
MALDC: a depth detection method for malware based on behavior chains

Journal: World Wide Web

Abstract

Malicious behavior detection is a key topic and a long-standing focus in the field of intrusion detection. Current intrusion detection systems are primarily based on single-point monitoring and detection and cannot detect attack modes whose attack frequency is hidden. The idea presented in this paper is to incorporate the API call sequences of software into the analysis and to construct behavior chains that express the behavior patterns of the software. This paper introduces related definitions of behavior points and behaviors and proposes a depth detection method for malware based on behavior chains (MALDC). The method monitors behavior points based on API calls and then uses the calling sequence of those behavior points at runtime to construct a behavior chain. Finally, we use a depth detection method based on long short-term memory (LSTM) to detect malicious behavior from the behavior chains. To verify the performance of the proposed model, we conducted a large experiment on 54,324 malware and 53,361 benign samples collected from Windows systems and used those samples to train and test the model. Comparative verification using various classifiers showed that the behavior points extracted by the above method and the behavior chains constructed from them can be used to recognize malicious behavior at a high recognition rate. The method achieved an accuracy of 98.64% with a false positive rate of less than 2% in the best case, which is a satisfactory recognition rate for detecting malicious software behavior.



Acknowledgments

We are grateful to the volunteers for capturing the data. This research is supported by the National Key Research and Development Program of China (No. 2017YFB1401300, 2017YFB1401304), the National Natural Science Foundation of China (No. 61702211, No. L1724007), the Hubei Provincial Science and Technology Program of China (No. 2017AKA191), the Self-Determined Research Funds of CCNU from the Colleges' Basic Research (Nos. CCNU17QN0004 and CCNU17GF0002), and the Natural Science Foundation of Shandong Province (ZR2017QF015).

Corresponding authors

Correspondence to Zhihan Lv or Arun Kumar Sangaiah.

Additional information

This article belongs to the Topical Collection: Special Issue on Security and Privacy in Network Computing

Guest Editors: Xiaohong Jiang, Yongzhi Wang, Tarik Taleb, and Hua Wang


Cite this article

Zhang, H., Zhang, W., Lv, Z. et al. MALDC: a depth detection method for malware based on behavior chains. World Wide Web 23, 991–1010 (2020). https://doi.org/10.1007/s11280-019-00675-z
