Malware detection by behavioural sequential patterns
| Published in | Computer Fraud & Security, Vol. 2013, No. 8, pp. 11-19 |
|---|---|
| Main Authors | Mansour Ahmadi, Ashkan Sami, Hossein Rahimi, Babak Yadegari |
| Format | Journal Article |
| Language | English |
| Published | Elsevier B.V., 01.08.2013 |
| ISSN | 1361-3723, 1873-7056 |
| DOI | 10.1016/S1361-3723(13)70072-1 |

Summary:

For many years, malware has been the subject of intensive study by researchers in industry and academia. Malware production, while not being an organised business, has reached a level where automatic malicious code generators/engines are easily found. These tools are able to exploit multiple techniques for countering anti-virus (AV) protections, from aggressive AV killing to passive evasive behaviours in any arbitrary malicious code or executable. Development of such techniques has led to easier creation of malicious executables. Consequently, an unprecedented prevalence of new and unseen malware is being observed. Reports suggested a global, annual economic loss due to malware exceeding $13bn in 2007.1

Traditional signature-based antivirus methods struggle to cope with polymorphic, metamorphic and unknown malicious executables, and analysing and debugging obfuscated programs is a tricky and cumbersome process.

Now Mansour Ahmadi of Young Researchers and Elite Club, Shiraz Branch, Iran and Ashkan Sami, Hossein Rahimi and Babak Yadegari of Shiraz University, Iran have developed a novel framework based on runtime API call auditing and data mining, a method that achieved a malware detection rate of 98.4% in tests. Here, they detail their approach and the benefits it could bring.