Malware Characterization Using Windows API Call Sequences

Authors

  • Sanchit Gupta SAG, DRDO, Delhi, India
  • Harshit Sharma NIIT University, Neemrana, India
  • Sarvjeet Kaur SAG, DRDO, Delhi, India

DOI:

https://doi.org/10.13052/2245-1439.741

Keywords:

Win-API, API hooking, malware, fuzzy hashing

Abstract

In this research we used Windows API (Win-API) call sequences to capture the behaviour of malicious applications. Microsoft's Detours library was used to hook the Win-API calls and record their sequence. To obtain a higher level of abstraction, related Win-APIs were mapped to a single category: a total of 534 important Win-APIs were hooked and mapped to 26 categories (A...Z), so the behaviour of any malicious application is captured as a sequence over these 26 category letters. Five classes of malware were analysed: Worm, Trojan-Downloader, Trojan-Spy, Trojan-Dropper and Backdoor. 400 samples of each class were taken for experimentation, giving a training set of 2000 samples whose API call sequences were analysed; for testing, 120 samples were taken per class. The fuzzy hashing algorithm ssdeep was applied to the category sequences to generate fuzzy-hash signatures, and these signatures were matched to quantify the API call sequence homology between test samples and training samples. Encouraging results were obtained in classifying the test samples into the five categories above. Further, N-gram analysis was performed to extract API call sequence patterns specific to each of the five categories of malware.
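
The pipeline the abstract describes, as an added worked example that is not code from the paper or its authors: a hooked API trace is collapsed to category letters, the letter sequence is fuzzy-hashed, the signature is matched against per-class training signatures, and the same sequences are mined for class-specific N-grams. The category letters, the API-to-category entries, the training traces and the block size are all constructed assumptions, and the fuzzy hash is a minimal context-triggered piecewise hash written for this example as an offline stand-in for ssdeep, not the ssdeep library itself.

```python
"""
Constructed illustration of: API trace -> category sequence -> fuzzy-hash
signature -> nearest-class match, plus per-class N-gram extraction.
The category table, traces and block size are assumptions made for this
example; ctph() is a minimal CTPH (Kornblum 2006) stand-in, not ssdeep.
"""

# Hypothetical slice of the 534-API -> 26-category table (letters assumed).
API_CATEGORY = {
    "CreateFileW": "F", "WriteFile": "F", "CopyFileW": "F",
    "FindFirstFileW": "D", "FindNextFileW": "D",
    "InternetOpenW": "N", "InternetOpenUrlW": "N", "InternetReadFile": "N",
    "socket": "S", "connect": "S", "send": "S",
    "CreateProcessW": "P", "WinExec": "P",
    "GetAsyncKeyState": "K", "SetWindowsHookExW": "K",
}

# Constructed traces standing in for the paper's training set (two per class).
TRAINING_TRACES = {
    "Trojan-Downloader": [
        ["InternetOpenW", "InternetOpenUrlW"]
        + ["InternetReadFile", "WriteFile"] * 8 + ["WinExec"],
        ["InternetOpenW", "InternetOpenUrlW"]
        + ["InternetReadFile", "WriteFile"] * 6 + ["CreateFileW", "CreateProcessW"],
    ],
    "Trojan-Spy": [
        ["GetAsyncKeyState"] * 6 + ["WriteFile"] + ["GetAsyncKeyState"] * 6
        + ["WriteFile", "socket", "connect", "send"],
        ["SetWindowsHookExW"] + ["GetAsyncKeyState"] * 3 + ["CreateFileW", "WriteFile"]
        + ["GetAsyncKeyState"] * 4 + ["WriteFile", "connect", "send"],
    ],
    "Worm": [
        ["FindFirstFileW", "FindNextFileW"] + ["FindNextFileW", "CopyFileW"] * 5
        + ["socket", "connect", "send"],
        ["socket", "connect", "send", "FindFirstFileW", "FindNextFileW"]
        + ["FindNextFileW", "CopyFileW"] * 4,
    ],
}

B64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"


def to_category_sequence(trace):
    """Abstract a trace of hooked API names into the category-letter string."""
    return "".join(API_CATEGORY[api] for api in trace if api in API_CATEGORY)


def ctph(seq, block_size=3, window=3):
    """Minimal CTPH: a sliding-window context hash decides where each piece
    ends; an FNV-1a hash of the piece is reduced to one base64 symbol."""
    symbols, piece = [], 0x811C9DC5                  # FNV-1a offset basis
    for i, ch in enumerate(seq):
        piece = ((piece ^ ord(ch)) * 0x01000193) & 0xFFFFFFFF
        context = sum(ord(c) for c in seq[max(0, i - window + 1):i + 1])
        if context % block_size == block_size - 1:   # trigger: close the piece
            symbols.append(B64[piece & 63])
            piece = 0x811C9DC5
    symbols.append(B64[piece & 63])                  # flush the last piece
    return f"{block_size}:{''.join(symbols)}"


def levenshtein(a, b):
    """Plain edit distance between two signature bodies."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def similarity(sig_a, sig_b):
    """0..100 homology score; signatures of different block size do not match."""
    bs_a, body_a = sig_a.split(":", 1)
    bs_b, body_b = sig_b.split(":", 1)
    if bs_a != bs_b:
        return 0
    return round(100 * (1 - levenshtein(body_a, body_b) / max(len(body_a), len(body_b))))


TRAINING = {cls: [ctph(to_category_sequence(t)) for t in traces]
            for cls, traces in TRAINING_TRACES.items()}


def class_scores(trace, training=TRAINING):
    """Best signature match of a test trace against each class's training set."""
    sig = ctph(to_category_sequence(trace))
    return {cls: max(similarity(sig, s) for s in sigs) for cls, sigs in training.items()}


def classify(trace, training=TRAINING):
    scores = class_scores(trace, training)
    return max(scores, key=scores.get)


def ngrams(seq, n):
    return {seq[i:i + n] for i in range(len(seq) - n + 1)}


def class_specific_ngrams(traces_by_class, n=3):
    """Category N-grams seen in one class's samples and in no other class."""
    per_class = {cls: set().union(*(ngrams(to_category_sequence(t), n) for t in traces))
                 for cls, traces in traces_by_class.items()}
    return {cls: grams - set().union(*(g for c, g in per_class.items() if c != cls))
            for cls, grams in per_class.items()}


if __name__ == "__main__":
    probe = TRAINING_TRACES["Trojan-Spy"][0]        # constructed test sample
    print(classify(probe), class_scores(probe))
    for cls, grams in class_specific_ngrams(TRAINING_TRACES).items():
        print(cls, sorted(grams))
```

Running the block prints the predicted class and per-class scores for a probe trace, then the trigrams unique to each class. Real hooked traces run to thousands of calls; with sequences this short a signature is only a few symbols long. ssdeep itself also chooses the block size from the input length, emits two signatures at adjacent block sizes and requires a common substring before it reports a match, none of which this stand-in reproduces.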

Author Biographies

Sanchit Gupta, SAG, DRDO, Delhi, India

Sanchit Gupta graduated in Computer Science & Engineering from the National Institute of Technology, Hamirpur. He joined the Scientific Analysis Group (SAG) in 2005 and is presently a Scientist 'E'. He works in the area of Malware Analysis and Software Security.

Harshit Sharma, NIIT University, Neemrana, India

Harshit Sharma completed an M.Tech. in Computer Science & Engineering (specialization in Cyber Security) at Sharda University, Greater Noida, in May 2018. His areas of interest are Digital Forensics and Malware Analysis.

Sarvjeet Kaur, SAG, DRDO, Delhi, India

Sarvjeet Kaur holds an M.Sc. (Computer Science) from DAVV, Indore, and an M.S. (Software Systems) from BITS Pilani, completed in 2010. She joined the Scientific Analysis Group (SAG) in 1991 and is presently a Scientist 'F' heading the Software Security Testing Group. Her areas of interest are Software Security and Malware Analysis.

References

Shafiq, M. Z., Tabish, S. M., Mirza, F., and Farooq, M. (2009). PE-Miner: Mining structural information to detect malicious executables in real time. In 12th International Symposium on Recent Advances in Intrusion Detection (RAID).

Moskovitch, R. et al. (2008). Unknown malcode detection using OPCODE representation. Intelligence and Security Informatics, LNCS 5376, 204–215.

Moskovitch, R. et al. (2008). Unknown malcode detection via text categorization and the imbalance problem. In IEEE International Conference on Intelligence and Security Informatics, 156–161.

Santos, I. et al. (2013). Opcode sequences as representation of executables for data-mining-based unknown malware detection. Information Sciences, 231, 64–82.

Egele, M., Scholte, T., Kirda, E., and Kruegel, C. (2012). A survey on automated dynamic malware analysis techniques and tools. ACM Computing Surveys, 44(2), 1–42.

Santos, I. et al. (2013). OPEM: A static-dynamic approach for machine-learning-based malware detection. In International Joint Conference CISIS'12-ICEUTE'12-SOCO'12, AISC 189, 271–280.

Ye, Y. et al. (2009). SBMDS: An interpretable string based malware detection system using SVM ensemble with bagging. Journal in Computer Virology, 5(4), 283–293.

Zolkipli, M. F., and Jantan, A. (2011). An approach for malware behavior identification and classification. In 3rd International Conference on Computer Research and Development, Shanghai, 191–194.

Islam, M. R., Tian, R., Batten, L., and Versteeg, S. (2013). Classification of malware based on integrated static and dynamic features. Journal of Network and Computer Applications, 36, 646–656.

Gandotra, E., Bansal, D., and Sofat, S. (2014). Malware analysis and classification: A survey. Journal of Information Security, 5, 56–64.

Ranveer, S., and Hiray, S. (2015). Comparative analysis of feature extraction methods of malware detection. International Journal of Computer Applications, 120(5), 1–7.

Ki, Y., Kim, E., and Kim, H. K. (2015). A novel approach to detect malware based on API call sequence analysis. International Journal of Distributed Sensor Networks, 2015.

Park, Y., Reeves, D., Mulukutla, V., and Sundaravel, B. (2010). Fast malware classification by automated behavioral graph matching. In 6th Annual Workshop on Cyber Security and Information Intelligence Research (CSIIRW), Article 45. ACM.

Nari, S., and Ghorbani, A. A. (2013). Automated malware classification based on network behavior. In International Conference on Computing, Networking and Communications (ICNC), 642–647.

Reina, A. et al. (2013). A system call-centric analysis and stimulation technique to automatically reconstruct Android malware behaviors. In ACM European Workshop on System Security (EuroSec), 1–6.

Yu, W. et al. (2013). On behavior-based detection of malware on Android platform. In IEEE Global Telecommunications Conference (GLOBECOM), 814–819.

VxVault, http://www.vxvault.net

VX Heaven, http://www.vxheaven.org

VirusSign, http://www.virussign.com

VirusTotal, https://www.virustotal.com

Kornblum, J. (2006). Identifying almost identical files using context triggered piecewise hashing. Digital Investigation, 3, 91–97.

Hunt, G., and Brubacher, D. (1999). Detours: Binary interception of Win32 functions. In 3rd USENIX Windows NT Symposium, 135–143.

Firdausi, I. et al. (2010). Analysis of machine learning techniques used in behavior-based malware detection. In 2nd International Conference on Advances in Computing, Control and Telecommunication Technologies (ACT), IEEE, 201–203.

Published

2018-04-05

How to Cite

Gupta S, Sharma H, Kaur S. Malware Characterization Using Windows API Call Sequences. JCSANDM [Internet]. 2018 Apr. 5 [cited 2024 Apr. 25];7(4):363-78. Available from: https://journals.riverpublishers.com/index.php/JCSANDM/article/view/5309

Section

Articles