Recent cyber-attacks use a variety of malware as the attacker's means of attack. They aim to steal confidential information or seize control of major facilities after infiltrating the network of a target organization. Attackers commonly create new malware, or many variants of it, with automatic malware creation tools, which make remote control of a target system easy and hinder trace-back of the attacks. This paper proposes a method for generating malware behavior patterns, together with detection techniques, in order to detect known and even unknown malware efficiently. The behavior patterns are generated by Multiple Sequence Alignment (MSA) of the API call sequences of malware; we define these behavior patterns as a "feature-chain" of the malware for analytical purposes. Generating a feature-chain consists of extracting API call sequences with an API hooking library, grouping malware samples by similar behavior, and building representative sequences from the MSA results. Detection of large numbers of malware is performed by measuring the similarity between the API call sequence of a target process (a suspicious executable) and the malware feature-chains. By comparison with other existing methods, we proved the effectiveness of our proposed method, which is based on the Longest Common Subsequence (LCS) algorithm. We also evaluated that our method outperforms other antivirus systems by 2.55 times in detection rate and 1.33 times in accuracy rate for malware detection.
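The abstract describes scoring a suspicious process by the similarity between its API call sequence and a malware feature-chain using the Longest Common Subsequence (LCS). The following Python is an added illustration, not code from the paper or its authors: the feature-chains, the traces, the normalisation (LCS length divided by chain length) and the 0.8 threshold are all constructed assumptions, since the page does not state the paper's own scoring formula or threshold. It also returns the matched subsequence so an analyst can see which calls drove a verdict, and shows that a variant missing one call from the chain still scores above the threshold.

```python
"""Added example: LCS similarity between a process's API call trace and a
malware "feature-chain" (a representative API call sequence).

Everything here is constructed for illustration. The feature-chains stand in
for the consensus sequences an MSA would produce; the score normalisation and
threshold are assumptions, not values from the paper.
"""
from typing import Dict, List, Optional, Sequence, Tuple

# Constructed feature-chains (assumed MSA consensus per behaviour cluster).
FEATURE_CHAINS: Dict[str, List[str]] = {
    "dropper_like": [
        "GetTempPathW", "CreateFileW", "WriteFile", "CloseHandle",
        "CreateProcessW", "RegSetValueExW",
    ],
    "keylogger_like": [
        "SetWindowsHookExW", "GetAsyncKeyState", "GetForegroundWindow",
        "CreateFileW", "WriteFile", "InternetOpenW", "HttpSendRequestW",
    ],
}

# Constructed API call traces, as an API hooking library might record them.
TARGET = ["GetModuleHandleW", "GetTempPathW", "GetLastError", "CreateFileW",
          "WriteFile", "CloseHandle", "Sleep", "CreateProcessW",
          "RegOpenKeyExW", "RegSetValueExW"]
BENIGN = ["GetModuleHandleW", "CreateFileW", "ReadFile", "CloseHandle",
          "ExitProcess"]
# "Unknown variant": same behaviour with one chain call (CloseHandle) missing.
VARIANT = ["GetTempPathW", "CreateFileW", "WriteFile", "CreateProcessW",
           "RegSetValueExW"]


def lcs_length(a: Sequence[str], b: Sequence[str]) -> int:
    """Length of the longest common subsequence, O(len(a)*len(b)) time,
    two-row dynamic programming so memory stays O(len(b))."""
    prev = [0] * (len(b) + 1)
    for x in a:
        cur = [0]
        for j, y in enumerate(b, 1):
            cur.append(prev[j - 1] + 1 if x == y else max(prev[j], cur[j - 1]))
        prev = cur
    return prev[-1]


def lcs_subsequence(a: Sequence[str], b: Sequence[str]) -> List[str]:
    """One longest common subsequence, recovered by traceback over the full
    table; useful for showing an analyst which calls matched the chain."""
    n, m = len(a), len(b)
    dp = [[0] * (m + 1) for _ in range(n + 1)]
    for i in range(n):
        for j in range(m):
            dp[i + 1][j + 1] = (dp[i][j] + 1 if a[i] == b[j]
                                else max(dp[i][j + 1], dp[i + 1][j]))
    out: List[str] = []
    i, j = n, m
    while i > 0 and j > 0:
        if a[i - 1] == b[j - 1]:
            out.append(a[i - 1])
            i -= 1
            j -= 1
        elif dp[i - 1][j] >= dp[i][j - 1]:
            i -= 1
        else:
            j -= 1
    return out[::-1]


def similarity(target: Sequence[str], chain: Sequence[str]) -> float:
    """Assumed score: fraction of the feature-chain found, in order, in the
    target trace. Extra (noise) calls in the trace do not lower it."""
    if not chain:
        return 0.0
    return lcs_length(target, chain) / len(chain)


def detect(target: Sequence[str],
           chains: Dict[str, List[str]] = FEATURE_CHAINS,
           threshold: float = 0.8) -> Optional[Tuple[str, float]]:
    """Return (chain name, score) of the best-matching feature-chain if its
    score reaches the (assumed) threshold, otherwise None."""
    best = max(chains, key=lambda name: similarity(target, chains[name]))
    score = similarity(target, chains[best])
    return (best, score) if score >= threshold else None


if __name__ == "__main__":
    for label, trace in (("target", TARGET), ("benign", BENIGN),
                         ("variant", VARIANT)):
        verdict = detect(trace)
        print(label, "->", verdict)
        if verdict:
            print("  matched calls:",
                  lcs_subsequence(trace, FEATURE_CHAINS[verdict[0]]))
```

Because LCS ignores calls that are not in the chain, the score is insensitive to padding with unrelated API calls, which is the property that makes it usable against obfuscated or automatically generated variants; the cost is a quadratic comparison per chain, so in practice the chain set is kept small by the clustering step the abstract describes.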
Hyun-Joo KIM
Electronics and Telecommunications Research Institute (ETRI), Sungkyunkwan University
Jong-Hyun KIM
Electronics and Telecommunications Research Institute (ETRI)
Jung-Tai KIM
Electronics and Telecommunications Research Institute (ETRI)
Ik-Kyun KIM
Electronics and Telecommunications Research Institute (ETRI)
Tai-Myung CHUNG
Sungkyunkwan University
The copyright of the original papers published on this site belongs to IEICE. Unauthorized use of the original or translated papers is prohibited. See IEICE Provisions on Copyright for details.
Hyun-Joo KIM, Jong-Hyun KIM, Jung-Tai KIM, Ik-Kyun KIM, Tai-Myung CHUNG, "Feature-Chain Based Malware Detection Using Multiple Sequence Alignment of API Call" in IEICE TRANSACTIONS on Information,
vol. E99-D, no. 4, pp. 1071-1080, April 2016, doi: 10.1587/transinf.2015CYP0007.
URL: https://global.ieice.org/en_transactions/information/10.1587/transinf.2015CYP0007/_p
@ARTICLE{e99-d_4_1071,
author={Hyun-Joo KIM and Jong-Hyun KIM and Jung-Tai KIM and Ik-Kyun KIM and Tai-Myung CHUNG},
journal={IEICE TRANSACTIONS on Information},
title={Feature-Chain Based Malware Detection Using Multiple Sequence Alignment of API Call},
year={2016},
volume={E99-D},
number={4},
pages={1071-1080},
keywords={},
doi={10.1587/transinf.2015CYP0007},
ISSN={1745-1361},
month={April}
}
TY - JOUR
TI - Feature-Chain Based Malware Detection Using Multiple Sequence Alignment of API Call
T2 - IEICE TRANSACTIONS on Information
SP - 1071
EP - 1080
AU - Hyun-Joo KIM
AU - Jong-Hyun KIM
AU - Jung-Tai KIM
AU - Ik-Kyun KIM
AU - Tai-Myung CHUNG
PY - 2016
DO - 10.1587/transinf.2015CYP0007
JO - IEICE TRANSACTIONS on Information
SN - 1745-1361
VL - E99-D
IS - 4
JA - IEICE TRANSACTIONS on Information
Y1 - April 2016
ER -