Skip to content

Adithya1209/pe-header-malware-classifier

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

1 Commit
 
 
 
 
 
 
 
 
 
 

Repository files navigation

Malware Detection via PE Header Analysis

This project is a machine learning system designed to identify malicious Windows executables through Static Analysis. Instead of running a suspicious file (which is dangerous), this system inspects the file's internal structure—specifically the Portable Executable (PE) header—to determine if it is malware.

🔍 How It Works

The detection process follows a three-stage pipeline:

1. Static Feature Extraction

When a file (.exe or .dll) is uploaded, the system uses the pefile library to parse its header. It extracts critical metadata that characterizes the file's behavior and origin, such as:

  • Machine Type: The architecture the file is intended for.
  • Characteristics: Flags indicating if the file is a system file, a DLL, etc.
  • Address of Entry Point: Where execution begins (often manipulated by malware).
  • Subsystem: Whether it's a GUI, Console, or Native application.
  • Section Alignment: How the file is structured in memory.

2. Intelligent Feature Selection

A standard PE header contains dozens of fields. To ensure high accuracy and speed, the project uses an ExtraTreesClassifier to rank feature importance. By selecting only the most "informative" headers (like MajorLinkerVersion or SizeOfStackReserve), the model filters out noise and focuses on the patterns most common in malware.

3. Classification via Random Forest

The core engine is a Random Forest Classifier. This model was chosen because it excels at handling the non-linear relationships found in malware data. It operates by constructing a multitude of decision trees during training and outputting the class that is the mode of the classes (1 for Malware, 0 for Legitimate) of the individual trees.

💻 The Web Interface

The project includes a Flask-based web dashboard. It provides a simple "Upload and Analyze" workflow:

  1. Upload: User submits an executable.
  2. Analyze: The server extracts headers and runs them through the trained model.
  3. Report: The UI displays a clear "Malware" or "Legitimate" verdict based on the model's confidence.

🚀 Quick Start

  1. Install Dependencies: pip install -r requirements.txt
  2. Train (Optional): Run python model_training.py with your dataset.
  3. Run App: python app.py and visit http://127.0.0.1:5000.

About

Static malware analysis tool using Machine Learning to classify executable files based on PE headers.

Resources

Stars

0 stars

Watchers

0 watching

Forks

Releases

No releases published

Packages

 
 
 

Contributors