NDLI: Malware Detection Method by Catching Their Random Behavior in Multiple Executions

Content Provider	IEEE Xplore Digital Library
Author	Kasama, T. Yoshioka, K. Inoue, D. Matsumoto, T.
Copyright Year	2012
Abstract	Modern malware often changes their runtime behaviors in each execution to tolerate against malware analyses and detections. For example, when a malware copies itself on a file system, it can randomly determine its file name for avoiding the detections. Another example is that when a malware tries to connect its command and control server, it randomly chooses a domain name from a hard-coded domain name list to avoid being blocked by a static blacklist of malicious domain names. We assume that such random behaviors are unnecessary for benign software. Therefore the behaviors can be clues to distinguish malware from benign software. In this paper, we propose a novel malware detection method based on investigating the behavioral difference in multiple executions of suspicious software. Our proposed method conducts dynamic analysis on an executable file multiple times in the same sandbox environment so as to obtain plural lists of API call sequence, and then compares the lists to find the difference between the multiple executions. In the experiments with 5,697 malware samples and 819 benign software samples, the proposed method could detect about 67% malware samples and the false positive rate is about 1%. Moreover, the proposed method could detect 117 malware samples out of 273 malware samples which could not be detected by the antivirus software. Therefore we confirmed the possibility the proposed method may be able to improve the accuracy of malware detection utilizing in combination with other existing methods.
Starting Page	262
Ending Page	266
File Size	176587
Page Count	5
File Format	PDF
ISBN	9781467320016
e-ISBN	9780769547374
DOI	10.1109/SAINT.2012.49
Language	English
Publisher	Institute of Electrical and Electronics Engineers, Inc. (IEEE)
Publisher Date	2012-07-16
Publisher Place	Turkey
Access Restriction	Subscribed
Rights Holder	Institute of Electrical and Electronics Engineers, Inc. (IEEE)
Subject Keyword	Malware Software Internet Runtime Accuracy Servers random behavior malware detection dynamic analysis
Content Type	Text
Resource Type	Article

Sl.	Authority	Responsibilities	Communication Details
1	Ministry of Education (GoI), Department of Higher Education	Sanctioning Authority	https://www.education.gov.in/ict-initiatives
2	Indian Institute of Technology Kharagpur	Host Institute of the Project: The host institute of the project is responsible for providing infrastructure support and hosting the project	https://www.iitkgp.ac.in
3	National Digital Library of India Office, Indian Institute of Technology Kharagpur	The administrative and infrastructural headquarters of the project	Dr. B. Sutradhar bsutra@ndl.gov.in
4	Project PI / Joint PI	Principal Investigator and Joint Principal Investigators of the project	Dr. B. Sutradhar bsutra@ndl.gov.in Prof. Saswat Chakrabarti will be added soon
5	Website/Portal (Helpdesk)	Queries regarding NDLI and its services	support@ndl.gov.in
6	Contents and Copyright Issues	Queries related to content curation and copyright issues	content@ndl.gov.in
7	National Digital Library of India Club (NDLI Club)	Queries related to NDLI Club formation, support, user awareness program, seminar/symposium, collaboration, social media, promotion, and outreach	clubsupport@ndl.gov.in
8	Digital Preservation Centre (DPC)	Assistance with digitizing and archiving copyright-free printed books	dpc@ndl.gov.in
9	IDR Setup or Support	Queries related to establishment and support of Institutional Digital Repository (IDR) and IDR workshops	idr@ndl.gov.in