Malware Detection Method by Catching Their Random Behavior in Multiple Executions
Saved in:
Main Authors: | , , , |
---|---|
Format: | Conference Proceeding |
Language: | English |
Subjects: | |
Online Access: | Request full text |
Summary: | Modern malware often changes its runtime behavior in each execution in order to withstand malware analysis and detection. For example, when malware copies itself onto a file system, it can choose its file name at random to avoid detection. Another example is that when malware tries to connect to its command and control server, it randomly chooses a domain name from a hard-coded list of domain names to avoid being blocked by a static blacklist of malicious domain names. We assume that such random behaviors are unnecessary for benign software; therefore, these behaviors can serve as clues to distinguish malware from benign software. In this paper, we propose a novel malware detection method based on investigating the behavioral differences between multiple executions of suspicious software. The proposed method runs dynamic analysis on an executable file multiple times in the same sandbox environment so as to obtain multiple API call sequence lists, and then compares the lists to find the differences between the executions. In experiments with 5,697 malware samples and 819 benign software samples, the proposed method detected about 67% of the malware samples with a false positive rate of about 1%. Moreover, the proposed method detected 117 of the 273 malware samples that were not detected by antivirus software. We therefore confirmed that the proposed method may be able to improve the accuracy of malware detection when used in combination with other existing methods. |
---|---|
DOI: | 10.1109/SAINT.2012.49 |