Static Analysis of the Executable File Structure to Detect and Cluster Unknown Malware

One of the most popular ways to detect malware is to find a match for malware file signature pattern in the malware signature database. The malware signature database is pre-extracted and is constantly updated. Checking the similarity of input data using the stored signatures causes storage problems and increases the calculation costs. In addition, the detection based on adapting the malware signature pattern fails when changing the malware code in polymorphic malware. In this paper, by combining the static analysis of executable file structure and the machine learning algorithms, an effective method for malware detection is presented. The data set for training and evaluation of the proposed method includes 36,567 samples of malware and 17295 benign files, and the malware is clustered in 7 families. The results show that the presented method is able to detect and cluster malware from benign files with an accuracy of more than 99% and a false positive rate less than 0.4%. The proposed method has very low processing overheads compared to similar methods and the average scanning time of executable files is 0.244 second.