DocumentCode
477952
Title
Unknown Malicious Executables Detection Based on Run-Time Behavior
Author
Hu, Yongtao ; Chen, Liang ; Xu, Ming ; Zheng, Ning ; Guo, Yanhua
Author_Institution
Third Res. Inst., Minist. of Public Security, Shanghai
Volume
4
fYear
2008
fDate
18-20 Oct. 2008
Firstpage
391
Lastpage
395
Abstract
Traditional anti-virus scanners employ static features to detect malicious executables. Unfortunately, this content-based approach can be defeated by obfuscation techniques such as polymorphism and metamorphism. In this paper, we propose a malicious executable detection method that uses a 35-dimension feature vector. Each dimension stands for a malicious run-time behavior feature, represented by the corresponding Win32 API calls and certain of their parameters. An automatic executable behavior tracing system (Argus) is also implemented to capture the features dynamically. Experiments are performed on a data set of 8223 malicious and 2821 benign executables. The training set is then used to generate a detection model, and several testing groups are set up for classification. The experimental results suggest that the method is efficient at detecting previously unknown malicious executables for which more than two behavior features are captured.
Keywords
application program interfaces; computer viruses; 35-dimension feature vector; Argus; Win32 API calls; anti-virus scanner; automatic executable behavior tracing system; malicious run-time behavior; unknown malicious executables detection; Computer vision; Data analysis; Fuzzy systems; Keyboards; Operating systems; Runtime; Security; Spatial databases; Testing; Writing; Win32 API calls; malicious behavior; malicious executables;
fLanguage
English
Publisher
ieee
Conference_Titel
Fuzzy Systems and Knowledge Discovery, 2008. FSKD '08. Fifth International Conference on
Conference_Location
Jinan Shandong
Print_ISBN
978-0-7695-3305-6
Type
conf
DOI
10.1109/FSKD.2008.185
Filename
4666417