Malware Analysis By Combining Multiple Detectors and Observation Windows

Malware developers continually attempt to modify the execution pattern of malicious code hiding it inside apparent normal applications, which makes its detection and classification challenging. This paper proposes an ensemble detector, which exploits the capabilities of the main analysis algorithms proposed in the literature designed to offer greater resilience to specific evasion techniques. In particular, the paper presents different methods to optimally combine both generic and specialized detectors during the analysis process, which can be used to increase the unpredictability of the detection strategy, as well as improve the detection rate in presence of unknown malware families and provide better detection performance in the absence of a constant re-training of detector needed to cope with the evolution of malware. The paper also presents an alpha-count mechanism that explores how the length of the observation time window can affect the detection accuracy and speed of different combinations of detectors during the malware analysis. An extended experimental campaign has been conducted on both an open-source sandbox and an Android smartphone with different malware datasets. A trade-off among performance, training time, and mean-time-to-detect is presented. Finally, a comparison with other ensemble detectors is also presented.