Prachi Ahlawat,Namita Dabas,Prabha Sharma

DOI: https://doi.org/10.2139/ssrn.4295237

2022-01-01

SSRN Electronic Journal

Abstract:Malware is a serious cyber security threat that is extremely difficult to combat. Over the past few years, the frequency of malware attacks has increased manifold and is expected to grow further in the coming years. Many studies suggest API call sequences generated by a process can serve as an effective tool for malware detection. However, most of the existing works based on API call sequences suffer from high dimensional feature sets. This paper proposes a novel API call sequences based malware detection model, MalAnalyser, to address these issues. To reduce the computational overhead involved with the extensive original call sequences, MalAnalyser extracts frequent API call subsequences (patterns) as features for differentiating malware from benign processes, as they encompass the most representative and valuable behavioural information of a process. The model then uses Global Local Best Particle Swarm Optimization (GLBPSO) for identifying the discriminatory features with an objective of reducing computational overhead of the malware detection algorithm without jeopardizing the detection accuracy. Extensive experimentation performed on benign and malware samples exhibit that the proposed model delivers better performance in comparison to the current state-of-the-art models. Experiments conducted on the complete feature set as well as a set of randomly selected 60% features as input, exhibit a detection accuracy of up to 99.71% on both the sets with up to 50.52% and 74.46% reduction in size of feature set respectively. Another major contribution of this work is detection of rare or unseen malware behavior by generating new malware patterns from the existing patterns using Genetic Algorithm. MalAnalyser reported a significant performance gain with this enriched feature set and attained up to 100% accuracy with up to 70% reduced feature set. Further, effectiveness of MalAnalyser is evaluated for detecting a specific type of malware i.e. ransomware.

Bo Zhou,Hai Huang,Jun Xia,Donghai Tian

DOI: https://doi.org/10.1007/s11227-023-05556-x

IF: 3.3

2023-08-21

The Journal of Supercomputing

Abstract:Malware is becoming increasingly prevalent in recent years with the widespread deployment of the information system. Many malicious programs pose a great threat to information systems. In the past decade, various malware detection methods are proposed. Particularly, many studies rely on API features for identifying malware. However, the existing methods do not fully make use of the API features. To address these issues, we propose APInspector, a novel dynamic malware detection solution by carefully inspecting API invocations. This method first leverages a dynamic instrumentation tool to hook the target program for collecting the API sequence and argument features. Then, it exploits a HAN (Hierarchical Attention Network) model to analyze the API sequence features. For analyzing the API argument features, we apply an MLP (Multi-Layer Perceptron) model. To fully leverage the API sequence and argument features, we propose a hybrid model, which combines the HAN and MLP models. The evaluation shows that our approach can detect and classify malware effectively and it outperforms the single models.

computer science, theory & methods,engineering, electrical & electronic, hardware & architecture

Dima Rabadi,Sin G. Teo

DOI: https://doi.org/10.1145/3427228.3427242

2020-12-07

Abstract:Application Programming Interfaces (APIs) are still considered the standard accessible data source and core wok of the most widely adopted malware detection and classification techniques. API-based malware detectors highly rely on measuring API’s statistical features, such as calculating the frequency counter of calling specific API calls or finding their malicious sequence pattern (i.e., signature-based detectors). Using simple hooking tools, malware authors would help in failing such detectors by interrupting the sequence and shuffling the API calls or deleting/inserting irrelevant calls (i.e., changing the frequency counter). Moreover, relying on API calls (e.g., function names) alone without taking into account their function parameters is insufficient to understand the purpose of the program. For example, the same API call (e.g., writing on a file) would act in two ways if two different arguments are passed (e.g., writing on a system versus user file). However, because of the heterogeneous nature of API arguments, most of the available API-based malicious behavior detectors would consider only the API calls without taking into account their argument information (e.g., function parameters). Alternatively, other detectors try considering the API arguments in their techniques, but they acquire having proficient knowledge about the API arguments or powerful processors to extract them. Such requirements demand a prohibitive cost and complex operations to deal with the arguments. To overcome the above limitations, with the help of machine learning and without any expert knowledge of the arguments, we propose a light-weight API-based dynamic feature extraction technique, and we use it to implement a malware detection and type classification approach. To evaluate our approach, we use reasonable datasets of 7774 benign and 7105 malicious samples belonging to ten distinct malware types. Experimental results show that our type classification module could achieve an accuracy of , where our malware detection module could reach an accuracy of over , and outperforms many state-of-the-art API-based malware detectors.

Pei Yan,Shunquan Tan,Miaohui Wang,Jiwu Huang

DOI: https://doi.org/10.1109/lsp.2024.3475354

2024-10-19

IEEE Signal Processing Letters

Abstract:Malware detection is an effective way to prevent the intrusion of malware into computer systems, and the API-based dynamic analysis method can effectively detect obfuscated and packaged malware. However, existing methods still suffer from limited detection accuracy and weak generalization. To address this issue, this paper presents a gradient attack-based malware dynamic analysis method. Through exerting adversarial noise into the embedding layer, the malware detection model can learn more robust representations of API sequences during training, achieving broader coverage of sample representations. The strategy of normalizing attack noise and recovering attacked representation is designed, which controls the strength of the gradient attack within a reasonable range and prevents a negative impact on the model's detection performance. The proposed method can be applied to existing API-based malware detection models to enhance their detection performance, indicating the strong generality of the proposed method. Experimental results on two benchmark datasets (i.e., Aliyun and Catak) demonstrate the effectiveness of the proposed gradient attack method, which further improves the detection performance of the mainstream API-based models, with an average accuracy increase of 2.80% and 3.66% on these two datasets, respectively.

engineering, electrical & electronic

Feng-ping RONG,Yong FANG,Zheng ZUO,Liang LIU

DOI: https://doi.org/10.11896/j.issn.1002-137X.2018.05.022

2018-01-01

Abstract:Researchers give preference to dynamic analysis based malware detection methods with capability of nullifying the effects of polymorphism and obfuscation on malware and detecting new and unseen malwares.In this case,malware authors embed numerous anti-detection functions in to malware to evade the detection of existing dynamic malware detection methods.To solve this problem,a malware detection method MACSPMD based on malicious API call sequential pattern mining was proposed.Firstly,dynamic API call sequences of the files are gotten by real machine which simulates the actual running environment of the malware.Secondly,the malicious API call sequence patterns that can represent the potential malicious behavior patterns are mined by introducing the concept of objective-oriented association mining.Finally,the malicious API call sequences are used as abnormal behavior feature to detect malware.The experimental results based on real data set show that MACSPMD achieves 94.55％ and 97.73％ of detection accuracy on unknown and evasive malware respectively.Compared with other malware detection methods based on API call data,the detection accuracy of unknown and evasive malware is improved by 2.47％ and 2.66％ respectively,and the time consumed in the mining process is less.MACSPMD can effectively detect known and unknown malware,including escape type.

Youngjoon Ki,Eunjin Kim,Huy Kang Kim

DOI: https://doi.org/10.1155/2015/659101

IF: 1.938

2015-06-01

International Journal of Distributed Sensor Networks

Abstract:In the era of ubiquitous sensors and smart devices, detecting malware is becoming an endless battle between ever-evolving malware and antivirus programs that need to process ever-increasing security related data. For malware detection, various approaches have been proposed. Among them, dynamic analysis is known to be effective in terms of providing behavioral information. As malware authors increasingly use obfuscation techniques, it becomes more important to monitor how malware behaves for its detection. In this paper, we propose a novel approach for dynamic analysis of malware. We adopt DNA sequence alignment algorithms and extract common API call sequence patterns of malicious function from malware in different categories. We find that certain malicious functions are commonly included in malware even in different categories. From checking the existence of certain functions or API call sequence patterns matched, we can even detect new unknown malware. The result of our experiment shows high enough F-measure and accuracy. API call sequence can be extracted from most of the modern devices; therefore, we believe that our method can detect the malware for all types of the ubiquitous devices.

computer science, information systems,telecommunications

Xingyuan Wei,Ce Li,Qiujian Lv,Ning Li,Degang Sun,Yan Wang

2024-08-03

Abstract:In dynamic Windows malware detection, deep learning models are extensively deployed to analyze API sequences. Methods based on API sequences play a crucial role in malware prevention. However, due to the continuous updates of APIs and the changes in API sequence calls leading to the constant evolution of malware variants, the detection capability of API sequence-based malware detection models significantly diminishes over time. We observe that the API sequences of malware samples before and after evolution usually have similar malicious semantics. Specifically, compared to the original samples, evolved malware samples often use the API sequences of the pre-evolution samples to achieve similar malicious behaviors. For instance, they access similar sensitive system resources and extend new malicious functions based on the original functionalities. In this paper, we propose a frame(MME), a framework that can enhance existing API sequence-based malware detectors and mitigate the adverse effects of malware evolution. To help detection models capture the similar semantics of these post-evolution API sequences, our framework represents API sequences using API knowledge graphs and system resource encodings and applies contrastive learning to enhance the model's encoder. Results indicate that, compared to Regular Text-CNN, our framework can significantly reduce the false positive rate by 13.10% and improve the F1-Score by 8.47% on five years of data, achieving the best experimental results. Additionally, evaluations show that our framework can save on the human costs required for model maintenance. We only need 1% of the budget per month to reduce the false positive rate by 11.16% and improve the F1-Score by 6.44%.

Cryptography and Security

Shaojie Yang,Shanxi Li,Wenbo Chen,Yuhong Liu

DOI: https://doi.org/10.1109/access.2020.3038453

IF: 3.9

2020-01-01

IEEE Access

Abstract:The detection of malware have developed for many years, and the appearance of new machine learning and deep learning techniques have improved the effect of detectors. However, most of current researches have focused on the general features of malware and ignored the development of the malware themselves, so that the features could be useless with the time passed as well as the advance of malware techniques. Besides, the detection methods based on machine learning are mainly static detection and analysis, while the study of real-time detection of malware is relatively rare. In this article, we proposed a new model that could detect malware real-time in principle and learn new features adaptively. Firstly, a new data structure of API-Pair was adopted, and the constructed data was trained with Maximum Entropy model, which could satisfy the goal of weighting and adaptive learning. Then a clustering was practised to filter relatively unrelated and confusing features. Moreover, a detector based on Lont Short Term Memory Network (LSTM) was devised to achieve the goal of real-time detection. Finally, a series of experiments were designed to verify our method. The experimental results showed that our model could obtain the highest accuracy of 99.07% in general tests and keep the accuracies above 97% with the development of malware; the results also proved the feasibility of our model in real-time detection through the simulation experiment, and robustness against a typical adversarial attack.

LUO Wenshuang,CAO Tianjie

DOI: https://doi.org/10.11772/j.issn.1001-9081.2017071835

2018-01-01

Abstract:Considering rapid growth of Android malware and poor capability of detecting malware,a static detection method based on non-user operation sequences was proposed.Firstly,the Application Programming Interface (API) call information of malware was extracted by reverse engineering analysis.Secondly,the malware's function-call graph was established by using breadth-first traversal algorithm;then,non-user operation sequence was extracted from the function-call graph to form malicious behavior database.Finally,the similarity of the detected sample and non-user operation sequence in the malicious behavior database was calculated by using the edit distance algorithm for malware identification.In the detection of 360 malicious samples and 300 normal samples,the proposed method could reach the recall rate of 90.8％ and the accuracy rate of 90.3％.Compared with the Android malware detection system Androguard,the recall rate of the proposed method increased by 30 percentage points in the detection of malicious samples;and compared with the FlowDroid method,the precision rate increased by 11 percentage points in the detection of normal sample and the recall rate increased by 4.4 percentage points in the detection of malicious samples.The experimental results show that the proposed method improves the recall rate of malware detection and promotes the detection effect of malware.

Zongqu Zhao,Junfeng Wang,Jinrong Bai

DOI: https://doi.org/10.1049/iet-ifs.2012.0289

2014-01-01

IET Information Security

Abstract:The existing anti-virus methods extract signatures of software by manual analysis. It is inefficient when they deal with a large number of malware. Meanwhile, the limitation of unknown malware detection often is found in them too. By the research on software structure, it has been found that the control flow of software can be divided into many basic blocks by the interior cross-references, and a feature-selection approach based on this phenomenon is proposed. It can extract opcode sequences from the disassembled program, and translate them into features by vector space model. The algorithms of data mining are employed to find the classify rules from the software features, and then the rules can be applied to the malware detection. Experimental results illustrate that the proposed method can achieve the 97.0% malware detection accuracy and 3.2% false positive rate with the Random Forest classifier. Furthermore, as high as 94.5% overall accuracy can be achieved when only 5% experimental data are used as training data.

Ye Yao,Yian Zhu,Yao Jia,Xianchen Shi,Lixiang Zhang,Dong Zhong,Junhua Duan

DOI: https://doi.org/10.3390/math12010020

IF: 2.4

2023-12-22

Mathematics

Abstract:With the development of the Internet, the types and quantities of malware have grown rapidly, and how to identify unknown malware is becoming a new challenge. The traditional malware detection method based on fixed features is becoming more and more difficult. In order to improve detection accuracy and efficiency for mobile terminals, this paper proposed a malware detection method for mobile terminals based on application programming interface (API) call sequence, which was characterized by the API call sequence and used a series of feature preprocessing techniques to remove redundant processing of the API call sequence. Finally, the recurrent neural network method (RNN) was used to build the model and perform detection and verification. Furthermore, this paper constructed a malware detection model based on a two-way recurrent neural network and used the two-way long short-term memory network model (LSTM) to train the data set containing 5986 malware samples and 5065 benign software samples to obtain the final detection model and its parameters. Finally, the feature vector of the APK file to be detected was passed into the model and obtained the detection results. The experimental results indicated that the detection accuracy of this method can reach 93.68%.

mathematics

Shanxi Li,Qingguo Zhou,Wei

DOI: https://doi.org/10.3837/tiis.2021.09.010

2021-01-01

KSII Transactions on Internet and Information Systems

Abstract:Malware is a severe threat to the computing system and there's a long history of the battle between malware detection and anti-detection. Most traditional detection methods are based on static analysis with signature matching and dynamic analysis methods that are focused on sensitive behaviors. However, the usual detections have only limited effect when meeting the development of malware, so that the manual update for feature sets is essential. Besides, most of these methods match target samples with the usual feature database, which ignored the characteristics of the sample itself. In this paper, we propose a new malware detection method that could combine the features of a single sample and the general features of malware. Firstly, a structure of Directed Cyclic Graph (DCG) is adopted to extract features from samples. Then the sensitivity of each API call is computed with Markov Chain. Afterward, the graph is merged with the chain to get the final features. Finally, the detectors based on machine learning or deep learning are devised for identification. To evaluate the effect and robustness of our approach, several experiments were adopted. The results showed that the proposed method had a good performance in most tests, and the approach also had stability with the development and growth of malware.

Xiaoqian Yun,Hongmei Zhang,Xiaoxiong Zhong,Xiaofang Deng

DOI: https://doi.org/10.1109/ICCT56141.2022.10073202

2022-11-11

Abstract:Due to the constant updates of malware and its variants and the continuous development of malware obfuscation techniques. Malware intrusions targeting Windows hosts are also on the rise. Traditional static analysis methods such as signature matching mechanisms have been difficult to adapt to the detection of new malware. Therefore, a novel visual detection method of malware is proposed for first-time to convert the Windows API call sequence with sequential nature into feature images based on the Gramian Angular Field (GAF) idea, and train a neural network to identify malware. The experimental results demonstrate the effectiveness of our proposed method. For the binary classification of malware, the GAF visualization image of the API call sequence is compared with its original sequence. After GAF visualization, the classification accuracy of the classic machine learning model MLP is improved by 9.64%, and the classification accuracy of the deep learning model CNN is improved by 4.82%. Furthermore, our experiments show that the proposed method is also feasible and effective for the multi-class classification of malware.

Computer Science

Bo FENG,Hang DAI,De-jun MU

DOI: https://doi.org/10.3969/j.issn.1673-629X.2014.02.036

2014-01-01

Abstract:In view of the flood situation for Android malware,propose a method of behavior-based dynamic malware detection. First,get a comprehensive collection of software run-time information,including system information and kernel calls. The kernel call sequences are truncated to fixed length. Second,form all the information as property and values. Taking information gain as an indicator,select proper-ties that have high information gain and different impact by applying the C4. 5 algorithm,and proportionally assign weighting factor to properties based on the size of the information gain. Finally,apply K-Nearest Neighbor algorithm to complete the process of machine learning,making the system identify malicious software that similar to the sample,and regard unknown types of software as suspected malware. The result of experiment shows that the method has a high true positive rate and low false positive rate. Moreover,the result can be further improved with the increase of the learning sample library.

Li Shanxi,Zhou Qingguo,Zhou Rui,Lv Qingquan

DOI: https://doi.org/10.1007/s11227-021-04020-y

IF: 3.3

2021-01-01

The Journal of Supercomputing

Abstract:Malware has seriously threatened the safety of computer systems for a long time. Due to the rapid development of anti-detection technology, traditional detection methods based on static analysis and dynamic analysis have limited effects. With its better predictive performance, AI-based malware detection has been increasingly used to deal with malware in recent years. However, due to the diversity of malware, it is difficult to extract feature from malware, which make malware detection not conductive to the application of AI technology. To solve the problem, a malware classifier based on graph convolutional network is designed to adapt to the difference of malware characteristics. The specific method is to firstly extract the API call sequence from the malware code and generate a directed cycle graph, then use the Markov chain and principal component analysis method to extract the feature map of the graph, and design a classifier based on graph convolutional network, and finally analyze and compare the performance of the method. The results show that the method has better performance in most detection, and the highest accuracy is 98.32 % , compared with existing methods, our model is superior to other methods in terms of FPR and accuracy. It is also stable to deal with the development and growth of malware.

FuYong Zhang,Deyu Qi,JingLin Hu

DOI: https://doi.org/10.3969/j.issn.1000-565X.2011.04.003

2011-01-01

Abstract:As the malware detection method based on API can only detect the malware running in user mode and is noneffective for the malware running in kernel mode and calling kernel APIs,a novel detection method of unknown malware is proposed based on IRP(I/O Request Packet).Then,the Nave Bayes,the Bayesian networks,the support vector machine,the C4.5 decision tree,the Boosting,the negative selection algorithm and an improved artificial immune system are used to classify IRP sequences for malware detection,and the detection rates of all the above-mentioned methods with different feature selection algorithms are compared.The results demonstrate that(1) the proposed method is effective in malware detection;(2) the Boosting decision tree with Fisher score feature selection algorithm outperforms other detection methods,with the highest detection rate of 98.3%;(3) the improved artificial immune system,which detects malware by selected IRP subsequences only existing in malware's IRP sequences,performs well,with a detection rate of 95.0% and a false detection rate of 0.

Jiayin Feng,Limin Shen,Zhen Chen,Yu Lei,Hui Li

DOI: https://doi.org/10.1016/j.aej.2024.11.068

IF: 6.626

2025-01-01

Alexandria Engineering Journal

Abstract:The malicious infestations of Android malware caused huge economic losses to users over the past few years. Machine learning-based malware detection enhances the accuracy and partially mitigates these security threats. However, when the static or dynamic features cannot effectively represent software behavior, the accuracy of the model will be reduced. For this issue, a multi-features hybrid malware detection and category classification method HGDetector is proposed, this approach provides a more comprehensive representation of software behavior. HGDetector first extracts the software static function call graph and constructs the network behavior function call graph, then applies the dynamic network traffic features of the software to build the node interaction graph and edge-node graph; Subsequently, these features were fused and converted into a vector representation employing graph embedding method; Finally, combined with the proposed HGDetector, different classifiers were used to test the accuracy of malware detection and category classification. The experimental results demonstrate that the fusion of hybrid features can enhance malware detection accuracy by approximately 4 % when network traffic features effectively capture APP's behavior. Conversely, in cases where network traffic features alone are insufficient to represent software's network behavior, the application of hybrid features can improve malware detection accuracy by 21 %-26 %.

Ce Li,Qiujian Lv,Ning Li,Yan Wang,Degang Sun,Yuanyuan Qiao

DOI: https://doi.org/10.1016/j.cose.2022.102686

2022-05-01

Abstract:Dynamic malware detection executes the software in a secured virtual environment and monitors its run-time behavior. This technique widely uses API sequence analysis to identify whether the running software is malicious or not. However, existing solutions typically only consider the API name or frequency of API usage, and the feature mining of API sequence is not sufficient, which leads some malware to escape from being detected. In this paper, we propose a novel malware detection framework using deep learning models to capture and combine more meaningful features which are called intrinsic features of the API sequence. Specifically, we first apply embedding and convolutional layers to conduct a joint representation of multiple APIs to represent the software behavior. Secondly, we use the category, action, and operation object of the API to represent the semantic information of each API call. Finally, we use the Bi-LSTM module to mine the relationship information between APIs. Our proposed model achieves an accuracy of 0.9731 and an F1-score of 0.9724 on a large real dataset, which outperforms baselines significantly. We also conduct ablation studies to prove the effectiveness of our intrinsic features.

computer science, information systems

Eslam Amer,Ivan Zelinka

DOI: https://doi.org/10.1016/j.cose.2020.101760

2020-05-01

Abstract:Malware API call graph derived from API call sequences is considered as a representative technique to understand the malware behavioral characteristics. However, it is troublesome in practice to build a behavioral graph for each malware. To resolve this issue, we examine how to generate a simple behavioral graph that characterizes malware. In this paper, we introduce the use of word embedding to understand the contextual relationship that exists between API functions in malware call sequences. We also propose a method that segregating individual functions that have similar contextual traits into clusters. Our experimental results prove that there is a significant distinction between malware and goodware call sequences. Based on this distinction, we introduce a new method to detect and predict malware based on the Markov chain. Through modeling the behavior of malware and goodware API call sequences, we generate a semantic transition matrix which depicts the actual relation between API functions. Our models return an average detection precision of 0.990, with a false positive rate of 0.010. We also propose a prediction methodology that predicts whether an API call sequence is malicious or not from the initial API calling functions. Our model returns an average accuracy for the prediction of 0.997. Therefore, we propose an approach that can block malicious payloads instead of detecting them after their post-execution and avoid repairing the damage.

computer science, information systems

Sanfeng Zhang,Jiahao Wu,Mengzhe Zhang,Wang Yang

DOI: https://doi.org/10.3390/app13116526

2023-05-26

Applied Sciences

Abstract:The existing dynamic malware detection methods based on API call sequences ignore the semantic information of functions. Simply mapping API to numerical values does not reflect whether a function has performed a query or modification operation, whether it is related to network communication, the file system, or other factors. Additionally, the detection performance is limited when the size of the API call sequence is too large. To address this issue, we propose Mal-ASSF, a novel malware detection model that fuses the semantic and sequence features of the API calls. The API2Vec embedding method is used to obtain the dimensionality reduction representation of the API function. To capture the behavioral features of sequential segments, Balts is used to extract the features. To leverage the implicit semantic information of the API functions, the operation and the type of resource operated by the API functions are extracted. These semantic and sequential features are then fused and processed by the attention-related modules. In comparison with the existing methods, Mal-ASSF boasts superior capabilities in terms of semantic representation and recognition of critical sequences within API call sequences. According to the evaluation with a dataset of malware families, the experimental results show that Mal-ASSF outperforms existing solutions by 3% to 5% in detection accuracy.

materials science, multidisciplinary,engineering,chemistry,physics, applied