• DocumentCode
    2963289
  • Title
    Behavior-Based Tracer to Monitor Malicious Features of Unknown Executable File
  • Author
    Kim, Daewon ; Kim, Ikkyun ; Oh, Jintae ; Jang, Jongsoo
  • Author_Institution
    Knowledge-based Inf. Security & Safety Res. Dept., Electron. & Telecommun. Res. Inst., Daejeon, South Korea
  • fYear
    2010
  • fDate
    20-25 Sept. 2010
  • Firstpage
    152
  • Lastpage
    156
  • Abstract
    In computing environments, malicious executable files are at the core of various security threats. Conventional signature-based security systems have difficulty detecting, at run time, the unknown members of this class of malicious executable files. For this reason, static and dynamic analysis methods that do not require signatures have been actively researched for run-time detection of unknown malicious executables. In particular, behavior-based dynamic analysis methods, which monitor the actions performed after a malicious executable file is actually run, have made a worthy contribution to improving the accuracy of analysis results. However, the analysis information offered by most behavior-based methods is not sufficient as input to the methods that finally decide the malignancy of an executable file, because each behavior-based method reports only the results of a few actions, or reports them without their sequence. In this paper, we classify the activities that may occur during the execution of malicious executable files and describe the implementation of a prototype program that can monitor these activities. Additionally, based on the operational results of the prototype program, we discuss some important issues that arise from the differences between real and virtual experimental environments.
  • Keywords
    digital signatures; invasive software; program diagnostics; behavior-based dynamic analysis; behavior-based tracer; computing environment; malicious executable file; malicious feature monitoring; malware analysis; nonsequential analysis; run-time detection; security threat; signature-based security system; static analysis; unknown executable file; Grippers; Kernel; Malware; Monitoring; Prototypes; Virtual machining; behavior-based analysis; dynamic analysis; malware analysis; unknown attack analysis
  • fLanguage
    English
  • Publisher
    ieee
  • Conference_Titel
    Computing in the Global Information Technology (ICCGI), 2010 Fifth International Multi-Conference on
  • Conference_Location
    Valencia
  • Print_ISBN
    978-1-4244-8068-5
  • Electronic_ISBN
    978-0-7695-4181-5
  • Type
    conf
  • DOI
    10.1109/ICCGI.2010.29
  • Filename
    5628822