Many malicious behavior detection approaches rely on dynamic features that are extracted from Application Programming Interfaces (APIs), which represent the run-time behavior of programs. Most API-based malicious behavior detection techniques highly focus on measuring the statistical features of API calls such as finding the
frequency (e.g., how many times a specific API is called) or recognizing the sequence pattern of API calls. However, such detectors can be easily evaded and bypassed by malware authors who would interrupt the sequence by basically hooking and shuffling the API calls or deleting/inserting the irrelevant calls. Also, most proposed API-based malicious behavior detectors would either consider only the API calls (e.g., function names) without taking into account their arguments information (e.g., function parameters) or incur a prohibitive cost, such as requiring complex operations to deal with the arguments (e.g., proficient knowledge about the types of the arguments and/or powerful computers to extract them). As relying on API calls alone is insufficient to understand the purpose of the program, we propose a low-cost malicious behavior detection approach that can extract APIs dynamic features by studying the API calls together with their arguments using machine learning. Experimental results show that our approach achieves an accuracy of over 98.24% with two different datasets, and outperforms the state-of-the-art malicious behavior detection techniques.