A Study on Similarity Calculation Method for API Invocation Sequences
Malware variants have been developed and spread on the Internet, and the number of new malware variants increases every year. Recently, obfuscation and mutation techniques have been applied to malware to hide its presence, and malware variants are produced with various automatic tools that transform the properties of existing malware in order to evade detection systems based on static analysis. Because such obfuscated malware is difficult to detect with static signatures, we have designed a detection system based on dynamic analysis. In this paper, we propose a dynamic analysis based system that uses API invocation sequences to compare the behavior of suspicious software with the behavior of existing malware.
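As an added illustration of the comparison the abstract describes (this is not the paper's own code; the page does not state which similarity measure the authors use), the following Python scores a suspicious sample's API invocation sequence against a known-malware sequence with two assumed measures, an order-sensitive LCS ratio and a bigram Jaccard index. The API traces are constructed for the example, in the shape a sandbox would log them, and the 0.7 threshold is an assumed value.

```python
from collections import Counter
from typing import Dict, List, Sequence

# Constructed sample traces (not from the paper): ordered API names as a sandbox
# would log them. The suspicious trace shares the malware's core behaviour.
KNOWN_MALWARE: List[str] = [
    "NtCreateFile", "NtWriteFile", "RegOpenKeyExW", "RegSetValueExW",
    "CreateProcessInternalW", "InternetOpenA", "InternetConnectA", "HttpSendRequestA",
]
SUSPICIOUS: List[str] = [
    "LdrLoadDll", "NtCreateFile", "NtWriteFile", "RegOpenKeyExW",
    "RegSetValueExW", "CreateProcessInternalW", "InternetOpenA", "HttpSendRequestA",
]
BENIGN: List[str] = [
    "LdrLoadDll", "NtOpenFile", "NtReadFile", "NtClose",
    "GetSystemTimeAsFileTime", "NtQueryValueKey", "NtClose",
]


def lcs_length(a: Sequence[str], b: Sequence[str]) -> int:
    """Longest common subsequence via the rolling-row dynamic programme."""
    prev = [0] * (len(b) + 1)
    for x in a:
        cur = [0]
        for j, y in enumerate(b):
            cur.append(prev[j] + 1 if x == y else max(prev[j + 1], cur[j]))
        prev = cur
    return prev[-1]


def lcs_similarity(a: Sequence[str], b: Sequence[str]) -> float:
    """Order-sensitive score in [0, 1]: 2*LCS/(|a|+|b|); tolerates inserted or dropped calls."""
    if not a and not b:
        return 1.0
    return 2 * lcs_length(a, b) / (len(a) + len(b))


def ngram_jaccard(a: Sequence[str], b: Sequence[str], n: int = 2) -> float:
    """Multiset Jaccard over call n-grams: a cheap check of local call order."""
    ga = Counter(tuple(a[i:i + n]) for i in range(len(a) - n + 1))
    gb = Counter(tuple(b[i:i + n]) for i in range(len(b) - n + 1))
    union = sum((ga | gb).values())
    return sum((ga & gb).values()) / union if union else 1.0


def classify(sample: Sequence[str], known: List[List[str]],
             threshold: float = 0.7) -> Dict[str, object]:
    """Flag the sample if its best LCS similarity to any known trace reaches
    the (assumed) threshold; returns the score so analysts can tune it."""
    best = max(lcs_similarity(sample, k) for k in known)
    return {"score": round(best, 3), "malicious": best >= threshold}
```

The LCS ratio rewards shared behaviour in the same order even when extra calls are interleaved, while the bigram score drops sharply as soon as adjacent pairs differ, so the two are useful together when tuning a threshold against a corpus of traces.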
Keywords: Malware detection, API invocation sequence, Dynamic analysis, Similarity calculation method
This research was supported by Next-Generation Information Computing Development Program through the National Research Foundation of Korea (NRF) funded by the Ministry of Science, ICT & Future Planning (2011-0029923)
Open Access This chapter is licensed under the terms of the Creative Commons Attribution-NonCommercial 2.5 International License (http://creativecommons.org/licenses/by-nc/2.5/), which permits any noncommercial use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license and indicate if changes were made.
The images or other third party material in this chapter are included in the chapter's Creative Commons license, unless indicated otherwise in a credit line to the material. If material is not included in the chapter's Creative Commons license and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder.