Markhor: malware detection using fuzzy similarity of system call dependency sequences

Springer Science and Business Media LLC - Vol. 18 - pp. 81-90 - 2021
Amir Mohammadzade Lajevardi1, Saeed Parsa2, Mohammad Javad Amiri3
1Department of Computer Engineering, Sharif University of Technology, Tehran, Iran
2Department of Computer Engineering, Iran University of Science and Technology, Tehran, Iran
3Department of Computer and Information Science, University of Pennsylvania, Pennsylvania, USA

Abstract

Static malware detection approaches are time-consuming and cannot deal with code obfuscation techniques. Dynamic malware detection approaches, on the other hand, address these two challenges but suffer from behavioral ambiguity, such as system call obfuscation. In this paper, we introduce Markhor, a dynamic, behavior-based malware detection approach. Markhor uses system call data dependency and system call control dependency sequences to create a weighted list of malicious patterns. The list is then used to determine the malicious processes. Next, the similarity of a file's system call sequences to a malicious pattern is computed with a fuzzy algorithm, and the nature of the file is determined. The evaluation results reveal the efficiency of Markhor in terms of accuracy (0.982), precision (0.976), and F-measure (0.982).
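As an added illustration, not the paper's own code or algorithm, the sketch below builds data-dependency chains from a constructed system call trace (a value returned by one call and consumed by a later one) and scores them against a weighted pattern list with a fuzzy, order-preserving match. The trace, the patterns and their weights, the use of longest-common-subsequence as the fuzzy measure, and the omission of control dependencies are all assumptions made for the example.

```python
# Constructed sample trace: (syscall, args, return value). A value returned by
# one call and consumed as an argument by a later call is a data dependency.
TRACE = [
    ("NtOpenFile",   {"path": "C:\\in.exe"},           "h1"),
    ("NtReadFile",   {"handle": "h1"},                 "buf1"),
    ("NtCreateFile", {"path": "C:\\out.exe"},          "h2"),
    ("NtWriteFile",  {"handle": "h2", "data": "buf1"}, None),
    ("NtClose",      {"handle": "h2"},                 None),
]

# Constructed weighted malicious patterns; the weights are assumed, not the paper's.
PATTERNS = [
    (["NtOpenFile", "NtReadFile", "NtWriteFile"], 3.0),  # read one file, write another
    (["NtCreateFile", "NtWriteFile", "NtClose"], 2.0),   # drop a file to disk
]

def dependency_sequences(trace):
    """Return every root-to-leaf chain of data-dependent system call names."""
    consumers = {i: [] for i in range(len(trace))}
    roots = []
    for j, (_, args, _) in enumerate(trace):
        producers = [i for i in range(j) if trace[i][2] is not None and trace[i][2] in args.values()]
        if not producers:
            roots.append(j)
        for i in producers:
            consumers[i].append(j)
    seqs = []
    def walk(i, path):
        path = path + [trace[i][0]]
        if not consumers[i]:
            seqs.append(path)
        for j in consumers[i]:
            walk(j, path)
    for r in roots:
        walk(r, [])
    return seqs

def lcs_len(a, b):
    """Longest common subsequence length: order-preserving, gap-tolerant match."""
    dp = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i, x in enumerate(a, 1):
        for j, y in enumerate(b, 1):
            dp[i][j] = dp[i-1][j-1] + 1 if x == y else max(dp[i-1][j], dp[i][j-1])
    return dp[-1][-1]

def malicious_score(trace, patterns=PATTERNS):
    """Weighted average over patterns of the best fuzzy (LCS) match to any chain."""
    seqs = dependency_sequences(trace)
    best = [w * max(lcs_len(p, s) / len(p) for s in seqs) for p, w in patterns]
    return sum(best) / sum(w for _, w in patterns)
```

A deployment would compare the score against a threshold tuned on labelled traces; the constructed trace above scores 13/15 because the read-then-write chain matches fully while the drop-file pattern is only partially recovered.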
