Capturing the symptoms of malicious code in electronic documents by file's entropy signal combined with Machine learning.

2019 
Abstract. Email cyber-attacks based on malicious documents have become a popular technique in today's sophisticated attacks. Persistent efforts have been made in the past to detect such attacks, but the existing methods still share some common defects: they are unable to capture unknown attacks, they carry a high overhead in resources and time, and they can only be used to detect specific document formats. In this study, a new framework named ESRMD (Entropy signal Reflects the Malicious document) is proposed, which detects malicious documents based on the entropy distribution of the file. In essence, ESRMD is a machine learning classifier. What makes it distinctive is that it extracts global and structural entropy features from the entropy of the document rather than from the structural data or metadata of the file, which endows it with the ability to handle various document formats and to resist parser-confusion and obfuscation attacks. To assess the validity of the model, we conducted extensive experiments on a collected dataset of 10381 samples, containing malware (51.47%) and benign (48.53%) samples. The results show that our model achieves a good true positive rate, precision and ROC, with values of 96.00%, 96.69% and 99.2% respectively. We also compared ESRMD with some leading antivirus engines and prevalent tools. The results showed that our framework achieves a better performance than these engines and tools.
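The abstract describes turning a file into an entropy signal and deriving global and structural features from it for a classifier. The following is an added illustration of that idea and is not the ESRMD code or feature set from the paper: it computes a windowed Shannon entropy signal over a constructed byte string (a repetitive region, a region resembling packed or encrypted content, and a low-complexity text region) and extracts a small, assumed set of global and structural features from it. The window size, the 7.0 bits-per-byte threshold and the feature names are assumptions for the example.

```python
import math
from collections import Counter
from statistics import mean, pstdev

# Constructed stand-in for a document (not a real sample): a flat region,
# a region that looks packed/encrypted, then a low-complexity text region.
SAMPLE_DOC = b"A" * 512 + bytes(range(256)) * 2 + b"ab" * 256


def shannon_entropy(chunk: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 .. 8.0)."""
    if not chunk:
        return 0.0
    n = len(chunk)
    return -sum((c / n) * math.log2(c / n) for c in Counter(chunk).values())


def entropy_signal(data: bytes, window: int = 256) -> list:
    """Entropy of consecutive non-overlapping windows; the last window may be short."""
    return [shannon_entropy(data[i:i + window]) for i in range(0, len(data), window)]


def entropy_features(data: bytes, window: int = 256, high: float = 7.0) -> dict:
    """Global and structural features over the entropy signal (assumed feature set)."""
    if not data:
        raise ValueError("empty input has no entropy signal")
    sig = entropy_signal(data, window)
    flags = [e >= high for e in sig]  # windows that look packed/encrypted
    longest = run = 0
    for f in flags:
        run = run + 1 if f else 0
        longest = max(longest, run)
    return {
        # global: the whole-file byte distribution and summary statistics of the signal
        "file_entropy": shannon_entropy(data),
        "sig_mean": mean(sig),
        "sig_std": pstdev(sig),
        "sig_min": min(sig),
        "sig_max": max(sig),
        # structural: how much high-entropy content there is and how it is arranged
        "high_windows": sum(flags),
        "high_fraction": sum(flags) / len(sig),
        "longest_high_run": longest,
        "first_high_offset": next((i * window for i, f in enumerate(flags) if f), -1),
    }


if __name__ == "__main__":
    for name, value in entropy_features(SAMPLE_DOC).items():
        print(f"{name:>18}: {value}")
```

The resulting feature vector is what a classifier such as the one described above would consume; a file with a long run of near-8.0 windows sitting between ordinary document content is the kind of structural signature this representation exposes regardless of the container format.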