Applied Sciences (Jan 2019)

Cross-Method-Based Analysis and Classification of Malicious Behavior by API Calls Extraction

  • Bruce Ndibanje,
  • Ki Hwan Kim,
  • Young Jin Kang,
  • Hyun Ho Kim,
  • Tae Yong Kim,
  • Hoon Jae Lee

DOI
https://doi.org/10.3390/app9020239
Journal volume & issue
Vol. 9, no. 2
p. 239

Abstract

Data-driven public security networks and computer systems are under constant threat from malicious code (malware); therefore, a large amount of research and development is directed at finding effective countermeasures. These countermeasures are mainly based on dynamic and statistical analysis. Because of the obfuscation techniques used by malware authors, security researchers and the anti-virus industry face a serious problem in extracting the hidden payloads of packed executables. Based on this understanding, we first propose a method to de-obfuscate and unpack the malware samples. In addition, we propose a cross-method-based big data analysis that extracts features from malware both dynamically and statistically. The Application Programming Interface (API) call sequences, which reflect the behavior of the malware code, are used to detect behaviors such as generating network traffic, modifying a file, writing to stderr or stdout, modifying a registry value, and creating a process. Furthermore, we include a similarity analysis and machine learning algorithms to profile and classify malware behaviors. The experimental results show that the detection accuracy of the proposed method is useful for discovering potential threats and can help decision-makers deploy appropriate countermeasures.
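The abstract describes two steps that are easy to misread as one: first, mapping logged API calls onto the behavior classes it names (network traffic, file modification, stdout/stderr writes, registry modification, process creation), and second, comparing the ordered call sequences of samples by similarity in order to classify them. The following Python block is an added illustration of both steps and is not the authors' code from the paper. The API-to-behavior table, the sample traces, and the use of 2-gram cosine similarity with a nearest-neighbor decision are all assumptions made here for the example; the paper's own taxonomy, features and learning algorithm are not reproduced.

```python
"""Behavior profiling and similarity classification of API-call traces.

Constructed example, not the paper's implementation.  Traces are lists of
API names in the order a sandbox would log them.
"""
from collections import Counter
import math

# Assumed mapping from Win32 API names to the behavior classes named in the
# abstract.  This grouping is an illustration, not the authors' taxonomy.
API_BEHAVIOR = {
    "WSAStartup": "network", "socket": "network", "connect": "network",
    "send": "network", "recv": "network", "InternetOpenUrlA": "network",
    "CreateFileW": "file_modify", "WriteFile": "file_modify",
    "DeleteFileW": "file_modify", "MoveFileExW": "file_modify",
    "GetStdHandle": "console_write", "WriteConsoleW": "console_write",
    "RegOpenKeyExW": "registry_modify", "RegCreateKeyExW": "registry_modify",
    "RegSetValueExW": "registry_modify",
    "CreateProcessW": "process_create", "ShellExecuteW": "process_create",
    "WinExec": "process_create",
}


def behavior_profile(trace):
    """Count how many calls in the trace fall into each behavior class.

    Unknown APIs are bucketed as "other" rather than dropped, so a trace
    dominated by unmapped calls is visible as such.
    """
    return dict(Counter(API_BEHAVIOR.get(api, "other") for api in trace))


def ngrams(trace, n=2):
    """Counts of n consecutive API names; the ordering is the behavioral signal
    that a plain frequency profile throws away."""
    return Counter(tuple(trace[i:i + n]) for i in range(len(trace) - n + 1))


def cosine(a, b):
    """Cosine similarity between two sparse count vectors held as dicts."""
    dot = sum(a[k] * b[k] for k in a.keys() & b.keys())
    norm_a = math.sqrt(sum(v * v for v in a.values()))
    norm_b = math.sqrt(sum(v * v for v in b.values()))
    return dot / (norm_a * norm_b) if norm_a and norm_b else 0.0


def classify(trace, labelled, n=2):
    """Nearest-neighbor label by n-gram cosine similarity against labelled
    reference traces.  Returns ("unknown", 0.0) when nothing overlaps, so a
    trace that shares no n-gram with any reference is not silently assigned
    the first label in the list."""
    query = ngrams(trace, n)
    best_label, best_score = "unknown", 0.0
    for label, reference in labelled:
        score = cosine(query, ngrams(reference, n))
        if score > best_score:
            best_label, best_score = label, score
    return best_label, best_score


# Constructed sample traces (not real sandbox output).
TRACES = {
    "dropper_a": ["CreateFileW", "WriteFile", "RegOpenKeyExW",
                  "RegSetValueExW", "CreateProcessW"],
    "dropper_b": ["CreateFileW", "WriteFile", "RegCreateKeyExW",
                  "RegSetValueExW", "ShellExecuteW"],
    "beacon": ["WSAStartup", "socket", "connect", "send", "recv",
               "send", "recv"],
    "benign": ["GetStdHandle", "WriteConsoleW", "WriteConsoleW"],
}

# Labelled references; dropper_b is deliberately left out so it acts as an
# unseen sample that must be matched by similarity to dropper_a.
LABELLED = [
    ("dropper", TRACES["dropper_a"]),
    ("c2_beacon", TRACES["beacon"]),
    ("benign", TRACES["benign"]),
]

if __name__ == "__main__":
    for name, trace in TRACES.items():
        print(name, behavior_profile(trace), classify(trace, LABELLED))
```

Two points worth noting when reading the output: dropper_b shares only one of its four 2-grams with dropper_a (the CreateFileW, WriteFile pair) because it uses different registry and process APIs for the same behavior, so the sequence similarity is low (0.25) even though the behavior profiles are nearly identical; in practice one would compute similarity over the behavior-class sequence rather than over raw API names, or combine both. And a trace of a single API with no 2-grams yields no overlap at all and is reported as unknown rather than forced into a class.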

Keywords