Discovering Malware with Time Series Shapelets

Abstract

Malicious software (‘malware’) detection systems are usually signature-based and cannot stop attacks by malicious files they have never encountered. To stop these attacks, we need statistical learning approaches to identify root patterns behind execution of malware. We propose a machine learning approach for detection of malware from portable executable (PE) files. We create an ‘entropy time series’ representation of the content of each file, and then apply a unique time series classification method (called ‘shapelets’) for identifying malware. The shapelet-based approach picks up local discriminative features from the entropy signals. Our approach is file format agnostic, can deal with varying lengths in input instances, and provides fast classification. We evaluate our method on an industrial dataset containing thousands of executable files, and comparison with state-of-the-art methods illustrates the performance of our approach. This work is the first to use time series shapelets for malware detection and information security applications.