Clasificación de malware con características estáticas mediante algoritmos de aprendizaje automático

The exponential growth of modern malware and the sophistication of its evasion techniques demand automated and scalable detection methods. This Master's thesis presents a malware family classification system based on static analysis and supervised learning (XGBoost). Using a real dataset of...

Descripción completa

Detalles Bibliográficos
Autor: Chamorro Alvarado, Verónica Lucía
Tipo de recurso: tesis de maestría
Fecha de publicación:2026
País:España
Institución:Universitat Oberta de Catalunya (UOC)
Repositorio:O2, repositorio institucional de la UOC
OAI Identifier:oai:openaccess.uoc.edu:10609/154346
Acceso en línea:https://hdl.handle.net/10609/154346
Access Level:acceso abierto
Palabra clave:malware
clasificación de malware
random forest
machine learning
XGBoost
Computer security -- TFM
Seguretat informàtica -- TFM
Descripción
Sumario:The exponential growth of modern malware and the sophistication of its evasion techniques demand automated and scalable detection methods. This Master's thesis presents a malware family classification system based on static analysis and supervised learning (XGBoost). Using a real dataset of 65,000 samples collected from VirusShare and enriched with the VirusTotal API, a hybrid feature vector was constructed that combines structural (entropy, sections) and behavioral (API Imports) metrics. The results demonstrate the model's effectiveness in identifying unobfuscated native Windows malware, achieving over 95\% accuracy in traditional families. However, the study reveals a critical limitation of static analysis: its inability to correctly classify tightly packed samples or non-Windows architectures (IoT), where the detection rate drops drastically. Additionally, a label noise problem was identified, stemming from inconsistencies between antivirus engines. This work concludes that, while static machine learning is an efficient first line of defense, it requires dynamic unpacking mechanisms to deal with modern obfuscated threats.