DocumentCode :
477952
Title :
Unknown Malicious Executables Detection Based on Run-Time Behavior
Author :
Hu, Yongtao ; Chen, Liang ; Xu, Ming ; Zheng, Ning ; Guo, Yanhua
Author_Institution :
Third Res. Inst., Minist. of Public Security, Shanghai
Volume :
4
fYear :
2008
fDate :
18-20 Oct. 2008
Firstpage :
391
Lastpage :
395
Abstract :
Traditional anti-virus scanners employ static features to detect malicious executables. Unfortunately, this content-based approach can be defeated by obfuscation techniques such as polymorphism and metamorphism. In this paper, we propose a malicious-executable detection method using a 35-dimensional feature vector. Each dimension stands for a malicious run-time behavior feature, represented by the corresponding Win32 API calls and certain of their parameters. An automatic executable behavior tracing system (Argus) is also implemented to capture the features dynamically. Experiments are performed on a data set of 8223 malicious and 2821 benign executables. The training set is then used to generate a detection model, and several testing groups are set up for classification. The experimental results suggest that the method is efficient in detecting previously unknown malicious executables for which more than two behavior features are captured.
Keywords :
application program interfaces; computer viruses; 35-dimension feature vector; Argus; Win32 API calls; anti-virus scanner; automatic executable behavior tracing system; malicious run-time behavior; unknown malicious executables detection; Computer vision; Data analysis; Fuzzy systems; Keyboards; Operating systems; Runtime; Security; Spatial databases; Testing; Writing; Win32 API calls; malicious behavior; malicious executables;
fLanguage :
English
Publisher :
ieee
Conference_Titel :
Fuzzy Systems and Knowledge Discovery, 2008. FSKD '08. Fifth International Conference on
Conference_Location :
Jinan Shandong
Print_ISBN :
978-0-7695-3305-6
Type :
conf
DOI :
10.1109/FSKD.2008.185
Filename :
4666417