Detection of obfuscation in java']java malware

Code obfuscation was introduced as a viable technique to prevent reverse engineering of software applications. Obfuscation protects an application's key algorithms and data structures from theft by hackers. However, malware authors use the same techniques to create a malware or insert malicious logic into a legitimate application. This paper proposes an analysis system to detect lexical and string obfuscation in Java malware. We identify a set of eleven features that characterizes obfuscated code, and use it to train a machine learning classifier to distinguish between obfuscated and non-obfuscated malware. The features are extracted using a static analyzer that examines bytecode. Our experimental results based on a dataset of 375 malware samples containing 182927 strings and 12721 Java classes provide an accuracy of 99%. The proposed features are effective even when a dictionary is employed for lexical obfuscation. We evaluated the robustness of our features by calculating chi-squared statistic for each feature. (C) 2016 The Authors. Published by Elsevier B.V.