Markhor: malware detection using fuzzy similarity of system call dependency sequences

  • Original Paper
  • Journal of Computer Virology and Hacking Techniques

Abstract

Static malware detection approaches are time-consuming and cannot cope with code obfuscation techniques. Dynamic malware detection approaches address both problems, but they suffer from behavioral ambiguity, for example when the system call sequence itself is obfuscated. In this paper we introduce Markhor, a dynamic, behavior-based malware detection approach. Markhor uses system call data-dependency and control-dependency sequences to create a weighted list of malicious patterns, and this list is then used to determine which processes are malicious. The similarity of a file's system call sequences to a malicious pattern is then computed with a fuzzy algorithm, and the nature of the file (benign or malicious) is determined from that similarity. The evaluation results show that Markhor is effective in terms of accuracy (0.982), precision (0.976), and F-measure (0.982).
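The pipeline the abstract describes (dependency sequences extracted from a trace, a weighted list of malicious patterns, a fuzzy similarity, a verdict) is easier to reason about with a concrete toy. The following is an added example written for this page, not the Markhor authors' code: it models only data dependencies (tracked as handle and address flow between calls; control dependencies are not modelled), uses the longest-common-subsequence ratio as the fuzzy similarity, and the pattern list, its weights, the 0.8 threshold and both traces are constructed for the illustration.

```python
"""Data-dependency chains from a system call trace plus fuzzy (LCS-based)
matching against weighted malicious patterns.

Added illustration, not the Markhor authors' code.  The trace format, the
handle-flow dependency rule, the LCS ratio as the fuzzy similarity, the
pattern weights and the decision threshold are assumptions for this example.
"""
from dataclasses import dataclass
from typing import Dict, List, Sequence, Tuple


@dataclass(frozen=True)
class Call:
    name: str
    inputs: Tuple[str, ...] = ()  # objects the call consumes (handles, addresses)
    output: str = ""              # object the call produces, "" if none


def dependency_chains(trace: Sequence[Call]) -> List[List[str]]:
    """Split a trace into data-dependency chains.

    A call joins the chain of the earlier call that produced one of its
    inputs; a call whose inputs were produced by no earlier call (constants,
    pseudo-handles, no inputs at all) starts a new chain.  Unrelated activity
    that is merely interleaved in time therefore lands in separate chains.
    """
    chains: List[List[str]] = []
    producer_chain: Dict[str, int] = {}  # object -> index of the chain that produced it
    for call in trace:
        linked = [producer_chain[obj] for obj in call.inputs if obj in producer_chain]
        idx = linked[0] if linked else len(chains)
        if not linked:
            chains.append([])
        chains[idx].append(call.name)
        if call.output:
            producer_chain[call.output] = idx
    return chains


def lcs_length(a: Sequence[str], b: Sequence[str]) -> int:
    """Longest common subsequence length (classic O(len(a)*len(b)) DP)."""
    prev = [0] * (len(b) + 1)
    for x in a:
        cur = [0]
        for j, y in enumerate(b, 1):
            cur.append(prev[j - 1] + 1 if x == y else max(prev[j], cur[j - 1]))
        prev = cur
    return prev[-1]


def fuzzy_similarity(seq: Sequence[str], pattern: Sequence[str]) -> float:
    """Fraction of the pattern recovered, in order, from seq.  Inserted noise
    calls do not lower the score; missing pattern calls do."""
    return lcs_length(seq, pattern) / len(pattern)


# Weighted malicious patterns (constructed for this example).  The weight
# expresses how strongly a full match of the pattern indicates malice.
PATTERNS: List[Tuple[Tuple[str, ...], float]] = [
    (("NtOpenProcess", "NtAllocateVirtualMemory",
      "NtWriteVirtualMemory", "NtCreateThreadEx"), 1.0),   # remote thread injection
    (("NtCreateFile", "NtWriteFile", "NtClose"), 0.3),      # plain file write, weakly suspicious
]


def malice_score(sequences: Sequence[Sequence[str]], patterns=PATTERNS) -> float:
    """Best weighted similarity of any sequence to any pattern, in [0, 1]."""
    return max(w * max(fuzzy_similarity(s, p) for s in sequences) for p, w in patterns)


def classify(trace: Sequence[Call], threshold: float = 0.8) -> Tuple[str, float]:
    """Verdict from the dependency-chain view of the trace (threshold assumed)."""
    score = malice_score(dependency_chains(trace))
    return ("malicious" if score >= threshold else "benign"), score


# Constructed traces -----------------------------------------------------------
# Injector whose pattern is interleaved with benign file activity and padded
# with irrelevant calls (a simple form of system call obfuscation).
INJECTOR = [
    Call("NtCreateFile", ("C:\\log.txt",), "h_file"),
    Call("NtOpenProcess", ("pid:4242",), "h_proc"),
    Call("NtQuerySystemTime"),
    Call("NtWriteFile", ("h_file",)),
    Call("NtAllocateVirtualMemory", ("h_proc",), "addr_remote"),
    Call("NtDelayExecution"),
    Call("NtWriteVirtualMemory", ("h_proc", "addr_remote")),
    Call("NtClose", ("h_file",)),
    Call("NtCreateThreadEx", ("h_proc", "addr_remote"), "h_thread"),
]
# Benign program: opens another process only to query it, then starts a worker
# thread in its OWN address space.  NtCurrentProcess is a pseudo-handle that no
# call produced, so these calls never link to the NtOpenProcess result.
BENIGN = [
    Call("NtOpenProcess", ("pid:4242",), "h_proc"),
    Call("NtQueryInformationProcess", ("h_proc",)),
    Call("NtAllocateVirtualMemory", ("NtCurrentProcess",), "addr_local"),
    Call("NtWriteVirtualMemory", ("NtCurrentProcess", "addr_local")),
    Call("NtCreateThreadEx", ("NtCurrentProcess", "addr_local"), "h_thread"),
]

if __name__ == "__main__":
    for label, trace in (("injector", INJECTOR), ("benign", BENIGN)):
        flat = malice_score([[c.name for c in trace]])   # whole trace as one sequence
        verdict, score = classify(trace)
        print(f"{label}: chains={dependency_chains(trace)} flat={flat:.2f} "
              f"dependency={score:.2f} -> {verdict}")
```

Running it shows the point of the dependency view: the injector's four injection calls end up in one chain despite the padding and the interleaved file activity, so it scores 1.0, while the benign program's NtOpenProcess sits in a different chain from its self-directed allocate/write/thread calls and scores only 0.75. A flat match over the whole trace gives both programs 1.0 on the injection pattern, which is exactly the ambiguity that reordering or padding the call sequence exploits.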

Notes

  1. Markhor (Capra falconeri), is a large Capra species native to Central Asia, Karakoram and the Himalayas. The name is thought to be derived from Persian–a conjunction of mar (“snake, serpent”) and the suffix khor (“-eater”), interpreted to represent the animal’s alleged ability to kill snakes.

Author information

Correspondence to Amir Mohammadzade Lajevardi.

About this article

Cite this article

Lajevardi, A.M., Parsa, S. & Amiri, M.J. Markhor: malware detection using fuzzy similarity of system call dependency sequences. J Comput Virol Hack Tech 18, 81–90 (2022). https://doi.org/10.1007/s11416-021-00383-1
