Lightweight and Robust Malware Detection Using Dictionaries of API Calls

Ammar Yahya Daeef; Ali Al-Naji; Javaan Chahl

doi:10.3390/telecom4040034

Telecom (Nov 2023)

Lightweight and Robust Malware Detection Using Dictionaries of API Calls

Ammar Yahya Daeef,
Ali Al-Naji,
Javaan Chahl

Affiliations

Ammar Yahya Daeef: Technical Institute for Administration, Middle Technical University, Baghdad 10074, Iraq
Ali Al-Naji: Electrical Engineering Technical College, Middle Technical University, Baghdad 10022, Iraq
Javaan Chahl: School of Engineering, University of South Australia, Mawson Lakes, SA 5095, Australia

DOI: https://doi.org/10.3390/telecom4040034
Journal volume & issue: Vol. 4, no. 4
pp. 746 – 757

Abstract

Read online

Malware in today’s business world has become a powerful tool used by cyber attackers. It has become more advanced, spreading quickly and causing significant harm. Modern malware is particularly dangerous because it can go undetected, making it difficult to investigate and stop in real time. For businesses, it is vital to ensure that the computer systems are free from malware. To effectively address this problem, the most responsive solution is to operate in real time at the system’s edge. Although machine learning and deep learning have given promising performance for malware detection, the significant challenge is the required processing power and resources for implementation at the system’s edge. Therefore, it is important to prioritize a lightweight approach at the system’s edge. Equally important, the robustness of the model against the concept drift at the system’s edge is crucial to detecting the evolved zero-day malware attacks. Application programming interface (API) calls emerge as the most promising candidate to provide such a solution. However, it is quite challenging to create API call features to achieve a lightweight implementation, high malware detection rate, robustness, and fast execution. This study seeks to investigate and analyze the reuse rate of API calls in both malware and goodware, shedding light on the limitations of API call dictionaries for each class using different datasets. By leveraging these dictionaries, a statistical classifier (STC) is introduced to detect malware samples. Furthermore, the study delves into the investigation of model drift in the STC model, employing entirely distinct datasets for training and testing purposes. The results show the outstanding performance of the STC model in accurately detecting malware, achieving a recall value of one, and exhibiting robustness against model drift. Furthermore, the proposed STC model shows comparable performance to deep learning algorithms, which makes it a strong competitor for performing real-time inference on edge devices.

Published in Telecom

ISSN: 2673-4001 (Online)
Publisher: MDPI AG
Country of publisher: Switzerland
LCC subjects: Technology: Electrical engineering. Electronics. Nuclear engineering: Electronics: Computer engineering. Computer hardware; Science: Mathematics: Instruments and machines: Electronic computers. Computer science
Website: https://www.mdpi.com/journal/telecom

About the journal

Abstract

Keywords