Malware detection by behavioural sequential patterns
For many years, malware has been the subject of intensive study by researchers in industry and academia. Malware production, while not being an organised business, has reached a level where automatic malicious code generators/engines are easily found. These tools are able to exploit multiple techniq...
Saved in:
| Published in | Computer fraud & security Vol. 2013; no. 8; pp. 11 - 19 |
|---|---|
| Main Authors | , , , |
| Format | Journal Article |
| Language | English |
| Published |
Elsevier B.V
01.08.2013
|
| Online Access | Get full text |
| ISSN | 1361-3723 1873-7056 |
| DOI | 10.1016/S1361-3723(13)70072-1 |
Cover
| Abstract | For many years, malware has been the subject of intensive study by researchers in industry and academia. Malware production, while not being an organised business, has reached a level where automatic malicious code generators/engines are easily found. These tools are able to exploit multiple techniques for countering anti-virus (AV) protections, from aggressive AV killing to passive evasive behaviours in any arbitrary malicious code or executable. Development of such techniques has lead to easier creation of malicious executables. Consequently, an unprecedented prevalence of new and unseen malware is being observed. Reports suggested a global, annual economic loss due to malware exceeding $13bn in 2007.1
Traditional signature-based antivirus methods struggle to cope with polymorphic, metamorphic and unknown malicious executables. And analysing and debugging obfuscated programs is a tricky and cumbersome process.
Now Mansour Ahmadi of Young Researchers and Elite Club, Shiraz Branch, Iran and Ashkan Sami, Hossein Rahimi and Babak Yadegari of Shiraz University, Iran have developed a novel framework based on runtime API call auditing and data mining, a method that achieved a malware detection rate of 98.4% in tests. Here, they detail their approach and the benefits it could bring. |
|---|---|
| AbstractList | For many years, malware has been the subject of intensive study by researchers in industry and academia. Malware production, while not being an organised business, has reached a level where automatic malicious code generators/engines are easily found. These tools are able to exploit multiple techniques for countering anti-virus (AV) protections, from aggressive AV killing to passive evasive behaviours in any arbitrary malicious code or executable. Development of such techniques has lead to easier creation of malicious executables. Consequently, an unprecedented prevalence of new and unseen malware is being observed. Reports suggested a global, annual economic loss due to malware exceeding $13bn in 2007.1
Traditional signature-based antivirus methods struggle to cope with polymorphic, metamorphic and unknown malicious executables. And analysing and debugging obfuscated programs is a tricky and cumbersome process.
Now Mansour Ahmadi of Young Researchers and Elite Club, Shiraz Branch, Iran and Ashkan Sami, Hossein Rahimi and Babak Yadegari of Shiraz University, Iran have developed a novel framework based on runtime API call auditing and data mining, a method that achieved a malware detection rate of 98.4% in tests. Here, they detail their approach and the benefits it could bring. |
| Author | Yadegari, Babak Sami, Ashkan Rahimi, Hossein Ahmadi, Mansour |
| Author_xml | – sequence: 1 givenname: Mansour surname: Ahmadi fullname: Ahmadi, Mansour organization: Young Researchers and Elite Club, Shiraz Branch, Iran – sequence: 2 givenname: Ashkan surname: Sami fullname: Sami, Ashkan organization: Shiraz University, Iran – sequence: 3 givenname: Hossein surname: Rahimi fullname: Rahimi, Hossein organization: Shiraz University, Iran – sequence: 4 givenname: Babak surname: Yadegari fullname: Yadegari, Babak organization: Shiraz University, Iran |
| BookMark | eNqFkE9LAzEQxYNUsK1-BGGPeljNJLubLR5Eiv-g4kE9hyQ7wci6W5O00m9vttWLl57mMcx7zPtNyKjrOyTkFOgFUKguX4BXkHPB-Bnwc0GpYDkckDHUgueCltUo6b-TIzIJ4YNSxkCwMSmeVPutPGYNRjTR9V2mN5nGd7V2_cqrNgv4tcIuuiSXKkb0XTgmh1a1AU9-55S83d2-zh_yxfP94_xmkRvGipjPRA3WMlaaxnLe1NTOdFGCgkoYpFrzUqdNjU1llQKDyJKhLJjVVoBuBJ-Sq12u8X0IHq00LqrhyeiVayVQOQCQWwByaCeByy2AJKak_Odeevep_Gav73rnw1Rt7dDLYBx2BhvnEyLZ9G5Pwg9fJnXP |
| CitedBy_id | crossref_primary_10_1109_TIFS_2022_3152360 crossref_primary_10_1016_j_comcom_2019_08_013 crossref_primary_10_1016_j_asoc_2021_107505 crossref_primary_10_1007_s13042_019_00978_7 crossref_primary_10_1016_j_knosys_2022_108266 crossref_primary_10_1016_j_engappai_2016_12_016 crossref_primary_10_1016_j_cose_2022_102741 crossref_primary_10_1017_S1351324913000259 crossref_primary_10_1016_j_cogsys_2019_03_007 crossref_primary_10_1109_TIFS_2015_2469253 crossref_primary_10_1145_3408894 crossref_primary_10_3390_electronics12244992 crossref_primary_10_1016_j_future_2021_11_030 crossref_primary_10_1016_j_cose_2022_102838 crossref_primary_10_1016_j_cose_2023_103518 crossref_primary_10_3390_su12187262 crossref_primary_10_1007_s42979_019_0017_9 crossref_primary_10_1002_sec_1255 crossref_primary_10_1007_s11416_018_0319_9 crossref_primary_10_1016_j_procs_2015_02_149 crossref_primary_10_1016_j_eswa_2016_01_002 crossref_primary_10_1016_j_teler_2024_100130 |
| Cites_doi | 10.1023/A:1010933404324 10.1145/1774088.1774303 10.1109/SP.2005.20 10.1145/948109.948149 |
| ContentType | Journal Article |
| Copyright | 2013 Elsevier Ltd |
| Copyright_xml | – notice: 2013 Elsevier Ltd |
| DBID | AAYXX CITATION |
| DOI | 10.1016/S1361-3723(13)70072-1 |
| DatabaseName | CrossRef |
| DatabaseTitle | CrossRef |
| DatabaseTitleList | |
| DeliveryMethod | fulltext_linktorsrc |
| Discipline | Social Welfare & Social Work Computer Science |
| EISSN | 1873-7056 |
| EndPage | 19 |
| ExternalDocumentID | 10_1016_S1361_3723_13_70072_1 S1361372313700721 |
| GroupedDBID | --K --M .DC .~1 0R~ 1B1 1RT 1~. 1~5 29F 4.4 457 4G. 5GY 5VS 7-5 71M 8P~ AABNK AACTN AAEDT AAEDW AAIAV AAIKJ AAKOC AALRI AAMHT AAOAW AAQXK AAXUO ABBOA ABFNM ABJNI ABMAC ABXDB ABYKQ ACDAQ ACGFS ACNNM ACRLP ACZNC ADBBV ADEZE ADJOM ADMUD AEKER AFKWA AFTJW AGHFR AGUBO AGYEJ AHZHX AIALX AIKHN AITUG AJBFU AJOXV ALMA_UNASSIGNED_HOLDINGS AMFUW AMRAJ AOUOD ASPBG AVWKF AZFZN BKOJK BLXMC CS3 DU5 EBS EFLBG EJD EO8 EO9 EP2 EP3 FDB FEDTE FGOYB FIRID FNPLU G-Q GBLVA GBOLZ HVGLF HZ~ IHE J1W KOM M41 MO0 N9A O-L O9- OAUVE OZT P-8 P-9 PC. Q38 R2- RIG ROL RPZ SDF SDG SES SEW SPC SPCBC SSV SSZ T5K TN5 UHS ~G- AAYFN AAYWO AAYXX ABWVN ACLOT ACRPL ACVFH ADCNI ADKUH ADNMO AEIPS AEUPX AFPUW AGQPQ AIGII AKBMS AKRWK AKYEP ANKPU CITATION ~HD |
| ID | FETCH-LOGICAL-c224t-9781ff225cdf33d80f9b451a167ce0bb35bf9b8ed6faa1cee2781542fbf71bd73 |
| IEDL.DBID | .~1 |
| ISSN | 1361-3723 |
| IngestDate | Thu Apr 24 22:57:22 EDT 2025 Wed Oct 01 04:06:38 EDT 2025 Fri Feb 23 02:30:06 EST 2024 |
| IsPeerReviewed | true |
| IsScholarly | true |
| Issue | 8 |
| Language | English |
| License | https://www.elsevier.com/tdm/userlicense/1.0 |
| LinkModel | DirectLink |
| MergedId | FETCHMERGED-LOGICAL-c224t-9781ff225cdf33d80f9b451a167ce0bb35bf9b8ed6faa1cee2781542fbf71bd73 |
| PageCount | 9 |
| ParticipantIDs | crossref_citationtrail_10_1016_S1361_3723_13_70072_1 crossref_primary_10_1016_S1361_3723_13_70072_1 elsevier_sciencedirect_doi_10_1016_S1361_3723_13_70072_1 |
| ProviderPackageCode | CITATION AAYXX |
| PublicationCentury | 2000 |
| PublicationDate | August 2013 2013-8-00 |
| PublicationDateYYYYMMDD | 2013-08-01 |
| PublicationDate_xml | – month: 08 year: 2013 text: August 2013 |
| PublicationDecade | 2010 |
| PublicationTitle | Computer fraud & security |
| PublicationYear | 2013 |
| Publisher | Elsevier B.V |
| Publisher_xml | – name: Elsevier B.V |
| References | Ashkan Sami, Babak Yadegar, Hossein Rahimi, Naser Peiravian. ‘Malware Detection Based On Mining API Calls’. ACM Symposium on Applied Computing, Switzerland, (2010). Cullen Linn, Saumya Debray. ‘Obfuscation of executable code to improve resistance to static disassembly’. ACM Conference on Computer and Communications Security, (2003). Clemens Kolbitsch, Paolo Milani Comparetti, Christopher Kruegel, Engin Kirda, Xiaoyong Zhou, and XiaoFeng Wang ‘Effective and Efficient Malware Detection at the End Host’. 18th Usenix Security Symposium, (2009). Hong, Xifeng, Jiawei, Chih-wei (bib17) 2007 Microsoft (bib23) Jacquelin (bib7) Vmware. Accessed 2010. Nicolas (bib16) bib21 . Mihai Christodorescu, Somesh Jha. ‘Static analysis of executables to detect malicious patterns’. USENIX Security Symposium, (2003). Chih-Chung, Chih-Jen (bib20) 2011 David, Siau-Cheng, Chao (bib18) 2007 David, Hong, Jiawei, Siau-Cheng, Chengnian (bib19) 2009 The Unpacker Archive. Accessed 2010. IDA Pro Disassembler and Debugger. Accessed 2011. Mihai Christodorescu, Somesh Jha, Sanjit A. Seshia, Dawn Song, Randal E. Bryant. ‘Semantics-aware malware detection’. IEEE Symposiumon Security and Privacy, (2005). Fabrice Bellard. ‘Qemu, a fast and portable dynamic translator’. Usenix Annual Technical Conference, (2005). Keehyung, Byung-Ro (bib15) 2010 (bib1) 2007 Leo, Adele (bib22) 2001; 45 Yanfang, Dingding, Tao, Dongyi, Qingshan (bib3) 2008 Jianyong, Ratan, Joohan (bib6) 2009 John (bib8) 2006 10.1016/S1361-3723(13)70072-1_bib4 David (10.1016/S1361-3723(13)70072-1_bib19) 2009 10.1016/S1361-3723(13)70072-1_bib2 Jianyong (10.1016/S1361-3723(13)70072-1_bib6) 2009 Jacquelin (10.1016/S1361-3723(13)70072-1_bib7) David (10.1016/S1361-3723(13)70072-1_bib18) 2007 Chih-Chung (10.1016/S1361-3723(13)70072-1_bib20) 2011 John (10.1016/S1361-3723(13)70072-1_bib8) 2006 Keehyung (10.1016/S1361-3723(13)70072-1_bib15) 2010 Leo (10.1016/S1361-3723(13)70072-1_bib22) 2001; 45 10.1016/S1361-3723(13)70072-1_bib14 10.1016/S1361-3723(13)70072-1_bib12 10.1016/S1361-3723(13)70072-1_bib13 10.1016/S1361-3723(13)70072-1_bib9 10.1016/S1361-3723(13)70072-1_bib10 Hong (10.1016/S1361-3723(13)70072-1_bib17) 2007 10.1016/S1361-3723(13)70072-1_bib11 Yanfang (10.1016/S1361-3723(13)70072-1_bib3) 2008 Nicolas (10.1016/S1361-3723(13)70072-1_bib16) (10.1016/S1361-3723(13)70072-1_bib1) 2007 10.1016/S1361-3723(13)70072-1_bib5 Microsoft (10.1016/S1361-3723(13)70072-1_bib23) |
| References_xml | – year: 2006 ident: bib8 publication-title: ‘Computer Viruses and Malware’ – year: 2009 ident: bib19 publication-title: ‘Classification of Software Behaviors for Failure Detection: A Discriminative Pattern Mining Approach’ – volume: 45 start-page: 5 year: 2001 end-page: 32 ident: bib22 article-title: ‘Random Forests’ publication-title: Machine Learning – ident: bib21 article-title: Weka 3: Data Mining open source Software – ident: bib16 article-title: ‘Windows Anti-Debug Reference’ – reference: Vmware. Accessed 2010. – year: 2008 ident: bib3 article-title: ‘An intelligent pe-malware detection system based on association mining’ publication-title: Journal in Computer Virology – year: 2011 ident: bib20 article-title: ‘LIBSVM: A library for support vector machines’ publication-title: ACM Transactions on Intelligent Systems and Technology – reference: . – reference: The Unpacker Archive. Accessed 2010. – ident: bib7 article-title: ‘WinAPIOverride32’ – ident: bib23 article-title: ‘Overview of the Windows API’ – reference: Clemens Kolbitsch, Paolo Milani Comparetti, Christopher Kruegel, Engin Kirda, Xiaoyong Zhou, and XiaoFeng Wang ‘Effective and Efficient Malware Detection at the End Host’. 18th Usenix Security Symposium, (2009). – year: 2010 ident: bib15 publication-title: ‘Malware Detection based on Dependency Graph using Hybrid Genetic Algorithm’ – reference: Mihai Christodorescu, Somesh Jha, Sanjit A. Seshia, Dawn Song, Randal E. Bryant. ‘Semantics-aware malware detection’. IEEE Symposiumon Security and Privacy, (2005). – reference: Fabrice Bellard. ‘Qemu, a fast and portable dynamic translator’. Usenix Annual Technical Conference, (2005). – reference: Cullen Linn, Saumya Debray. ‘Obfuscation of executable code to improve resistance to static disassembly’. ACM Conference on Computer and Communications Security, (2003). – year: 2009 ident: bib6 article-title: ‘Efficient Virus Detection Using Dynamic Instruction Sequences’ publication-title: Journal of Computers – reference: IDA Pro Disassembler and Debugger. Accessed 2011. – year: 2007 ident: bib1 article-title: ‘Malware Report: The Economic Impact of Viruses, Spyware, Adware, Botnets, and Other Malicious Code’ publication-title: Computer economics – reference: Mihai Christodorescu, Somesh Jha. ‘Static analysis of executables to detect malicious patterns’. USENIX Security Symposium, (2003). – year: 2007 ident: bib18 publication-title: ‘Efficient mining of iterative patterns for software specification discovery’ – reference: Ashkan Sami, Babak Yadegar, Hossein Rahimi, Naser Peiravian. ‘Malware Detection Based On Mining API Calls’. ACM Symposium on Applied Computing, Switzerland, (2010). – year: 2007 ident: bib17 publication-title: ‘Discriminative frequent pattern analysis for effective classification’ – year: 2006 ident: 10.1016/S1361-3723(13)70072-1_bib8 – ident: 10.1016/S1361-3723(13)70072-1_bib13 – volume: 45 start-page: 5 year: 2001 ident: 10.1016/S1361-3723(13)70072-1_bib22 article-title: ‘Random Forests’ publication-title: Machine Learning doi: 10.1023/A:1010933404324 – ident: 10.1016/S1361-3723(13)70072-1_bib2 doi: 10.1145/1774088.1774303 – year: 2011 ident: 10.1016/S1361-3723(13)70072-1_bib20 article-title: ‘LIBSVM: A library for support vector machines’ publication-title: ACM Transactions on Intelligent Systems and Technology – year: 2008 ident: 10.1016/S1361-3723(13)70072-1_bib3 article-title: ‘An intelligent pe-malware detection system based on association mining’ publication-title: Journal in Computer Virology – year: 2009 ident: 10.1016/S1361-3723(13)70072-1_bib6 article-title: ‘Efficient Virus Detection Using Dynamic Instruction Sequences’ publication-title: Journal of Computers – ident: 10.1016/S1361-3723(13)70072-1_bib14 doi: 10.1109/SP.2005.20 – ident: 10.1016/S1361-3723(13)70072-1_bib23 – year: 2007 ident: 10.1016/S1361-3723(13)70072-1_bib18 – year: 2007 ident: 10.1016/S1361-3723(13)70072-1_bib1 article-title: ‘Malware Report: The Economic Impact of Viruses, Spyware, Adware, Botnets, and Other Malicious Code’ publication-title: Computer economics – year: 2010 ident: 10.1016/S1361-3723(13)70072-1_bib15 – ident: 10.1016/S1361-3723(13)70072-1_bib7 – ident: 10.1016/S1361-3723(13)70072-1_bib12 doi: 10.1145/948109.948149 – ident: 10.1016/S1361-3723(13)70072-1_bib16 – year: 2009 ident: 10.1016/S1361-3723(13)70072-1_bib19 – year: 2007 ident: 10.1016/S1361-3723(13)70072-1_bib17 – ident: 10.1016/S1361-3723(13)70072-1_bib9 – ident: 10.1016/S1361-3723(13)70072-1_bib5 – ident: 10.1016/S1361-3723(13)70072-1_bib10 – ident: 10.1016/S1361-3723(13)70072-1_bib11 – ident: 10.1016/S1361-3723(13)70072-1_bib4 |
| SSID | ssj0022172 |
| Score | 2.1254337 |
| Snippet | For many years, malware has been the subject of intensive study by researchers in industry and academia. Malware production, while not being an organised... |
| SourceID | crossref elsevier |
| SourceType | Enrichment Source Index Database Publisher |
| StartPage | 11 |
| Title | Malware detection by behavioural sequential patterns |
| URI | https://dx.doi.org/10.1016/S1361-3723(13)70072-1 |
| Volume | 2013 |
| hasFullText | 1 |
| inHoldings | 1 |
| isFullTextHit | |
| isPrint | |
| journalDatabaseRights | – providerCode: PRVESC databaseName: Baden-Württemberg Complete Freedom Collection (Elsevier) customDbUrl: eissn: 1873-7056 dateEnd: 99991231 omitProxy: true ssIdentifier: ssj0022172 issn: 1361-3723 databaseCode: GBLVA dateStart: 20110101 isFulltext: true titleUrlDefault: https://www.sciencedirect.com providerName: Elsevier – providerCode: PRVESC databaseName: Elsevier SD Complete Freedom Collection [SCCMFC] customDbUrl: eissn: 1873-7056 dateEnd: 20211231 omitProxy: true ssIdentifier: ssj0022172 issn: 1361-3723 databaseCode: ACRLP dateStart: 19960101 isFulltext: true titleUrlDefault: https://www.sciencedirect.com providerName: Elsevier – providerCode: PRVESC databaseName: Elsevier SD Freedom Collection Journals [SCFCJ] customDbUrl: eissn: 1873-7056 dateEnd: 20211231 omitProxy: true ssIdentifier: ssj0022172 issn: 1361-3723 databaseCode: AIKHN dateStart: 19960101 isFulltext: true titleUrlDefault: https://www.sciencedirect.com providerName: Elsevier – providerCode: PRVESC databaseName: ScienceDirect (Elsevier) customDbUrl: eissn: 1873-7056 dateEnd: 99991231 omitProxy: true ssIdentifier: ssj0022172 issn: 1361-3723 databaseCode: .~1 dateStart: 19960101 isFulltext: true titleUrlDefault: https://www.sciencedirect.com providerName: Elsevier – providerCode: PRVLSH databaseName: Elsevier Journals customDbUrl: mediaType: online eissn: 1873-7056 dateEnd: 99991231 omitProxy: true ssIdentifier: ssj0022172 issn: 1361-3723 databaseCode: AKRWK dateStart: 19960101 isFulltext: true providerName: Library Specific Holdings |
| link | http://utb.summon.serialssolutions.com/2.0.0/link/0/eLvHCXMwnV1NSwMxEB1KvXjxoypWa8lBRA_bbjbZjx5LsVSlvWixt7DZJFAs21JXxIu_3SSbrQqi4HXYCctsMm_CznsDcE55j0oeYk_oYlVfUHDkJUr4noZXiYnSV4rQsJHHk2g0pbezcFaDQcWFMW2VLveXOd1ma2fpumh2V_N59x4TDUWxrk9IbPSvLYOdxmaKQed90-YRmAFMJfcKe-bpTxZPuYI1XmJyZRfx8M_49AVzhnuw44pF1C_fZx9qMm_AbjWIAblz2YBWSbJFj3Kh0rVEF6gyLNdPB0DH6eLV2IUsbOdVjvgbcgR9I7uByobqwrisrOBm_nwI0-H1w2DkuWkJXqZhuPCMeJVS-nhmQhEiEl_1OA1xiqM4kz7nJOTakkgRqTTFGhsD7RDSQHEVYy5icgT1fJnLY0DUVzjweRLwNNRfUiRECF9JElFfmh95TaBVjFjmpMTNRIsF2_SMmdAyE1qGCbOhZbgJnY3bqtTS-MshqT4A-7YpmM73v7ue_N_1FLYDO_PCdPm1oF6sX-SZrjwK3rZbqw1b_Zu70eQDPUfQrA |
| linkProvider | Elsevier |
| linkToHtml | http://utb.summon.serialssolutions.com/2.0.0/link/0/eLvHCXMwnV3NS8MwFA9DD3rxYypOp-YgoodsTZO03VGGY-q2ixvuFpolgeHoxqyIF_92kzSdCqLg9dFfCC_J-6Dv_R4A51S0qBIMI2mCVZOg4AglWgbIuFeFiTYpBbPdyP1B1B3RuzEbV0C77IWxZZXe9hc23VlrL2l6bTYX02nzARPjimITn5DY8l-bFGidsjC2GVjjfVXnEdoJTEXzFUb28882nmIJJ7zE5MqtgvDPDuqL0-nsgC0fLcLrYkO7oKKyKtguJzFA_zCroF502cJHNdPpUsELWArmy6c9QPvp7NXKpcpd6VUGxRv0HfqWdwMWFdW5hSwc42b2vA9GnZthu4v8uAQ0MX44R5a9SmvzPidSEyKTQLcEZTjFUTxRgRCECSNJlIx0mmLjHEMDYDTUQsdYyJgcgLVsnqlDAGmgcRiIJBQpM0cpEyJloBWJaKDsn7waoKWO-MRziduRFjO-KhqzquVWtRwT7lTLcQ00VrBFQabxFyApD4B_uxXcGPzfoUf_h56Bje6w3-O928H9MdgM3QAMW_JXB2v58kWdmDAkF6fumn0AQ3bSQQ |
| openUrl | ctx_ver=Z39.88-2004&ctx_enc=info%3Aofi%2Fenc%3AUTF-8&rfr_id=info%3Asid%2Fsummon.serialssolutions.com&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Ajournal&rft.genre=article&rft.atitle=Malware+detection+by+behavioural+sequential+patterns&rft.jtitle=Computer+fraud+%26+security&rft.au=Ahmadi%2C+Mansour&rft.au=Sami%2C+Ashkan&rft.au=Rahimi%2C+Hossein&rft.au=Yadegari%2C+Babak&rft.date=2013-08-01&rft.pub=Elsevier+B.V&rft.issn=1361-3723&rft.eissn=1873-7056&rft.volume=2013&rft.issue=8&rft.spage=11&rft.epage=19&rft_id=info:doi/10.1016%2FS1361-3723%2813%2970072-1&rft.externalDocID=S1361372313700721 |
| thumbnail_l | http://covers-cdn.summon.serialssolutions.com/index.aspx?isbn=/lc.gif&issn=1361-3723&client=summon |
| thumbnail_m | http://covers-cdn.summon.serialssolutions.com/index.aspx?isbn=/mc.gif&issn=1361-3723&client=summon |
| thumbnail_s | http://covers-cdn.summon.serialssolutions.com/index.aspx?isbn=/sc.gif&issn=1361-3723&client=summon |