The proliferation of malware (viruses, Trojans, and other malicious code) in recent years has presented a serious threat to enterprises, organizations, and individuals. Polymorphic computer viruses (variant versions of an original virus) are more complex and harder to detect than their originals, often requiring antivirus companies to spend considerable time creating the routines needed to catch them. In this paper, we propose a new approach for detecting polymorphic malware on the Windows platform. Our approach rests on an analysis of the Windows API calling sequence, which reflects the behavior of a particular piece of code. The analysis is carried out directly on the PE (portable executable) code. It is achieved in two major steps: construct the API calling sequences for both the known virus and the suspicious code, and perform a similarity measurement between the two sequences after a sequence realignment operation is done. Favorable experimental results are obtained and presented.
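The two steps the abstract names, realigning two API-call sequences and then measuring their similarity, worked through on constructed data as an added example; this is not the paper's code, and the Needleman-Wunsch global alignment and match-ratio score used here are assumptions standing in for whatever alignment and similarity measure the paper actually uses.

```python
"""Added example: align two Windows API-call sequences, then score similarity.
The call sequences below are constructed samples, not real malware traces."""


def _sub(a, b, match, mismatch):
    """Substitution score for one aligned pair of API names."""
    return match if a == b else mismatch


def align(seq_a, seq_b, match=2, mismatch=-1, gap=-1):
    """Global (Needleman-Wunsch) alignment of two API-call sequences.
    Returns aligned pairs; None marks a gap inserted into one sequence."""
    n, m = len(seq_a), len(seq_b)
    # score[i][j]: best score for aligning seq_a[:i] with seq_b[:j]
    score = [[0] * (m + 1) for _ in range(n + 1)]
    for i in range(1, n + 1):
        score[i][0] = i * gap
    for j in range(1, m + 1):
        score[0][j] = j * gap
    for i in range(1, n + 1):
        for j in range(1, m + 1):
            diag = score[i - 1][j - 1] + _sub(seq_a[i - 1], seq_b[j - 1], match, mismatch)
            score[i][j] = max(diag, score[i - 1][j] + gap, score[i][j - 1] + gap)
    # Trace back from the bottom-right cell to recover one optimal alignment.
    pairs, i, j = [], n, m
    while i > 0 or j > 0:
        if i > 0 and j > 0 and score[i][j] == score[i - 1][j - 1] + _sub(seq_a[i - 1], seq_b[j - 1], match, mismatch):
            pairs.append((seq_a[i - 1], seq_b[j - 1])); i -= 1; j -= 1
        elif i > 0 and score[i][j] == score[i - 1][j] + gap:
            pairs.append((seq_a[i - 1], None)); i -= 1
        else:
            pairs.append((None, seq_b[j - 1])); j -= 1
    return pairs[::-1]


def similarity(seq_a, seq_b):
    """Fraction of aligned positions at which both sequences call the same API."""
    pairs = align(seq_a, seq_b)
    return sum(1 for a, b in pairs if a == b) / len(pairs)


# Constructed sample: a known sample's sequence, a variant that inserts one call
# (Sleep) and substitutes one (WriteFile -> WriteFileEx), and an unrelated program.
KNOWN = ["CreateFileA", "GetFileSize", "ReadFile", "WriteFile", "CloseHandle"]
VARIANT = ["CreateFileA", "Sleep", "GetFileSize", "ReadFile", "WriteFileEx", "CloseHandle"]
UNRELATED = ["RegOpenKeyExA", "RegQueryValueExA", "RegCloseKey"]

if __name__ == "__main__":
    print("variant  :", round(similarity(KNOWN, VARIANT), 2))    # 0.67
    print("unrelated:", round(similarity(KNOWN, UNRELATED), 2))  # 0.0
```

A detector would compare the suspicious sequence against each known sample and flag scores above a tuned threshold; the inserted junk call and the renamed API only lower the score slightly, which is the property the realignment step buys.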