDT is typically located at 0xffXXXXXX, then it is on a VMware guest machine.
• If it is located at 0xe8XXXXXX, then it is on a VirtualPC guest machine.
• On host operating systems, it is located lower than that, typically around 0x80ffffff (Windows) and 0xc0ffffff (Linux).
• If its leading byte is greater than 0xd0, you've got a virtual machine.
• If it is less than or equal to 0xd0, you are on a real machine.

Fig. 4. Anti-VM technique detection

C. ANTI-DEBUGGING MODULE

Generally, malware analysts use debuggers for analyzing malicious binaries. Malware developers use anti-debugging techniques to disrupt the analysis. When a malware detects that it is being executed under a debugger, it either crashes the debugger by modifying its code or it modifies the normal execution of the malware.
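The suspicious-import check, the Red Pill (SIDT) observations and the anti-debugging import check described above, as an added Python example that is not the paper's own code. It assumes the import names and code bytes come from pefile (the helper at the end shows how); the sample imports, the code stub and the short suspicious-API list are constructed for this example and are not the paper's 32-function list.

```python
"""Static anti-analysis feature extraction (added example, not the paper's code).

The suspicious-API list below is a small constructed subset, not the paper's
list of 32 functions; the sample imports and code bytes are constructed too.
"""
import re

# Constructed subset of suspicious imports (the paper names CreateRemoteThread).
SUSPICIOUS_APIS = (
    "CreateRemoteThread", "WriteProcessMemory", "VirtualAllocEx",
    "GetProcAddress", "SetWindowsHookExA", "URLDownloadToFileA",
)
# Debugger-detection APIs named in the paper's anti-debugging module.
ANTI_DEBUG_APIS = {
    "IsDebuggerPresent", "CheckRemoteDebuggerPresent",
    "OutputDebugStringA", "OutputDebugStringW",
}

# Opcode bytes shared by SGDT/SIDT/LGDT/LIDT...: 0F 01 followed by a ModRM byte.
_GROUP7 = re.compile(rb"\x0f\x01")


def find_sidt(code: bytes) -> list:
    """Return the offsets of SIDT instructions (0F 01 /1) found in `code`.

    SIDT has only a memory form, so ModRM.reg must be 001 and ModRM.mod must
    not be 11 (0F 01 C8, for example, is MONITOR, not SIDT). This is a raw
    byte-pattern scan, so a hit is a heuristic indicator of a Red Pill style
    check, not proof of one.
    """
    hits = []
    for m in _GROUP7.finditer(code):
        off = m.start()
        if off + 2 >= len(code):
            break
        modrm = code[off + 2]
        mod, reg = modrm >> 6, (modrm >> 3) & 7
        if reg == 1 and mod != 3:
            hits.append(off)
    return hits


def classify_idt_base(idt_base: int) -> str:
    """Apply the paper's Red Pill observations to a 32-bit IDT base address.

    Only the leading byte is examined, as in Rutkowska's original check.
    """
    top = (idt_base >> 24) & 0xFF
    if top == 0xFF:
        return "vmware guest"
    if top == 0xE8:
        return "virtualpc guest"
    if top > 0xD0:
        return "virtual machine"
    return "host"


def static_anti_analysis_features(imports, code: bytes) -> dict:
    """Binary feature vector (1 = present, 0 = absent) in the paper's notation."""
    present = set(imports)
    features = {api: int(api in present) for api in SUSPICIOUS_APIS}
    features["anti_debug"] = int(bool(present & ANTI_DEBUG_APIS))
    features["anti_vm_sidt"] = int(bool(find_sidt(code)))
    return features


def imports_from_pe(path: str) -> list:
    """Collect imported function names with pefile (assumed to be installed)."""
    import pefile  # the third-party module the paper uses; imported lazily
    pe = pefile.PE(path)
    names = []
    for entry in getattr(pe, "DIRECTORY_ENTRY_IMPORT", []):
        for imp in entry.imports:
            if imp.name:
                names.append(imp.name.decode("ascii", "replace"))
    return names


# Constructed sample: a few imports and a code stub that does
# push ebp; mov ebp, esp; sidt [ebp-6] (0F 01 4D FA); ret.
SAMPLE_IMPORTS = ["MessageBoxA", "CreateRemoteThread", "GetProcAddress",
                  "IsDebuggerPresent"]
SAMPLE_CODE = b"\x55\x8b\xec\x0f\x01\x4d\xfa\xc3"

if __name__ == "__main__":
    for name, flag in static_anti_analysis_features(SAMPLE_IMPORTS, SAMPLE_CODE).items():
        print(f"{name:20s} {flag}")
    print(classify_idt_base(0xFF800000))
```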

We are using Windows API based debugger detection. The technique manually searches for debugging artifacts in the memory structure. The Windows API provides various functions which can determine whether the program is being debugged or not. Some of the anti-debugging functions are IsDebuggerPresent, CheckRemoteDebuggerPresent, OutputDebugString, etc.

D. PACKER DETECTION MODULE

Packers are generally used as a software protector to prevent crackers from cracking proprietary software. However, packers are used by the malware developers these days to pack their malicious files to avoid antivirus detection. Whenever the malware analyst opens a packed malware, he has access only to the packer; in order to unpack the malicious program, the analyst must undo the methods performed by the packer to pack the program, which is quite difficult to perform.

In our work, we have used PEiD [19] to detect the type of packer used by the malware to avoid detection. PEiD parses the executables into various headers and code sections, which helps in analyzing the packed file in a much easier way. The PEiD program consists of the userdb database, which contains the signatures of the various packers which have been found to date. Our Python program uses regular expressions to match against the packers residing in userdb. Figure 5 shows packer detection of a malware sample.

Fig. 5. Packer detection

E. URL ANALYSIS MODULE

Malwares sometimes connect to certain websites and servers to send information about the compromised system. URL analysis analyzes which functions and APIs used in the executable are establishing a connection. This is achieved using the URLLIB module of Python and the PEFILE module to parse the executable. URL analysis involves analysis of suspicious connections with DLLs, strings and functions. It also parses the executables using Pefile to get the suspected URL connections, strings and file information. Figure 6 shows an adware connecting to a website called Flickerfree.com and making the system a host for its AdSense advertisements.

Fig. 6. URL Analysis

F. STATIC FEATURE VECTOR CREATION

We have extracted suspicious functions and APIs in the suspicious module, which are used as training data. In total, 32 suspicious functions are used as attributes. Other attributes in the training data consist of the features extracted from the Anti-VM, anti-debugging, packer analysis and URL analysis modules. Table I shows a sample static feature vector created using static analysis. We have used binary notation to depict the presence of a feature, where 1 means the feature is present and 0 means absent.

Table I. Static Feature Vector
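The userdb signature matching of the packer module, the URL extraction of the URL analysis module and the 0/1 row of Table I, as an added Python example that is not the paper's program. The userdb excerpt, the sample bytes, the entry-point offset and the printable strings are constructed for this example; in real use the signatures come from PEiD's userdb.txt and the bytes and entry point from pefile.

```python
"""PEiD-style packer signature matching, URL extraction and static feature
vector assembly (added example, not the paper's program).

The userdb excerpt, sample bytes and printable strings are constructed for
this example. Real use loads PEiD's userdb.txt and reads section bytes and
the entry point with pefile.
"""
import re

# Constructed excerpt in userdb.txt syntax. The first entry follows the public
# UPX pattern; the second is made up to exercise ep_only = false.
USERDB_TEXT = """
[UPX v0.89.6 - v1.02 / v1.05 - v1.24]
signature = 60 BE ?? ?? ?? ?? 8D BE ?? ?? ?? ?? 57 83 CD FF
ep_only = true

[Constructed packer (example only)]
signature = DE AD BE EF ?? CA FE
ep_only = false
"""


def signature_to_regex(sig: str):
    """Turn a userdb byte pattern into a compiled bytes regex; ?? is a wildcard."""
    parts = [b"." if tok == "??" else b"\\x%02x" % int(tok, 16)
             for tok in sig.split()]
    return re.compile(b"".join(parts), re.DOTALL)


def parse_userdb(text: str) -> list:
    """Parse [name] / signature = ... / ep_only = ... blocks into dicts."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = {"name": line[1:-1], "regex": None, "ep_only": True}
            entries.append(current)
        elif current is not None and "=" in line:
            key, _, value = (s.strip() for s in line.partition("="))
            if key == "signature":
                current["regex"] = signature_to_regex(value)
            elif key == "ep_only":
                current["ep_only"] = value.lower() == "true"
    return [e for e in entries if e["regex"] is not None]


def detect_packer(data: bytes, entry_point: int, db: list):
    """Name of the first matching signature, or None.

    ep_only entries must match exactly at the entry point, as PEiD requires;
    other entries may occur anywhere in the data.
    """
    for entry in db:
        if entry["ep_only"]:
            if entry["regex"].match(data, entry_point):
                return entry["name"]
        elif entry["regex"].search(data):
            return entry["name"]
    return None


URL_RE = re.compile(r"(?:https?://|www\.)[A-Za-z0-9._~:/?#@!$&'()*+,;=%-]+")


def extract_urls(strings) -> list:
    """Pick URL-looking values out of the printable strings of a sample."""
    urls = []
    for s in strings:
        urls.extend(URL_RE.findall(s))
    return urls


def static_feature_row(sample: str, suspicious_hits, anti_vm: bool,
                       anti_debug: bool, packer, urls, columns) -> list:
    """One row in the notation of Table I: sample name, then 0/1 per column."""
    hits = set(suspicious_hits)
    row = [sample] + [int(api in hits) for api in columns]
    return row + [int(anti_vm), int(anti_debug), int(packer is not None),
                  int(bool(urls))]


# Constructed sample: 16 filler bytes, then a UPX-style entry-point stub.
SAMPLE_EP = 16
SAMPLE_DATA = (b"\x00" * SAMPLE_EP
               + bytes.fromhex("60BE00104000" "8DBE00F0FFFF" "5783CDFF")
               + b"\x00" * 8)
SAMPLE_STRINGS = ["kernel32.dll", "http://flickerfree.com", "GetProcAddress"]

if __name__ == "__main__":
    db = parse_userdb(USERDB_TEXT)
    print(detect_packer(SAMPLE_DATA, SAMPLE_EP, db))
    print(extract_urls(SAMPLE_STRINGS))
```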

Table II. Dynamic Feature Vector

G. DYNAMIC ANALYSIS

We performed dynamic analysis using the NORIBEN sandboxing tool for extracting the API calls intercepted from the executable file during execution. NORIBEN is preferred over other sandboxing tools as it is lightweight and takes less time to generate the log files containing the analysis report. NORIBEN is comparatively new and hence there is less possibility of it being detected by malwares. The log files contain the APIs intercepted during the execution of the malware, modifications to the registry keys including creation and deletion of keys, network activities and other important information such as currently running processes, process IDs, etc. Table II shows a sample dynamic feature vector created using dynamic analysis.

H. THE INTEGRATED APPROACH

After extracting the static and dynamic features, our next objective is to combine the selected feature vectors obtained from the static and the dynamic analysis. The main motivation behind using the integrated approach is to prevent the malware developers from disrupting the analysis and detection of malwares by means of a single anti-analysis technique. For example, suppose the malware developer has employed an Anti-VM technique; then it may disrupt the static analysis of the malware, but it cannot disrupt the analysis done using the dynamic and integrated approaches. The malware developers cannot simultaneously employ anti-analysis techniques for all three approaches, i.e. static, dynamic and integrated.

We have selected features for the integrated approach based on which feature extraction is well suited for static and dynamic analysis individually. For example, suspicious functions like GetProcAddress, Anti-VM, anti-debugging and packer analysis are features which are best suited to be extracted from static analysis. Extracting functions executed during run time, such as LoadLibrary, modifying the registry and network settings, is well suited for dynamic analysis. Table III depicts the approach of feature selection for the proposed integrated approach. After combining the selected features, the sample integrated feature vector is shown in table IV.

Table III. Approach for integrated feature selection

Table IV. Integrated Feature Vector

I. CLASSIFICATION AND LEARNING USING WEKA

We created the feature vector in Excel format, which is converted to the CSV format recognized by WEKA, a free machine learning tool developed at the University of Waikato, New Zealand. The tool consists of various classification algorithms for analysis. We performed classification on the static analysis data set, the dynamic analysis data set and the integrated data set individually to compare the detection rates at a later stage. We referred to various online resources [20] [21] to choose the best classifier according to our data set and expected detection rate. For instance, Naïve Bayes is
best suited for small data sets. The Random Forest classifier is generally used when the data set is divided into various classes. Support Vector Machine (SVM) is used for text-based classification. Since our data set is small and consists of various classes of malware and suspicious APIs as string information, we have used Naive Bayes, Random Forest and Support Vector Machines as classifiers to classify the malware classes. For estimation, we have used the 10-fold cross validation technique. In this technique, the data set is divided into 10 parts of equal size, from which 9 parts are used for validation and 1 part is used for testing. This process is repeated 10 times so that each part can be used as test data. The result for every class is averaged to prove the efficiency of the classification algorithms for the entire data set.

V. RESULTS AND DISCUSSION

The data set obtained in CSV format is applied to three different classifiers, namely Naïve Bayes, Random Forest and Support Vector Machine (SVM). The detection rate is calculated on the basis of five metrics, which include True Positive Rate (TPR), False Positive Rate (FPR), Precision, Recall and Accuracy. On applying the classification algorithms to the static data set, the dynamic data set and the integrated data set separately, we noted the values of all five metrics mentioned above and plotted a column chart for a better comparison of the analysis approaches.

The classification result of the static analysis is shown in table V, where it can be observed that the detection rate is better using the Random Forest classifier with an accuracy of 69.72%, closely followed by the Naïve Bayes classifier with an accuracy of 68.23%. However, when we observe the classification results of dynamic analysis shown in table VI, the detection rate of dynamic analysis using the Random Forest classifier provides 63.3% accuracy, closely followed by Support Vector Machines (SVM) with an accuracy of 60.55%, which is lower as compared to static analysis. This is due to the fact that we have used additional features (the anti-analysis features) for static data extraction.

The classification results using the integrated approach, shown in table VII, clearly depict that the detection rate is better than static and dynamic analysis for all three classifiers we used in our work. The accuracy using the Random Forest classifier for static analysis, dynamic analysis, and the integrated approach is 69.72%, 63.30% and 73.47% respectively.

However, most of the papers we reviewed concluded that Support Vector Machines are the best classifiers for their respective data sets. E. Venkatesh et al. [22] used the n-gram approach for malware classification. They used a 100-sample data set, which is close to the number of samples we have used. They calculated 54% accuracy using Naïve Bayes and 72% accuracy using SVM. Compared to their result, our detection rate is much better.

Table V. Static Analysis Classification

Classifier      TPR   FPR   Precision  Recall  Accuracy
Naïve Bayes     67.9  8.4   68.19      68.20   68.2315
SVM             63.3  8.0   71.04      71.04   71.0131
Random Forest   69.7  7.6   68.1       69.7    69.72

Table VI. Dynamic Analysis Classification

Classifier      TPR   FPR   Precision  Recall  Accuracy
Naïve Bayes     54.1  10.7  57.2       54.1    54.12
SVM             60.6  9.3   59.4       60.6    60.55
Random Forest   63.3  9.5   59.01      63.3    63.302

Table VII. Integrated Approach Classification

Classifier      TPR   FPR   Precision  Recall  Accuracy
Naïve Bayes     70.6  6.8   69.5       70.6    70.642
SVM             66.1  7.8   64.7       66.1    60.055
Random Forest   73.3  7.4   73.1       73.5    73.47

VI. CONCLUSION AND FUTURE SCOPE

In this work, we have presented a framework to extract the anti-analysis features used by the malware developers and an integrated approach which uses the selected features of the static and dynamic analysis techniques. We have attained a better detection rate for the integrated approach compared to the static and dynamic analysis techniques for all three classification algorithms we have used. The results also show that the Random Forest classification algorithm is better for classification of the malware data set we have collected, as it provides better accuracy compared to the other classifiers.

In future, we plan to expand our data set and look for more static and dynamic features for higher accuracy and detection. We also expect to work on advanced malwares such as metamorphic and polymorphic malwares, so that the detection and classification of these malware types take less time compared to what it takes today.

REFERENCES

[1] Paul Mueller, Babak Yadegari. The Stuxnet Worm [online]. Accessed 2017. Available: https://www2.cs.arizona.edu/~collberg/Teaching/466-566/2012/Resources/presentations/2012/topic9-final/report.pdf
[2] Symantec threat research [online]. Accessed April 2017. Available: https://resource.elq.symantec.com/e/f2/
[3] A. Dhammi and M. Singh, "Behavior analysis of malware using machine learning," 2015 Eighth International Conference on Contemporary Computing (IC3), Noida, 2015, pp. 481-486. doi: 10.1109/IC3.2015.7346730
[4] H. V. Nath and B. M. Mehtre, "Static malware analysis using machine learning methods," Recent Trends in Computer Networks and Distributed Systems Security, vol. 420, pp. 440-450, 2014.
[5] Z. Salehi, M. Ghiasi, and A. Sami, "A miner for malware detection based on API function calls and their arguments," 16th CSI International Symposium on Artificial Intelligence and Signal Processing (AISP), pp. 563-568, May 2012.
[6] Z. Markel and M. Bilzor, "Building a machine learning classifier for malware detection," 2014 Second Workshop on Anti-malware Testing Research (WATeR), Canterbury, 2014, pp. 1-4. doi: 10.1109/WATeR.2014.7015757
[7] E. Carrera, Pefile Python module, 2014 [online]. Accessed September 2016. Available: https://pypi.python.org/pypi/pefile/
[8] M. G. Schultz, E. Eskin, E. Zadok, and S. J. Stolfo, "Data mining methods for detection of new malicious executables," in Proceedings of the 2001 IEEE Symposium on Security and Privacy, Washington, DC, USA: IEEE Computer Society, pp. 38-49, 2014.
[9] R. Tian, L. Batten, and S. Versteeg, "Function length as a tool for malware classification," Proceedings of the 3rd International Conference on Malicious and Unwanted Software, Fairfax, pp. 57-64, 7-8 October 2008.
[10] WEKA version 3.8.1, the University of Waikato. Available at: http://www.cs.waikato.ac.nz/ml/weka/ (Accessed: February 2017).
[11] J. Kolter and M. Maloof, "Learning to detect malicious executables in the wild," Proceedings of the 10th ACM SIGKDD International Conference on Knowledge Discovery and Data Mining, pp. 470-478, 2004.
[12] F. Ahmed, H. Hameed, M. Z. Shafiq, and M. Farooq, "Using spatio-temporal information in API calls with machine learning algorithms for malware detection," in AISec '09: Proceedings of the 2nd ACM Workshop on Security and Artificial Intelligence, New York, NY, USA: ACM, pp. 55-62, 2009.
[13] R. Islam, R. Tian, L. M. Batten, and S. Versteeg, "Classification of malware based on integrated static and dynamic features," Journal of Network and Computer Applications, vol. 36, pp. 646-656, 2013.
[14] Noriben malware analysis sandbox [online]. Accessed January 2017. Available: https://github.com/Rurik/Noriben
[15] Malware data set [online]. Accessed October 2016. Available: www.kernelmode.info
[16] Malware data set [online]. Accessed October 2016. Available: http://dasmalwerk.eu/
[17] Malware data set [online]. Accessed October 2016. Available: http://virusshare.com/
[18] Joanna Rutkowska, Red Pill technique for VM detection [online]. Accessed October 2016. Available: https://blog.invisiblethings.org/
[19] PEiD [online]. Accessed November 2016. Available: http://peid.info/
[20] Choosing a machine learning classifier [online]. Accessed March 2017. Available: http://blog.echen.me/2011/04/27/choosing-a-machine-learning-classifier/
[21] How to choose algorithms for Microsoft Azure Machine Learning [online]. Accessed March 2017. Available: https://docs.microsoft.com/en-us/azure/machine-learning/machine-learning-algorithm-choice
[22] E. Venkatesh and G. Srinivasulu, "Malware classification by using WEKA tool," International Journal of Engineering Science and Computing (IJESC), DOI 10.4010/2014.237, July 2014.
