Malicious Behavior Detection based on Extracted Features from APIs for Windows Platforms

Dima Rabadi, Kar Wai Fok, Zhongmin Dai, Teo Sin Gee

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Abstract

Many malicious behavior detection approaches rely on dynamic features extracted from Application Programming Interfaces (APIs), which represent the run-time behavior of programs. Most API-based malicious behavior detection techniques focus heavily on measuring statistical features of API calls, such as the frequency of calls (e.g., how many times a specific API is called) or the sequence pattern of API calls. However, such detectors can be easily evaded and bypassed by malware authors, who can interrupt the sequence by hooking and shuffling the API calls or by deleting or inserting irrelevant calls. Also, most proposed API-based malicious behavior detectors either consider only the API calls (e.g., function names) without taking into account their argument information (e.g., function parameters), or incur a prohibitive cost, such as requiring complex operations to handle the arguments (e.g., expert knowledge about the types of the arguments and/or powerful computers to extract them). As relying on API calls alone is insufficient to understand the purpose of a program, we propose a low-cost malicious behavior detection approach that extracts dynamic API features by studying the API calls together with their arguments using machine learning. Experimental results show that our approach achieves an accuracy of over 98.24% on two different datasets, and outperforms state-of-the-art malicious behavior detection techniques.

Original language: English (US)
Title of host publication: DYnamic and Novel Advances in Machine Learning and Intelligent Cyber Security Workshop, DYNAMICS 2019 - Proceedings
Publisher: Association for Computing Machinery
ISBN (Electronic): 9781450384902
DOIs
State: Published - Dec 9 2019
Event: 2019 Workshop on DYnamic and Novel Advances in Machine learning and Intelligent Cyber Security, DYNAMICS 2019 - San Juan, Puerto Rico
Duration: Dec 9 2019 to Dec 10 2019

Publication series

Name: ACM International Conference Proceeding Series

Conference

Conference: 2019 Workshop on DYnamic and Novel Advances in Machine learning and Intelligent Cyber Security, DYNAMICS 2019
Country/Territory: Puerto Rico
City: San Juan
Period: 12/9/19 to 12/10/19

All Science Journal Classification (ASJC) codes

  • Software
  • Human-Computer Interaction
  • Computer Vision and Pattern Recognition
  • Computer Networks and Communications
