CFP last date
22 July 2024
Reseach Article

Malware Detection using Windows API Sequence and Machine Learning

by Chandrasekar Ravi, R Manoharan
International Journal of Computer Applications
Foundation of Computer Science (FCS), NY, USA
Volume 43 - Number 17
Year of Publication: 2012
Authors: Chandrasekar Ravi, R Manoharan
10.5120/6194-8715

Chandrasekar Ravi, R Manoharan . Malware Detection using Windows API Sequence and Machine Learning. International Journal of Computer Applications. 43, 17 ( April 2012), 12-16. DOI=10.5120/6194-8715

@article{ 10.5120/6194-8715,
author = { Chandrasekar Ravi, R Manoharan },
title = { Malware Detection using Windows API Sequence and Machine Learning },
journal = { International Journal of Computer Applications },
issue_date = { April 2012 },
volume = { 43 },
number = { 17 },
month = { April },
year = { 2012 },
issn = { 0975-8887 },
pages = { 12-16 },
numpages = {9},
url = { https://ijcaonline.org/archives/volume43/number17/6194-8715/ },
doi = { 10.5120/6194-8715 },
publisher = {Foundation of Computer Science (FCS), NY, USA},
address = {New York, USA}
}
%0 Journal Article
%1 2024-02-06T20:33:39.715735+05:30
%A Chandrasekar Ravi
%A R Manoharan
%T Malware Detection using Windows API Sequence and Machine Learning
%J International Journal of Computer Applications
%@ 0975-8887
%V 43
%N 17
%P 12-16
%D 2012
%I Foundation of Computer Science (FCS), NY, USA
Abstract

Monitoring the behavior of program execution at run-time is widely used to differentiate benign and malicious processes executing in the host computer. Most of the existing run-time malware detection methods use the information available in Windows Application Programming Interface (API) calls. The proposed malware detection system uses the Windows API call sequence. A 3rd order Markov chain (i. e. 4-grams) is used to model the API calls. This composite feature set is provided as an input to the malware detection system to raise the final alarm. Association mining based classification is used because it yields higher detection accuracy than previous data mining based detection systems which employed Naive Bayes, Support Vector Machine and Decision Tree techniques. A minimal subset of API categories is monitored while maintaining high detection accuracy. The number of generated rules is reduced, by removing the redundant rules, to make the malware analysis efficient. The key novelty of the proposed malware detection system is the iterative learning process combined with the run-time monitoring of program execution behavior which makes this as a dynamic malware detection system. The performance of the proposed malware detection system is evaluated for accuracy of malware detection system and compared with the existing data mining based detection systems. It is inferred that the proposed malware detection system outperforms the existing malware detection systems.

References
  1. Rizwan Rehman, G. C. Hazarika and Gunadeep Chetia, "Malware Threats And Mitigation Strategies: A Survey", Journal of Theoretical and Applied Information Technology, Vol. 29, No. 2, pp. 69-73, July 2011.
  2. OECD Ministerial Meeting Report, "Malicious Software (Malware): A Security Threat to the Internet Economy", Korean Communication Commision, Final draft, May 2007.
  3. Vinod, P. Laxmi, V. and M. S. Gaur. 2009. Survey on Malware Detection Methods. In Proceedings of the Hacker 2009, pp. 74-79.
  4. Nwokedi Idika and Aditya P. Mathur. 2007. A Survey of Malware Detection Techniques. SERC Library.
  5. Faraz Ahmed, Haider Hameed, Zubair Shafiq M. and Muddassar Farooq. 2009. Using Spatio-Temporal Information in API Calls with Machine Learning Algorithms for Malware Detection. In Proceedings of the 2nd ACM Workshop on Artificial Intelligence and Security (AISec 2009), pp. 55-62.
  6. Yi-Dong Shen, Zhong Zhang and Qiang Yang. 2002. Objective-oriented utility-based association mining. In Proceedings of the IEEE International Conference on Data Mining (ICDM 2003), pp. 426-433.
  7. Yanfang Ye, Dingding Wang, Tao Li and Dongyi Ye. 2007. IMDS: Intelligent malware detection system. In Proceedings of the 13th ACM SIGKDD International Conference on Knowledge Discovery and Data Mining (KDD'07), pp. 1043–1047.
  8. Yanfang Ye, Dingding Wang, Tao Li, Dongyi Ye and Qingshan Jiang, "An intelligent pe-malware detection system based on association mining," Journal in Computer Virology, vol. 4, pp. 323–334, Feb. 2008.
  9. Jiawei Han and Micheline Kamber. 2006. Data mining: Concepts and Techniques, Morgan Kaufmann publishers: San Francisco, 2nd edition.
  10. Yanfang Ye, Tao Li, Qingshan Jiang and Youyu Wang. 2010. CIMDS: Adapting Postprocessing Techniques of Associative Classi?cation for Malware Detection. In Proceedings of the IEEE Transactions On Systems, Man, And Cybernetics - Part C: Applications And Reviews, vol. 40, No. 3, pp. 298-307.
  11. Overview of the Windows API. Available at: http://msdn. microsoft. com/en-us/library/aa383723(VS. 85). aspx.
  12. VX Heavens Virus Collection. Available at: http://vx. netlux. org/.
  13. IAT-Hooking-Revisited. Available at: http://www. autosectools. com/IAT-Hooking-Revisited. pdf.
  14. Understanding the Import Address Table. Available at: http://sandsprite. com/CodeStuff/Understanding_imports. html.
  15. IAT Function Hooking. Available at: http://sandsprite. com/CodeStuff/IAT_Hooking. html
Index Terms

Computer Science
Information Sciences

Keywords

Malware Detection Windows Api Calls Machine Learning