This project is a machine learning system designed to identify malicious Windows executables through Static Analysis. Instead of running a suspicious file (which is dangerous), this system inspects the file's internal structure—specifically the Portable Executable (PE) header—to determine if it is malware.
The detection process follows a three-stage pipeline:
When a file (.exe or .dll) is uploaded, the system uses the pefile library to parse its header. It extracts critical metadata that characterizes the file's behavior and origin, such as:
- Machine Type: The architecture the file is intended for.
- Characteristics: Flags indicating if the file is a system file, a DLL, etc.
- Address of Entry Point: Where execution begins (often manipulated by malware).
- Subsystem: Whether it's a GUI, Console, or Native application.
- Section Alignment: How the file is structured in memory.
A standard PE header contains dozens of fields. To ensure high accuracy and speed, the project uses an ExtraTreesClassifier to rank feature importance. By selecting only the most "informative" headers (like MajorLinkerVersion or SizeOfStackReserve), the model filters out noise and focuses on the patterns most common in malware.
The core engine is a Random Forest Classifier. This model was chosen because it excels at handling the non-linear relationships found in malware data. It operates by constructing a multitude of decision trees during training and outputting the class that is the mode of the classes (1 for Malware, 0 for Legitimate) of the individual trees.
The project includes a Flask-based web dashboard. It provides a simple "Upload and Analyze" workflow:
- Upload: User submits an executable.
- Analyze: The server extracts headers and runs them through the trained model.
- Report: The UI displays a clear "Malware" or "Legitimate" verdict based on the model's confidence.
- Install Dependencies:
pip install -r requirements.txt - Train (Optional): Run
python model_training.pywith your dataset. - Run App:
python app.pyand visithttp://127.0.0.1:5000.