
A comparison of static, dynamic, and hybrid analysis for malware detection

  • Anusha Damodaran
  • Fabio Di Troia
  • Corrado Aaron Visaggio
  • Thomas H. Austin
  • Mark Stamp
Original Paper

Abstract

In this research, we compare malware detection techniques based on static, dynamic, and hybrid analysis. Specifically, we train Hidden Markov Models (HMMs) on both static and dynamic feature sets and compare the resulting detection rates over a substantial number of malware families. We also consider hybrid cases, where dynamic analysis is used in the training phase, with static techniques used in the detection phase, and vice versa. In our experiments, a fully dynamic approach generally yields the best detection rates. We discuss the implications of this research for malware detection based on hybrid techniques.
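The pipeline the abstract describes, reduced to a runnable sketch. This is an added example, not code from the paper or its authors: it trains a discrete HMM (Baum-Welch with the forward/backward scaling from Stamp's tutorial) on opcode sequences from one "family", scores held-out sequences by log-likelihood per opcode, and reports the ROC AUC for every train-view/test-view pair, including the two hybrid cases (train on the dynamic view, test on the static one, and vice versa). Everything about the data is constructed: the six-opcode alphabet, the four-opcode family pattern, the benign streams (uniform random opcodes), and the idea that the static view of a family sample carries more junk than its execution trace (pattern rates 0.5 and 0.9). The abstract does not say which features the paper used, so treating both views as opcode sequences over one shared alphabet is an assumption; the toy numbers illustrate the mechanics only and say nothing about which view wins on real samples.

```python
# Added example (not the paper's code): HMM scoring of opcode streams, static vs. dynamic.
import math
import random

OPCODES = ["mov", "push", "call", "pop", "xor", "jmp"]   # toy alphabet (assumption)
SYM = {op: k for k, op in enumerate(OPCODES)}
FAMILY_PATTERN = ["mov", "push", "call", "pop"]          # constructed family signature

def family_seq(rng, length, pattern_rate):
    """Constructed family stream: pattern blocks mixed with junk opcodes. A trace
    (dynamic view) executes mostly pattern; disassembly (static) shows more junk."""
    out = []
    while len(out) < length:
        out.extend(FAMILY_PATTERN if rng.random() < pattern_rate else [rng.choice(OPCODES)])
    return [SYM[o] for o in out[:length]]

def benign_seq(rng, length):  # constructed benign stream: uniformly random opcodes
    return [SYM[rng.choice(OPCODES)] for _ in range(length)]

def forward(model, obs):
    """Scaled forward pass; returns alpha and the per-step scale factors c_t."""
    A, B, pi = model
    N, T = len(pi), len(obs)
    alpha, scale = [[0.0] * N for _ in range(T)], [0.0] * T
    for t in range(T):
        for j in range(N):
            prior = pi[j] if t == 0 else sum(alpha[t - 1][i] * A[i][j] for i in range(N))
            alpha[t][j] = prior * B[j][obs[t]]
        scale[t] = 1.0 / max(sum(alpha[t]), 1e-300)   # guard: symbol unseen in training
        alpha[t] = [a * scale[t] for a in alpha[t]]
    return alpha, scale

def backward(model, obs, scale):
    """Scaled backward pass using forward()'s scale factors."""
    A, B, pi = model
    N, T = len(pi), len(obs)
    beta = [[scale[T - 1]] * N for _ in range(T)]
    for t in range(T - 2, -1, -1):
        for i in range(N):
            beta[t][i] = scale[t] * sum(A[i][j] * B[j][obs[t + 1]] * beta[t + 1][j] for j in range(N))
    return beta

def log_score(model, obs):
    """Log-likelihood per opcode, log P(O | model) / len(O), so lengths are comparable."""
    return -sum(math.log(c) for c in forward(model, obs)[1]) / len(obs)

def baum_welch(seqs, N, M, iters, seed):
    """Train an N-state, M-symbol HMM on sequences of length >= 2; returns (A, B, pi)
    and the total training log-likelihood recorded before each re-estimation."""
    rng = random.Random(seed)
    def row(k):                                   # near-uniform random stochastic row
        r = [1.0 + 0.1 * rng.random() for _ in range(k)]
        return [x / sum(r) for x in r]
    pi, A, B = row(N), [row(N) for _ in range(N)], [row(M) for _ in range(N)]
    history = []
    for _ in range(iters):
        pi_n, A_n = [0.0] * N, [[0.0] * N for _ in range(N)]
        B_n, ll = [[0.0] * M for _ in range(N)], 0.0
        for obs in seqs:
            alpha, scale = forward((A, B, pi), obs)
            beta = backward((A, B, pi), obs, scale)
            ll -= sum(math.log(c) for c in scale)
            for t in range(len(obs)):
                gamma = [0.0] * N
                if t < len(obs) - 1:              # di-gamma feeds A; its row sums are gamma
                    for i in range(N):
                        for j in range(N):
                            d = alpha[t][i] * A[i][j] * B[j][obs[t + 1]] * beta[t + 1][j]
                            A_n[i][j] += d
                            gamma[i] += d
                else:
                    gamma = alpha[t]              # scaled alpha at T-1 already sums to 1
                for i in range(N):
                    pi_n[i] += gamma[i] if t == 0 else 0.0
                    B_n[i][obs[t]] += gamma[i]
        pi = [p / sum(pi_n) for p in pi_n]        # each re-estimate is count / row total
        A = [[a / sum(r) for a in r] for r in A_n]
        B = [[b / sum(r) for b in r] for r in B_n]
        history.append(ll)
    return (A, B, pi), history

def auc(pos_scores, neg_scores):
    """Area under the ROC curve via pairwise ranking (ties count one half)."""
    wins = sum(1.0 if p > n else 0.5 if p == n else 0.0 for p in pos_scores for n in neg_scores)
    return wins / (len(pos_scores) * len(neg_scores))

def run_experiments(seed=1, n_train=20, n_test=20, length=100):
    """AUC for each train-view/test-view pair; rates 0.5/0.9 are constructed stand-ins."""
    rng = random.Random(seed)
    views = {"static": 0.5, "dynamic": 0.9}
    results = {}
    for train_view, train_rate in views.items():
        train = [family_seq(rng, length, train_rate) for _ in range(n_train)]
        model, _ = baum_welch(train, 2, len(OPCODES), iters=15, seed=seed)
        for test_view, test_rate in views.items():
            mal = [log_score(model, family_seq(rng, length, test_rate)) for _ in range(n_test)]
            ben = [log_score(model, benign_seq(rng, length)) for _ in range(n_test)]
            results[f"train {train_view} / test {test_view}"] = auc(mal, ben)
    return results
```

Call run_experiments() to get the four AUCs keyed by view pair; the two hybrid cases are the mismatched-view keys. The per-opcode normalisation in log_score matters because raw log P(O | λ) scales with sequence length, which would otherwise dominate any comparison between a disassembly and a trace of different lengths. The scaling in forward/backward keeps the likelihood from underflowing on long streams, and an unseen symbol is clamped rather than crashing the scorer, which is the first failure mode a practitioner hits when the test-time view contains opcodes the training view never produced.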

Keywords

Receiver Operating Characteristic Curve, Hidden Markov Model, Control Flow Graph, Precision-Recall Curve, Signature-Based Detection
(Keywords added by machine, not by the authors.)


Copyright information

© Springer-Verlag France 2015

Authors and Affiliations

  • Anusha Damodaran (1)
  • Fabio Di Troia (2)
  • Corrado Aaron Visaggio (2)
  • Thomas H. Austin (1)
  • Mark Stamp (1)
  1. Department of Computer Science, San Jose State University, San Jose, USA
  2. Department of Engineering, Università degli Studi del Sannio, Benevento, Italy
