Expression of Malware Characteristics using API Sequence

AUTHORS

Jihun Kim, Daegu Gyeongbuk Institute of Science and Technology, 333, Techno jungang-daero, Hyeonpung-eup, Dalseong-gun, Daegu, Republic of Korea
SungWon Lee, Dept. of Computer Engineering, Yeungnam Univ., 280 Daehak-Ro, Gyeongsan, Gyeongbuk, Republic of Korea
JongHee Youn, Dept. of Computer Engineering, Yeungnam Univ., 280 Daehak-Ro, Gyeongsan, Gyeongbuk, Republic of Korea

ABSTRACT

In the present age, the amount of malware is growing very rapidly, and the kinds and behaviors of malware are becoming very diverse. This poses social security threats such as data loss, leakage of personal and financial information, system damage, and the destruction of IT infrastructures. Modified or entirely new types of malicious code, unlike existing ones, are continually being identified, and it is very inefficient for analysts to manually analyze each one from the beginning. To solve these problems, malware analysts have analyzed and studied effective ways to reduce the time and cost of analysis. In this paper, we propose a way to express malware characteristics by using the API Sequence for malware detection and classification. We compare and analyze several existing expression methods and verify the efficiency of the proposed one with actual malicious code samples. Using the expression method proposed in the paper, we detected four malicious behaviors: DLL Injection, Downloader, Key Logger, and Anti-debugging. As a result, more malicious behaviors were detected than with the conventional detection method, and it can be seen that the more complex the malicious behavior, the higher the detection efficiency. In addition, although static analysis was adopted as the main method, the flow of malicious behavior can still be analyzed, because the method searches for execution condensation.


KEYWORDS

Malware analysis, API Sequence, Malware classification

CITATION

  • APA:
    Kim, J., Lee, S. W., & Youn, J. H. (2021). Expression of Malware Characteristics using API Sequence. Journal of Smart Technology Applications, 2(1), 1-8. 10.21742/JSTA.2021.2.1.01
  • Harvard:
    Kim, J., Lee, S. W., Youn, J. H. (2021). "Expression of Malware Characteristics using API Sequence". Journal of Smart Technology Applications, 2(1), pp. 1-8. doi:10.21742/JSTA.2021.2.1.01
  • IEEE:
    [1] J. Kim, S. W. Lee, J. H. Youn, "Expression of Malware Characteristics using API Sequence". Journal of Smart Technology Applications, vol. 2, no. 1, pp. 1-8, Mar. 2021
  • MLA:
    Kim Jihun, Lee SungWon and Youn JongHee. "Expression of Malware Characteristics using API Sequence". Journal of Smart Technology Applications, vol. 2, no. 1, Mar. 2021, pp. 1-8, doi:10.21742/JSTA.2021.2.1.01

ISSUE INFO

  • Volume 2, No. 1, 2021
  • ISSN(e): 2652-9807
  • Published: Mar. 2021