Skip to main content
Springer Nature Link
Log in

Behavior-based features model for malware detection

  • Original Paper
  • Published:
Journal of Computer Virology and Hacking Techniques Aims and scope Submit manuscript

Abstract

The sharing of malicious code libraries and techniques over the Internet has vastly increased the release of new malware variants in an unprecedented rate. Malware variants share similar behaviors yet they have different syntactic structure due to the incorporation of many obfuscation and code change techniques such as polymorphism and metamorphism. The different structure of malware variants poses a serious problem to signature-based detection technique, yet their similar exhibited behaviors and actions can be a remarkable feature to detect them by behavior-based techniques. Malware instances also largely depend on API calls provided by the operating system to achieve their malicious tasks. Therefore, behavior-based detection techniques that utilize API calls are promising for the detection of malware variants. In this paper, we propose a behavior-based features model that describes malicious action exhibited by malware instance. To extract the proposed model, we first perform dynamic analysis on a relatively recent malware dataset inside a controlled virtual environment and capture traces of API calls invoked by malware instances. The traces are then generalized into high-level features we refer to as actions. We assessed the viability of actions by various classification algorithms such as decision tree, random forests, and support vector machine. The experimental results demonstrate that the classifiers attain high accuracy and satisfactory results in the detection of malware variants.

This is a preview of subscription content, log in via an institution to check access.

Access this article

Log in via an institution

Subscribe and save

Springer+ Basic
$34.99 /Month
  • Get 10 units per month
  • Download Article/Chapter or eBook
  • 1 Unit = 1 Article or 1 Chapter
  • Cancel anytime
Subscribe now

Buy Now

Price excludes VAT (USA)
Tax calculation will be finalised during checkout.

Instant access to the full article PDF.

Institutional subscriptions

Fig. 1
Fig. 2
Fig. 3
Fig. 4
Fig. 5
Fig. 6

Similar content being viewed by others

References

  1. Fossi, M., Egan, G., Haley, K., Johnson, E., Mack, T., Adams, T., Blackbird, J., Low, M.K., Mazurek, D., McKinney, D., et al.: Symantec internet security threat report trends for 2010, vol. 16 (2011)

  2. Gennari, J., French, D.: Defining malware families based on analyst insights. In: Technologies for Homeland Security (HST), 2011 IEEE International Conference on IEEE, pp. 396–401 (2011)

  3. Mairh, A., Barik, D., Verma, K., Jena, D.: Honeypot in network security: a survey. In: Proceedings of the 2011 International Conference on Communication, Computing & Security ACM, pp. 600–605 (2011)

  4. Kiemt, H., Thuy, N.T., Quang, T.M.N.: A machine learning approach to anti-virus system (artificial intelligence i). IPSJ SIG Notes. ICS 2004(125), 61–65 (2004)

    Google Scholar 

  5. Eskandari, M., Khorshidpour, Z., Hashemi, S.: Hdm-analyser: a hybrid analysis approach based on data mining techniques for malware detection. J. Comput. Virol. Hacking Tech. 9(2), 77–93 (2013)

    Article  Google Scholar 

  6. Kaspersky. Heuristic analysis in anti-virus. http://support.kaspersky.com/8641 (2013). Accessed in 1 April 2015

  7. Moser, A., Kruegel, C., Kirda, E.: Limits of static analysis for malware detection. In: Twenty-third annual IEEE Computer security applications conference, 2007. ACSAC 2007, pp. 421–430 (2007)

  8. Wong, W., Stamp, M.: Hunting for metamorphic engines. J. Comput. Virol. 2(3), 211–229 (2006)

    Article  Google Scholar 

  9. Egele, M., Scholte, T., Kirda, E., Kruegel, C.: A survey on automated dynamic malware-analysis techniques and tools. ACM Comput. Surv. (CSUR) 44(2), 6 (2012)

    Article  Google Scholar 

  10. Sikorski, M., Honig, A.: Practical malware analysis: the hands-on guide to dissecting malicious software. No Starch Press (2012)

  11. Cesare, S., Xiang, Y., Zhou, Wanlei: Malwise&# x2014; an effective and efficient classification system for packed and polymorphic malware. IEEE Trans. Comput. 62(6), 1193–1206 (2013)

    Article  MathSciNet  Google Scholar 

  12. Lindorfer, M., Kolbitsch, C., Comparetti, P.M.: Detecting environment-sensitive malware. In: Recent Advances in Intrusion Detection, pp. 338–357. Springer (2011)

  13. Nektra Advanced Computing. Deviare api hook. http://www.nektra.com/products/deviare-api-hook-windows/ (2015). Accessed in 1 April 2015

  14. Canfora, G.: Antonio Niccolò Iannaccone, and Corrado Aaron Visaggio. Static analysis for the detection of metamorphic computer viruses using repeated-instructions counting heuristics. J. Comput. Virol. Hacking Tech. 10(1), 11–27 (2014)

    Article  Google Scholar 

  15. Kalbhor, A., Austin, T.H., Filiol, E., Josse, S., Mark, S.: Dueling hidden markov models for virus analysis. J. Comput. Virol. Hacking Tech. 11, 1–16 (2014)

  16. Lin, D., Stamp, M.: Hunting for undetectable metamorphic viruses. J. Comput. Virol. 7(3), 201–214 (2011)

    Article  Google Scholar 

  17. Musale, M., Austin, T.H., Stamp, M.: Hunting for metamorphic javascript malware. J. Comput. Virol. Hacking Tech. 1–14 (2014)

  18. Shanmugam, G., Low, R.M., Stamp, M.: Simple substitution distance and metamorphic detection. J. Comput. Virol. Hacking Tech. 9(3), 159–170 (2013)

    Article  Google Scholar 

  19. Annachhatre, C., Austin, T.H., Stamp, M.: Hidden markov models for malware classification. J. Comput. Virol. Hacking Tech. 1–15 (2014)

  20. Faruki, P., Laxmi, V., Gaur, M.S., Vinod, P.: Mining control flow graph as api call-grams to detect portable executable malware. In Proceedings of the Fifth International Conference on Security of Information and Networks ACM, pp. 130–137 (2012)

  21. Park, Y., Reeves, D.S., Stamp, M.: Deriving common malware behavior through graph clustering. Comput. Secur. 39, 419–430 (2013)

    Article  Google Scholar 

  22. Eskandari, M., Hashemi, Sattar: A graph mining approach for detecting unknown malwares. J. Vis. Lang. Comput. 23(3), 154–162 (2012)

    Article  Google Scholar 

  23. Islam, R., Tian, R., Batten, L.M., Versteeg, S.: Classification of malware based on integrated static and dynamic features. J. Netw. Comput. Appl. 36(2), 646–656 (2013)

    Article  Google Scholar 

  24. VirusSign. Malware research and data center. http://www.VirusSign.com (2015). Accessed in 1 April 2015

  25. Breiman, L.: Random forests. Mach. Learn. 45(1), 5–32 (2001)

    Article  MathSciNet  MATH  Google Scholar 

  26. Cortes, C., Vapnik, V.: Support-vector networks. Mach. Learn. 20(3), 273–297 (1995)

    MATH  Google Scholar 

  27. Safavian, S.R., Landgrebe, D.: A survey of decision tree classifier methodology (1990)

  28. Demšar, J., Curk, T., Erjavec, A., Gorup, Č., Hočevar, T., Milutinovič, M., Možina, M., Polajnar, M., Toplak, M., Starič, A., Štajdohar, M., Umek, L., Žagar, L., Žbontar, J., Žitnik, M., Zupan, B.: Orange: Data mining toolbox in python. J. Mach. Learn. Res. 14, 2349–2353 (2013)

    MATH  Google Scholar 

Download references

Author information

Authors and Affiliations

  1. Faculty of Computers and Information, Assiut University, Assiut, Egypt

    Hisham Shehata Galal, Yousef Bassyouni Mahdy & Mohammed Ali Atiea

Authors
  1. Hisham Shehata Galal
    View author publications

    You can also search for this author inPubMed Google Scholar

  2. Yousef Bassyouni Mahdy
    View author publications

    You can also search for this author inPubMed Google Scholar

  3. Mohammed Ali Atiea
    View author publications

    You can also search for this author inPubMed Google Scholar

Corresponding author

Correspondence to Hisham Shehata Galal.

Rights and permissions

Reprints and permissions

About this article

Check for updates. Verify currency and authenticity via CrossMark

Cite this article

Galal, H.S., Mahdy, Y.B. & Atiea, M.A. Behavior-based features model for malware detection. J Comput Virol Hack Tech 12, 59–67 (2016). https://doi.org/10.1007/s11416-015-0244-0

Download citation

  • Received:

  • Accepted:

  • Published:

  • Issue Date:

  • DOI: https://doi.org/10.1007/s11416-015-0244-0

Keywords