Annual Computer Security Applications Conference (ACSAC) 2020

Full Program »

Advanced Windows Methods on Malware Detection and Family Classification

Application Programming Interfaces (APIs) are still considered the standard accessible data source and core wok of the most widely adopted malware detection and classification techniques. API-based malware detectors highly rely on measuring API's statistical features, such as calculating the frequency counter of calling specific API calls or finding their malicious sequence pattern (i.e., signature-based detectors). Using simple hooking tools, malware authors would help in failing such detectors by interrupting the sequence and shuffling the API calls or deleting/inserting irrelevant calls (i.e., changing the frequency counter). Moreover, relying on API calls (e.g., function names) alone without taking into account their function parameters is insufficient to understand the purpose of the program. For example, the same API call (e.g., writing on a file) would act in two ways if two different arguments are passed (e.g., writing on a system versus user file). However, because of the heterogeneous nature of API arguments, most of the available API-based malicious behavior detectors would consider only the API calls without taking into account their argument information (e.g., function parameters). Alternatively, other detectors try considering the API arguments in their techniques, but they acquire having proficient knowledge about the API arguments or powerful processors to extract them. Such requirements demand a prohibitive cost and complex operations to deal with the arguments. To overcome the above limitations, with the help of machine learning and without any expert knowledge of the arguments, we propose a light-weight API-based dynamic feature extraction technique, and we use it to implement a malware detection and family classification approach. To evaluate our approach, we use reasonable datasets of 7774 benign and 7105 malicious samples belonging to ten distinct malware families. Experimental results show that our family classification module could achieve an accuracy of 98.0253%, where our malware detection module could reach an accuracy of over 99.8992%, and outperforms many state-of-the-art API-based malware detectors.

Dima Rabadi
Research Scientist at Institute for Infocomm Research (I2R), A*STAR, Singapore

Sin G. Teo
Research Scientist at Institute for Infocomm Research (I2R), A*STAR, Singapore

Paper (ACM DL)




Powered by OpenConf®
Copyright©2002-2021 Zakon Group LLC