Using spatio-temporal information in API calls with machine learning algorithms for malware detection

Authors:
Faraz Ahmed;Haider Hameed;M. Zubair Shafiq;Muddassar Farooq
Affiliations:
FAST National University of Computer & Emerging Sciences (FAST-NUCES), Islamabad, Pakistan;FAST National University of Computer & Emerging Sciences (FAST-NUCES), Islamabad, Pakistan;FAST National University of Computer & Emerging Sciences (FAST-NUCES), Islamabad, Pakistan;FAST National University of Computer & Emerging Sciences (FAST-NUCES), Islamabad, Pakistan
Venue:
Proceedings of the 2nd ACM workshop on Security and artificial intelligence
Year:
2009

Citing 8
Cited 9

Elements of information theory

Elements of information theory
Data mining: concepts and techniques

Data mining: concepts and techniques
Mimicry attacks on host-based intrusion detection systems

Proceedings of the 9th ACM conference on Computer and communications security
A Sense of Self for Unix Processes

SP '96 Proceedings of the 1996 IEEE Symposium on Security and Privacy
Semantics-Aware Malware Detection

SP '05 Proceedings of the 2005 IEEE Symposium on Security and Privacy
Anomalous system call detection

ACM Transactions on Information and System Security (TISSEC)
Data Mining: Practical Machine Learning Tools and Techniques, Second Edition (Morgan Kaufmann Series in Data Management Systems)

Data Mining: Practical Machine Learning Tools and Techniques, Second Edition (Morgan Kaufmann Series in Data Management Systems)
A practical mimicry attack against powerful system-call monitors

Proceedings of the 2008 ACM symposium on Information, computer and communications security

A malware detection algorithm based on multi-view fusion

ICONIP'10 Proceedings of the 17th international conference on Neural information processing: models and applications - Volume Part II
Application of evolutionary algorithms in detecting SMS spam at access layer

Proceedings of the 13th annual conference on Genetic and evolutionary computation
Run-time malware detection based on positive selection

Journal in Computer Virology
Feature reduction to speed up malware classification

NordSec'11 Proceedings of the 16th Nordic conference on Information Security Technology for Applications
Mining control flow graph as API call-grams to detect portable executable malware

Proceedings of the Fifth International Conference on Security of Information and Networks
A comparative study of malware family classification

ICICS'12 Proceedings of the 14th international conference on Information and Communications Security
In-execution dynamic malware analysis and detection by mining information in process control blocks of Linux OS

Information Sciences: an International Journal
Review: Classification of malware based on integrated static and dynamic features

Journal of Network and Computer Applications
Behavioural detection with API call-grams to identify malicious PE files

Proceedings of the First International Conference on Security of Internet of Things

Quantified Score

Hi-index	0.00

Visualization

Abstract

Run-time monitoring of program execution behavior is widely used to discriminate between benign and malicious processes running on an end-host. Towards this end, most of the existing run-time intrusion or malware detection techniques utilize information available in Windows Application Programming Interface (API) call arguments or sequences. In comparison, the key novelty of our proposed tool is the use of statistical features which are extracted from both spatial arguments) and temporal (sequences) information available in Windows API calls. We provide this composite feature set as an input to standard machine learning algorithms to raise the final alarm. The results of our experiments show that the concurrent analysis of spatio-temporal features improves the detection accuracy of all classifiers. We also perform the scalability analysis to identify a minimal subset of API categories to be monitored whilst maintaining high detection accuracy.