Adobe Malware Classifier – Perform quick, easy classification of binaries for malware analysis.

Adobe Malware Classifier is a command-line tool that lets antivirus analysts, IT administrators, and security researchers quickly and easily determine if a binary file contains malware, so they can develop malware detection signatures faster, reducing the time in which users’ systems are vulnerable. Malware Classifier uses machine learning algorithms to classify Win32 binaries – EXEs and DLLs – into three classes: 0 for “clean,” 1 for “malicious,” or “UNKNOWN.”

The tool was developed using models resultant from running the J48, J48 Graft, PART, and Ridor machine-learning algorithms on a dataset of approximately 100,000 malicious programs and 16,000 clean programs.

The tool extracts seven key features from an unknown binary, feeds them to one of the four classifiers or to all of them, and presents its classification of the unknown binary.

Features:

  • malware classification

# Adobe(R) Malware Classifier
# Contributor: Karthik Raman, Adobe Systems Incorporated
# Dependencies: Python pefile, Python argparse
# Program to classify unknown Win32 binaries (EXEs or DLLs) into
# 0 = CLEAN
# 1 = DIRTY
""" Results on dataset of ~130000 dirty, ~16000 clean files
(FP = False Positives, TN = True Negatives, TP = True Positives, FN = False Negatives, followed by rates)

Classifier  FP     TN     TP      FN     TP Rate      FP Rate      Accuracy
J48         7683   37171  130302  3451   0.97419871   0.171289071  0.937662018
J48Graft    6780   38074  129087  4666   0.965114801  0.151157087  0.935915166
PART        7074   36492  125060  9412   0.930007734  0.162374329  0.907401791
Ridor       7390   37935  114194  20930  0.845105237  0.163044677  0.843058149

usage: [-h] [-f filename] [-n model] [-v [verbose]]

Classify an unknown binary as MALWARE or CLEAN.

optional arguments:
-h, --help    show this help message and exit
-f filename   The name of the input file
-n model      The ordinal for model classifier: 0=all (default) | 1=J48 |
2=J48Graft | 3=PART | 4=Ridor
-v [verbose]  Dump the PE data being processed
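The results table above gives only raw counts and three rates. The following added example (not part of Adobe Malware Classifier) recomputes those rates from the counts, which confirms the formulas behind them, and adds precision and balanced accuracy, which the table omits and which make the roughly 15–17% false-positive rate visible that the headline accuracy hides. The `Confusion` type, `RESULTS` table and function names are this example's own.

```python
# Added example: recompute the Adobe Malware Classifier results table from its
# confusion-matrix counts and derive two rates the table does not print.
from dataclasses import dataclass


@dataclass(frozen=True)
class Confusion:
    fp: int  # clean files flagged as malicious
    tn: int  # clean files correctly passed
    tp: int  # malicious files correctly flagged
    fn: int  # malicious files missed


# Counts copied from the results table for the four models.
RESULTS = {
    "J48":      Confusion(fp=7683, tn=37171, tp=130302, fn=3451),
    "J48Graft": Confusion(fp=6780, tn=38074, tp=129087, fn=4666),
    "PART":     Confusion(fp=7074, tn=36492, tp=125060, fn=9412),
    "Ridor":    Confusion(fp=7390, tn=37935, tp=114194, fn=20930),
}


def metrics(c: Confusion) -> dict:
    """Rates as printed in the table (TP Rate, FP Rate, Accuracy) plus two it omits."""
    tpr = c.tp / (c.tp + c.fn)                        # recall on malicious files
    fpr = c.fp / (c.fp + c.tn)                        # share of clean files flagged
    acc = (c.tp + c.tn) / (c.tp + c.tn + c.fp + c.fn)  # skewed by the dirty:clean imbalance
    precision = c.tp / (c.tp + c.fp)                  # of flagged files, share actually malicious
    balanced = (tpr + (1 - fpr)) / 2                  # mean of recall on each class
    return {"tp_rate": tpr, "fp_rate": fpr, "accuracy": acc,
            "precision": precision, "balanced_accuracy": balanced}


def matches_table(name: str, tp_rate: float, fp_rate: float,
                  accuracy: float, tol: float = 1e-6) -> bool:
    """True if the recomputed rates agree with the figures printed for that model."""
    m = metrics(RESULTS[name])
    return (abs(m["tp_rate"] - tp_rate) < tol and abs(m["fp_rate"] - fp_rate) < tol
            and abs(m["accuracy"] - accuracy) < tol)


if __name__ == "__main__":
    for name, c in RESULTS.items():
        m = metrics(c)
        print(f"{name:9} TPR={m['tp_rate']:.4f} FPR={m['fp_rate']:.4f} "
              f"acc={m['accuracy']:.4f} prec={m['precision']:.4f} "
              f"balanced={m['balanced_accuracy']:.4f}")
```

For signature development the FP rate is the operative number: at ~17% roughly one clean file in six is flagged, so a classifier verdict is a triage hint to be confirmed, not a detection on its own.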
