Title
Malware Detection Method by Catching Their Random Behavior in Multiple Executions
Abstract
Modern malware often changes its runtime behavior from one execution to the next in order to evade analysis and detection. For example, when malware copies itself to the file system, it may choose the file name at random so that no fixed name can be matched. Likewise, when malware connects to its command-and-control server, it may pick a domain at random from a hard-coded list so that a static blacklist of malicious domain names cannot block it. We assume that such random behavior is unnecessary for benign software and can therefore serve as a clue for distinguishing malware from benign programs. In this paper we propose a novel malware detection method based on the behavioral differences observed across multiple executions of a suspicious program. The method runs an executable several times in the same sandbox environment to obtain several API-call sequences, then compares those sequences to find what differs between executions. In experiments with 5,697 malware samples and 819 benign software samples, the method detected about 67% of the malware with a false-positive rate of about 1%. Moreover, it detected 117 of the 273 malware samples that the antivirus software could not detect. These results suggest that the method can improve detection accuracy when combined with existing methods.
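The comparison step the abstract describes, as an added example that is not code from the paper: several API-call traces of the same sample are taken from repeated runs, and any API whose arguments differ between runs (a random copy name, a random C2 domain) is reported. The traces, API names, paths and `.example` domains are constructed for illustration, and the "any varying API is suspicious" threshold is this example's own assumption, not the paper's classifier.

```python
"""Flag a sample whose API-call behaviour differs between repeated sandbox runs.

Added example; the traces below are constructed, not real sandbox output, and
the threshold in classify() is an assumption rather than the paper's rule.
"""
import difflib
from collections import defaultdict
from itertools import combinations

# A trace is a list of (api_name, argument_tuple) pairs in call order.
# Constructed "malware" traces: the copy target, the autorun value and the
# C2 domain change on every run, which is the random behaviour being targeted.
MALWARE_RUNS = [
    [("OpenProcess", ("1234",)),
     ("CopyFileA", (r"C:\sample.exe", r"C:\Windows\ab12cd.exe")),
     ("RegSetValueExA", (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "ab12cd")),
     ("gethostbyname", ("alpha.example",)),
     ("connect", ("80",))],
    [("OpenProcess", ("1234",)),
     ("CopyFileA", (r"C:\sample.exe", r"C:\Windows\zq90xy.exe")),
     ("RegSetValueExA", (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "zq90xy")),
     ("gethostbyname", ("beta.example",)),
     ("connect", ("80",))],
    [("OpenProcess", ("1234",)),
     ("CopyFileA", (r"C:\sample.exe", r"C:\Windows\mn45op.exe")),
     ("RegSetValueExA", (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "mn45op")),
     ("gethostbyname", ("gamma.example",)),
     ("connect", ("80",))],
]

# Constructed "benign" traces: identical in every run, including an API that is
# legitimately called with several different arguments within one run.
_BENIGN_RUN = [
    ("CreateFileA", (r"C:\app\config.ini",)),
    ("CreateFileA", (r"C:\app\plugins.ini",)),
    ("ReadFile", ("4096",)),
    ("gethostbyname", ("update.example",)),
    ("connect", ("443",)),
]
BENIGN_RUNS = [list(_BENIGN_RUN) for _ in range(3)]


def per_run_argsets(run):
    """Map each API name to the set of argument tuples it was called with in one run."""
    sets = defaultdict(set)
    for api, args in run:
        sets[api].add(tuple(args))
    return sets


def varying_apis(runs):
    """Return {api: all distinct argument tuples} for APIs whose per-run argument
    set is not identical across all runs. An API consistently called with the
    same several arguments in every run (e.g. reading two config files) is not
    flagged; only run-to-run differences are."""
    argsets = [per_run_argsets(run) for run in runs]
    apis = set().union(*[s.keys() for s in argsets])
    report = {}
    for api in sorted(apis):
        observed = [frozenset(s.get(api, ())) for s in argsets]
        if len(set(observed)) > 1:
            report[api] = sorted(set().union(*observed))
    return report


def min_name_sequence_ratio(runs):
    """Lowest pairwise similarity of the API-name order across runs (1.0 = same
    order). Argument randomisation alone leaves this at 1.0, which is why the
    comparison above looks at arguments and not just the call sequence."""
    if len(runs) < 2:
        raise ValueError("need at least two executions to compare")
    names = [[api for api, _ in run] for run in runs]
    return min(difflib.SequenceMatcher(None, a, b).ratio()
               for a, b in combinations(names, 2))


def classify(runs, max_varying_apis=0):
    """Assumed rule: more than max_varying_apis differing APIs means suspicious."""
    if len(runs) < 2:
        raise ValueError("need at least two executions to compare")
    report = varying_apis(runs)
    verdict = "suspicious" if len(report) > max_varying_apis else "consistent"
    return verdict, report


if __name__ == "__main__":
    for label, runs in (("malware", MALWARE_RUNS), ("benign", BENIGN_RUNS)):
        verdict, report = classify(runs)
        print(label, verdict, sorted(report), min_name_sequence_ratio(runs))
```

The per-run argument-set comparison is what keeps the false-positive rate down: benign programs that read the same list of files on every run are not flagged, while benign nondeterminism that does vary between runs (temporary file names, generated GUIDs) would be, which is the class of behaviour a real deployment has to whitelist or raise the threshold for.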
Year
2012
DOI
10.1109/SAINT.2012.49
Venue
Applications and the Internet
Keywords
random behavior, novel malware detection method, multiple executions, multiple execution, malware copy, malware detection, malware analysis, benign software, malware detection method, modern malware, antivirus software, malware sample, internet, accuracy, servers, malware, dynamic analysis
Field
Sandbox (software development), Cryptovirology, Data mining, File system, Computer science, Blacklist, Computer network, Asprox botnet, Malware, Cyber-collection, Operating system, Executable
DocType
Conference
ISBN
978-0-7695-4737-4
Citations
3
PageRank
0.44
References
6
Authors
4
Name                 Order  Citations  PageRank
Takahiro Kasama      1      43         4.88
Katsunari Yoshioka   2      147        22.92
Daisuke Inoue        3      13         5.06
Tsutomu Matsumoto    4      1156       197.58