Research Article
A Malware Detection Scheme Based on Mining Format Information
Table 4
The mean values of selected features.
| Feature selected by CfsSubsetEval | Feature selected by WrapperSubsetEval | Mean value (malware) | Mean value (benign software) |
| --- | --- | --- | --- |
| SizeOfDebugData | SizeOfDebugData | 0.982 | 22.6 |
| ImageBase | ImageBase | 1.7 × 10^7 | 7.6 × 10^8 |
| SizeOfCertificateTable | SizeOfCertificateTable | 8.87 | 2.8 × 10^3 |
| DllCharacteristics | DllCharacteristics | 29.8 | 3.6 × 10^3 |
| .reloc.characteristics | .reloc.characteristics | 7.4 × 10^8 | 9.3 × 10^8 |
| SizeOfLoadConfigurationTable | — | 1.0 × 10^5 | 22.7 |
| NumberOfVERSION | NumberOfVERSION | 0.408 | 0.95 |
| Characteristics | Characteristics | 1.5 × 10^4 | 7.1 × 10^3 |
| — | GetModuleHandle | 0.001 | 0.23 |
| AddressOfDebugData | — | 3 × 10^3 | 1.4 × 10^5 |
| lstrlenW | — | 0.005 | 0.296 |
| DisableThreadLibraryCall | — | 0.003 | 0.253 |
| .rsrc.characteristics | — | 1.4 × 10^9 | 1.0 × 10^9 |
| — | CreateFileW | 0.002 | 0.204 |
| — | _initterm | 0.036 | 0.416 |
| — | RegDeleteKey | 0 | 0.1 |
| __adjust_fdiv | — | 0.035 | 0.415 |
| mscoree.dll | mscoree.dll | 0.002 | 0.189 |
| NumberOfGROUP ICON | — | 0.879 | 1.204 |
| — | BaseOfCode | 7.3 × 10^4 | 7.8 × 10^3 |
| wsock32.dll | wsock32.dll | 0.259 | 0.016 |
| — | .text.Characteristics | 1.4 × 10^9 | 1.5 × 10^9 |
| — | .rdata.Characteristics | 6.2 × 10^8 | 3.5 × 10^8 |
| NumberOfMESSAGE TABLE | — | 0.002 | 0.057 |
| NumberofAPIs | NumberofAPIs | 65.1 | 97.1 |
| SizeOfHeapReserve | — | 1.5 × 10^6 | 1.0 × 10^6 |
| — | imm32.dll | 0.001 | 0.013 |
| — | NumberOfSymbols | 3.1 × 10^6 | 15.9 |
| — | Numberofsections | 4.8 | 4.1 |