CBM: Free, Automatic Malware Analysis Framework Using API Call Sequences

  • Yong Qiao
  • Yuexiang Yang
  • Jie He
  • Chuan Tang
  • Zhixue Liu
Conference paper
Part of the Advances in Intelligent Systems and Computing book series (AISC, volume 214)


Classic static code analysis for malware is ineffective when challenged by diverse variants. As a result, dynamic analysis based on malware behavior is becoming thriving in malware research. Most current dynamic analysis systems are provided as online services for common users. However, it is inconvenient and ineffective to use online services for the analysis of a big malware dataset. In this paper, we propose a framework named CBM enabling tailored construction of an automated system for malware analysis. In CBM, API call sequences are extracted as malware behavior reports by dynamic behavior analysis tool, and then API calls will be transformed to byte-based sequential data for further analysis by a novel malware behavior representation called BBIS. The peculiar characteristic of CBM is that it can be customized freely, contrary to current online systems, which supports local deployment and runs mass malware analysis automatically. Experiments were carried out on a large-scale malware dataset, which have demonstrated that CBM is more efficient in reducing storage size and computation cost while keeping a high precision for malware clustering.


Automatic malware analysis Open-source API-call sequences Clustering API-Hook  



This work was supported by NSFC under grants No. 61170286 and No.61202486.


  1. 1.
    Willems C, Holz T, Freiling F (2007) Toward automated dynamic malware analysis using cwsandbox. IEEE Security and Privacy, IEEE Computer Society, pp 32–39 Google Scholar
  2. 2.
    Bayer U, Moser A, Kruegel C, Kirda E (2006) Dynamic analysis of malicious code. J Comp Virol, Springer, 2(1): 67–77Google Scholar
  3. 3.
    Rieck K, Trinius P, Willems C, Holz T (2011) Automatic analysis of malware behavior using machine learning. J Comp Virol, IOS Press, 19(4): 639–668 Google Scholar
  4. 4.
    Lo RW, Levitt KN, Olsson RA (1995) MCF: A malicious code filter. Computers and Security, Elsevier, 14(6): 541–566Google Scholar
  5. 5.
    Christodorescu M, Jha S (2006) Static analysis of executables to detect malicious patterns. DTIC DocumentGoogle Scholar
  6. 6.
    Preda MD, Christodorescu M, Jha S, Debray S (2007) A semantics-based approach to malware detection. ACM SIGPLAN Notices, ACM, vol 24. pp 377–388Google Scholar
  7. 7.
    Popov IV, Debray SK, Andrews GR (2007) Binary obfuscation using signals. Proceedings of 16th USENIX Security Symposium on USENIX Security Symposium, USENIX Association, pp 19 Google Scholar
  8. 8.
    Ferrie P (2009) Anti-unpacker tricks 2 part seven. JuneGoogle Scholar
  9. 9.
    Martignoni L, Christodorescu M, Jha S (2007) Omniunpack: Fast, generic, and safe unpacking of malware. Computer Security Application Conference, 2007. ACSAC 2007. Twenty-Third Annual, IEEE, pp 431–441Google Scholar
  10. 10.
    Sharif M, Lanzi A, Giffin J, Lee W (2009) Automatic reverse engineering of malwar emulators. Security and Privacy, 2009 30th IEE Symposium on, IEEE, pp 94–109Google Scholar
  11. 11.
    Song, D, Brumley D, Yin H, Caballero J, Jager I, Kang M, Liang Z, Newsome J, Poosankam P, Saxena P (2008) BitBlaze: A new approach to compute security via binary analysis. Information Systems Security, Springer, pp 1–25Google Scholar
  12. 12.
    Trinius P, Willems C, Holz T, Rieck K (2009) A malware instruction set for behavior-based analysis. Technical Report TR-2009-005, University of Mannheim Google Scholar
  13. 13.
    Alazab M, Venkataraman S, Watters P (2010) Towards understanding malware behaviour by the extraction of API calls. Second cybercrime and trustworthy computing workshop, pp 52–59Google Scholar
  14. 14.
    Dong X, Zhao Y, Yu X (2012) A Bot Detection Method Based on Analysis of API Invocation. Recent Advances in Computer Science and Information Engineering, Springer, pp 603–608Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2014

Authors and Affiliations

  • Yong Qiao
    • 1
  • Yuexiang Yang
    • 1
  • Jie He
    • 1
  • Chuan Tang
    • 1
  • Zhixue Liu
    • 2
  1. 1.National University of Defense TechnologyChangshaChina
  2. 2.China Navy Equipment AcademyBeijingChina

Personalised recommendations