Experiments on Recognition of Malware Based on Static Opcode Occurrence Distribution

This paper discusses a static method for recognizing malicious code samples by comparing opcode distributions created through a novel approach. Distributions are created by aggregating the number of operations between consecutive calls of an opcode. Creating these distributions for each file and comparing them to ground truth distributions representing benign and malicious code samples creates a set of input values that can lead to an accurate method of malicious code detection. This paper also provides a dataset of distributions and describes the methods used to create these distributions.