Please wait ...

MalFe Logo

Malware Feature Engineering

A one-stop hub for all security machine learning researchers.

About MalFe

The goal of this platform is to bring forth a new stronger data platform that can be used to generate custom datasets that can aid security researchers in building better machine learning models to combact malware. This platform relies on cuckoo reports of analysed malware samples and then gives security researchers the ability to use these reports to build their own datasets, add reports, add public datasets and even use it for private use.

Number of Public Datasets
Number of Public Reports
Number of Private Datasets
Number of Private Reports

How MalFe Works?

To use MalFe is relatively easy, but requires you to have a knowledge of machine learning and security. The functionality and workflow is presented in the video below:

Popular Datasets

Ransomware_Detection_Using_PE_Imports
A dataset of the function names of PE imports and the DLL the functions are called from.


function_name dll category label SHA256
0 SysFreeString oleaut32.dll Ransomware M 4e0d1edb76747fd945b87dd18299298f0df719edbea946119d91db59a9b6527a
1 SysReAllocStringLen oleaut32.dll Ransomware M 4e0d1edb76747fd945b87dd18299298f0df719edbea946119d91db59a9b6527a
... ... ... ... ... ...
140259 VariantClear oleaut32.dll Ransomware M eb920e0fc0c360abb901e04dce172459b63bbda3ab8152350885db4b44d63ce5
140260 VariantInit oleaut32.dll Ransomware M eb920e0fc0c360abb901e04dce172459b63bbda3ab8152350885db4b44d63ce5

140261 rows × 5 columns

Created by: Tanatswa Dendere
Downloaded 5 times
April 26, 2023, 9:22 a.m.
Crypt API Statistics of Ransomware
This dataset explores the API calls that utilize Crypt functionality as outlined by the study S. H. Kok, A. Abdullah, and N. Z. Jhanjhi, “Early detection of crypto-ransomware using pre-encryption detection algorithm,” Journal of King Saud University - Computer and Information Sciences, vol. 34, no. 5, pp. 1984–1999, May 2022, doi: 10.1016/j.jksuci.2020.06.012.


category label NtWriteVirtualMemory UuidCreate NtDelayExecution NtSetInformationFile NtWriteFile CreateThread NtReadVirtualMemory VirtualFreeEx CreateDirectoryW VirtualProtectEx SetFilePointer SHA256
0 Ransomware M 0 0 0 0 0 0 0 0 0 0 51 4e0d1edb76747fd945b87dd18299298f0df719edbea946119d91db59a9b6527a
1 Ransomware M 0 0 0 0 0 0 0 0 2 0 0 4e0d1edb76747fd945b87dd18299298f0df719edbea946119d91db59a9b6527a
... ... ... ... ... ... ... ... ... ... ... ... ... ... ...
11428 Ransomware M 0 0 0 0 0 0 0 0 0 0 1 eb920e0fc0c360abb901e04dce172459b63bbda3ab8152350885db4b44d63ce5
11429 Ransomware M 0 0 0 0 0 0 0 0 0 0 1 eb920e0fc0c360abb901e04dce172459b63bbda3ab8152350885db4b44d63ce5

11430 rows × 14 columns

Created by: Avinash
Downloaded 4 times
June 19, 2023, 11:36 a.m.
Ransomware_Detection_Using_Features_of_PE_Imports
A dataset of features of the imports of portable executables (PE Imports). The features extracted are: a ratio of the number of functions utilized per DLL imported, the number of functions that have additional (non-alphabetic) characters, the number of 'blacklisted functions' utilized by that PE file, the number of 'whitelisted' functions, whether all Register keys opened/ created are deleted at the end of the application, the number of native functions utilized, and how many times a function is accessed from Python.


label ave_functions_utilised_from_dlls_imported bogus_functions num_blacklisted_functions num_whitelisted_functions persistent_reg_key num_of_native_functions num_of_accesses_from_python SHA256
0 M 1.115312 37 0.133333 0.333333 1 0 0 4e0d1edb76747fd945b87dd18299298f0df719edbea946119d91db59a9b6527a
1 M 24.500000 0 0.066667 0.000000 0 0 0 bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a
... ... ... ... ... ... ... ... ... ...
1829 M 2.950617 2 0.200000 0.000000 0 0 0 7d809e8c9b98c16647bbfac49854c28ecc3fe6d4345410deeaa79445cc50cf51
1830 M 0.813333 0 0.000000 0.333333 0 0 0 eb920e0fc0c360abb901e04dce172459b63bbda3ab8152350885db4b44d63ce5

1831 rows × 9 columns

Created by: Tanatswa Dendere
Downloaded 4 times
Sept. 19, 2023, 8:34 p.m.
Ransomware_Detection_Using_Features_of_PE_Imports_2
A dataset of Portable Executable files and the features extracted from their imports (PE Imports). The following are the features extracted: 1. The number of functions utilized per DLL imported as a ratio, 2. The number of 'bogus' functions, that is functions that are made-up and typically have additional (non-alphabetic) characters in the name, 3. The number of functions utilized by that PE file that are blacklisted as functions typically imported by ransomware files, 4. The number of functions utilized by that PE file that are typically imported and used exclusively by good-ware files 'whitelisted' functions, 5. The difference of the number of register keys opened/ created and those deleted by the end of the application, and 6. The number of native functions utilized by the PE file.


label ave_functions_utilised_from_dlls_imported bogus_functions num_blacklisted_functions num_whitelisted_functions persistent_reg_key num_native_functions SHA256
0 M 1.115312 37 2 1 -1 0 4e0d1edb76747fd945b87dd18299298f0df719edbea946119d91db59a9b6527a
1 M 24.500000 0 1 0 0 0 bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a
... ... ... ... ... ... ... ... ...
1829 M 2.950617 2 3 0 0 0 7d809e8c9b98c16647bbfac49854c28ecc3fe6d4345410deeaa79445cc50cf51
1830 M 0.813333 0 0 1 0 0 eb920e0fc0c360abb901e04dce172459b63bbda3ab8152350885db4b44d63ce5

1831 rows × 8 columns

Created by: Tanatswa Dendere
Downloaded 4 times
Sept. 27, 2023, 10:28 p.m.

Contact Us

Department of Computer Science, University of Pretoria

Loading
Your message has been sent. Thank you!