Unknown Malicious Executables Detection Based on Run-Time Behavior

Author

Hu, Yongtao ; Chen, Liang ; Xu, Ming ; Zheng, Ning ; Guo, Yanhua

Author_Institution

Third Res. Inst., Minist. of Public Security, Shanghai

Volume

4

fYear

2008

fDate

18-20 Oct. 2008

Firstpage

391

Lastpage

395

Abstract

Traditional anti-virus scanner employs static features to detect malicious executables. Unfortunately, this content-based approach can be obfuscated by techniques such as polymorphism and metamorphism. In this paper, we propose a malicious executable detecting method using 35-dimension feature vector. Each dimension stands for a malicious run-time behavior feature represented by corresponding Win32 API calls and their certain parameters. An automatic executable behavior tracing system (Argus) is also implemented to dynamically capture the features. Experiments are performed on a data set of 8223 malicious and 2821 benign executables. Training set is then used to generate detection model and several testing groups are set up for classification. Experiment result suggests that the method is efficient in detecting previously unknown malicious executables which have more than two behavior features captured.

Keywords

application program interfaces; computer viruses; 35-dimension feature vector; Argus; Win32 API calls; anti-virus scanner; automatic executable behavior tracing system; malicious run-time behavior; unknown malicious executables detection; Computer vision; Data analysis; Fuzzy systems; Keyboards; Operating systems; Runtime; Security; Spatial databases; Testing; Writing; Win32 API calls; malicious behavior; malicious executables;

fLanguage

English

Publisher

ieee

Conference_Titel

Fuzzy Systems and Knowledge Discovery, 2008. FSKD '08. Fifth International Conference on

Conference_Location

Jinan Shandong

Print_ISBN

978-0-7695-3305-6

Type

conf

DOI

10.1109/FSKD.2008.185

Filename

4666417