
A Graph-Based Model for Discovering Host-Based Hook Attacks

  • Conference paper
  • In: Smart Technologies in Data Science and Communication
  • Part of the book series: Lecture Notes in Networks and Systems (LNNS, volume 558)

Abstract

Although malicious software goes by many names, such as virus, worm, Trojan, spam and botnet, its ultimate goal is to damage the end computer or end user. Advances in computer technology allow a malware writer to integrate obfuscation techniques that evade detection, specifically API hooking in Windows. Unfortunately, signature-based detection approaches such as anti-virus software on the end computer are not effective against system call reordering. To overcome this shortcoming, many different behavior-based approaches have been proposed. However, these approaches have limitations, such as false positives, detecting zero-day attacks, and improving the detection accuracy rate from past experience. In this article, an application programming interface (API)-based call graph model is put forward that captures API system calls during malicious rootkit execution on the Windows platform. Because a graph model can effectively represent complicated relations between entities, we use it to visualize malicious rootkit behavior by monitoring system API calls. This helps the defender optimally distinguish malicious system calls from benign ones. Our simulated experimental analysis proves that our method achieves a higher detection rate and accuracy with fewer false positives compared to existing techniques.
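The abstract describes building a call graph from monitored API calls and using that graph to separate malicious from benign activity. The Python script below is an added illustration of that general idea, not the paper's model or code: it builds a directed API call graph from traces (an edge a -> b whenever API b directly follows API a within the same process), learns a baseline graph from benign traces, and flags transitions in a suspect trace that never occur in the baseline. The traces, process names, API sequences and the novelty threshold are constructed assumptions for the example.

```python
from collections import defaultdict

# Constructed sample traces for illustration (not data from the paper).
# Each event is (process_name, api_name), in the order it was observed.
BENIGN_TRACES = [
    [("notepad", "CreateFileW"), ("notepad", "ReadFile"), ("notepad", "CloseHandle")],
    [("explorer", "FindFirstFileW"), ("explorer", "FindNextFileW"), ("explorer", "FindClose")],
    [("notepad", "CreateFileW"), ("notepad", "WriteFile"), ("notepad", "CloseHandle")],
]

# Constructed suspect trace: the first three calls form a transition sequence
# that the benign baseline never produced, followed by an ordinary listing.
SUSPECT_TRACE = [
    ("svchost", "OpenProcess"),
    ("svchost", "VirtualProtectEx"),
    ("svchost", "WriteProcessMemory"),
    ("svchost", "FindFirstFileW"),
    ("svchost", "FindNextFileW"),
    ("svchost", "FindClose"),
]

# Assumed cut-off: flag a trace when more than half of its transitions are unseen.
NOVELTY_THRESHOLD = 0.5


def build_call_graph(trace):
    """Build a directed API call graph from one trace.

    Nodes are API names; an edge a -> b is added whenever API b directly
    follows API a within the same process, so interleaved processes do not
    create spurious edges between each other.
    """
    graph = defaultdict(set)
    last_call = {}  # process -> most recent API observed for that process
    for process, api in trace:
        prev = last_call.get(process)
        if prev is not None:
            graph[prev].add(api)
        last_call[process] = api
    return dict(graph)


def edges(graph):
    """Flatten a graph into a set of (caller, callee) edge pairs."""
    return {(a, b) for a, successors in graph.items() for b in successors}


def build_baseline(traces):
    """Union of the call graphs of all benign traces: the 'known good' transitions."""
    baseline = set()
    for trace in traces:
        baseline |= edges(build_call_graph(trace))
    return baseline


def score_trace(trace, baseline):
    """Compare a trace's call graph with the benign baseline.

    Returns (novel_edges, novelty_ratio): the transitions absent from every
    benign graph, and their share of the trace's transitions (0.0 if empty).
    """
    trace_edges = edges(build_call_graph(trace))
    novel = trace_edges - baseline
    ratio = len(novel) / len(trace_edges) if trace_edges else 0.0
    return sorted(novel), ratio


def is_suspicious(trace, baseline, threshold=NOVELTY_THRESHOLD):
    """Flag a trace whose novelty ratio exceeds the assumed threshold."""
    _, ratio = score_trace(trace, baseline)
    return ratio > threshold


if __name__ == "__main__":
    baseline = build_baseline(BENIGN_TRACES)
    novel, ratio = score_trace(SUSPECT_TRACE, baseline)
    print(f"baseline transitions: {len(baseline)}")
    print(f"novel transitions in suspect trace ({ratio:.0%}):")
    for a, b in novel:
        print(f"  {a} -> {b}")
    print("suspicious" if is_suspicious(SUSPECT_TRACE, baseline) else "benign")
```

The per-process bookkeeping in `build_call_graph` matters for a monitor that sees all processes in one stream: without it, a benign call from one process followed by an unrelated call from another would appear as an edge and inflate the novelty score. A real deployment would build the baseline from many more benign runs and tune the threshold on held-out traces, since a too-small baseline turns every unusual but legitimate sequence into a false positive, the limitation the abstract names.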


Corresponding author

Correspondence to P. Pandiaraja.


Copyright information

© 2023 The Author(s), under exclusive license to Springer Nature Singapore Pte Ltd.

About this paper


Cite this paper

Pandiaraja, P., Muthumanickam, K., Palani Kumar, R. (2023). A Graph-Based Model for Discovering Host-Based Hook Attacks. In: Ogudo, K.A., Saha, S.K., Bhattacharyya, D. (eds) Smart Technologies in Data Science and Communication. Lecture Notes in Networks and Systems, vol 558. Springer, Singapore. https://doi.org/10.1007/978-981-19-6880-8_1
