Advanced Windows Methods on Malware Detection and Classification

Advanced Windows Methods on Malware Detection and Classification
Title:
Advanced Windows Methods on Malware Detection and Classification
Other Titles:
ACSAC '20: Annual Computer Security Applications Conference
Publication Date:
07 December 2020
Citation:
Abstract:
Application Programming Interfaces (APIs) are still considered the standard accessible data source and core wok of the most widely adopted malware detection and classification techniques. API-based malware detectors highly rely on measuring API’s statistical features, such as calculating the frequency counter of calling specific API calls or finding their malicious sequence pattern (i.e., signature based detectors). Using simple hooking tools, malware authors would help in failing such detectors by interrupting the sequence and shuffling the API calls or deleting/inserting irrelevant calls (i.e., changing the frequency counter). Moreover, relying on API calls (e.g., function names) alone without taking into account their function parameters is insufficient to understand the purpose of the program. For example, the same API call (e.g., writing on a file) would act in two ways if two different arguments are passed (e.g., writing on a system versus user file). However, because of the heterogeneous nature of API arguments, most of the available API based malicious behavior detectors would consider only the API calls without taking into account their argument information (e.g., function parameters). Alternatively, other detectors try considering the API arguments in their techniques, but they acquire having proficient knowledge about the API arguments or powerful processors to extract them. Such requirements demand a prohibitive cost and complex operations to deal with the arguments. To overcome the above limitations, with the help of machine learning and without any expert knowledge of the arguments, we propose a light-weight API-based dynamic feature extraction technique, and we use it to implement a malware detection and type classification approach. To evaluate our approach, we use reasonable datasets of 7774 benign and 7105 malicious samples belonging to ten distinct malware types. Experimental results show that our type classification module could achieve an accuracy of 98.0253 %, where our malware detection module could reach an accuracy of over 99.8992 %, and outperforms many state-of-the-art API-based malware detectors.
License type:
Funding Info:
There is no specific funding for this research work.
Description:
© {Rabadi Dima | ACM} {2020}. This is the author's version of the work. It is posted here for your personal use. Not for redistribution. The definitive Version of Record was published in {ACSAC '20: Annual Computer Security Applications Conference}, http://dx.doi.org/10.1145/3427228.3427242.
ISBN:

Files uploaded:

File Size Format Action
34272283427242.pdf 934.82 KB PDF Open