Profiling and Classifying the Behavior of Malicious Codes
Mamoun Alazab, Profiling and classifying the behavior of malicious codes, Journal of Systems and Software, Volume 100, Pages 91-102, ISSN 0164-1212, , February 2015 Forthcoming
12 Pages Posted: 8 Dec 2014 Last revised: 11 Apr 2015
Date Written: October 1, 2014
Malware is a major security threat confronting computer systems and networks and has increased in scale and impact from the early days of ICT. Traditional protection mechanisms are largely incapable of dealing with the diversity and volume of malware variants which is evident today. This paper examines the evolution of malware including the nature of its activity and variants, and the implication of this for computer security industry practices.
As a first step to address this challenge, I propose a framework to extract features statically and dynamically from malware that reflect the behavior of its code such as the Windows Application Programming Interface (API) calls. Similarity based mining and machine learning methods have been employed to profile and classify malware behaviors. This method is based on the sequences of API sequence calls and frequency of appearance.
Experimental analysis results using large datasets show that the proposed method is effective in identifying known malware variants, and also classifies malware with high accuracy and low false alarm rates. This encouraging result indicates that classification is a viable approach for similarity detection to help detect malware. This work advances the detection of zero-day malware and offers researchers another method for understanding impact.
Keywords: Cybercrime; Malware; Profiling
Suggested Citation: Suggested Citation