A Survey on the Detection of Windows Desktops Malware

  • Sanjay K. Sahay
  • Ashu Sharma
Conference paper
Part of the Advances in Intelligent Systems and Computing book series (AISC, volume 904)


An important feature of malware is that it can self-replicate. It is not known who created the first self-replicating program in the world, but it is clear that the first malware/virus (Creeper) was created by the Bible Broadcasting Network engineer Robert (Bob) H. Thomas, probably around 1970, and since then malware has evolved continuously to evade the known detection techniques, from the early signature-based methods to today's machine learning methods. The complexity of malware keeps growing through sophisticated obfuscation techniques, used not only to attack individual computing devices but also for military espionage, to disrupt industries, for ransomware, etc. Researchers are therefore motivated to find an effective anti-malware that detects known as well as new or previously unseen malware, and from time to time a number of static and dynamic methods have been proposed to defend against the attacks/threats posed by advanced malware. In order to understand the various techniques proposed/used for the detection of new or previously unseen Windows desktop malware, in this paper we present the survey we conducted of the work done by researchers in this field.


Keywords: Security · Windows OS · Malware · Metamorphic · Signature matching · Machine learning



Copyright information

© Springer Nature Singapore Pte Ltd. 2019

Authors and Affiliations

  1. Department of CS & IS, BITS Pilani, Sancoale, India
  2. C3i, CSE, IIT Kanpur, Kanpur, India
