http://dx.doi.org/10.13089/JKIISC.2007.17.6.89

Malware Detection Via Hybrid Analysis for API Calls  

Kang, Tae-Woo (Korea University)
Cho, Jae-Ik (Korea University)
Chung, Man-Hyun (Korea University)
Moon, Jong-Sub (Korea University)
Abstract
We have come a long way in the information age. Thanks to the advancement of technologies such as the internet, we have discovered new ways to convey information on a broader scope. However, as with anything else, negative aspects exist. These include invasion of privacy over the web and identity theft over the internet. What is more alarming is that malware, so-called 'malicious code', is spreading rapidly. Its intent is highly destructive and can result in hacking, phishing and, as mentioned above, one of the most disturbing problems on the net, invasion of privacy. This paper describes a technique for effectively analyzing and detecting this kind of malicious code. We propose a sequential hybrid analysis of API calls hooked in both user mode and kernel level of Windows. This research explains how malicious code can be handled more efficiently by abstracting malicious function signatures and hiding attributes.
Keywords
API (Application Programming Interface) Call; Native API; Malware detection
Citations & Related Records
Times cited by KSCI: 1
References
1. 우종우, 하경휘, 'Development of a Signature-Pattern-Based Malicious Code Search Tool', Journal of the Korea Society of Computer and Information, Vol. 10, No. 6, December 2005
2. Kimmo Kasslin, 'Kernel Malware: The Attack from Within', AVAR 2006, December 2006
3. Ed Skoudis, Lenny Zeltser, 'Malware: Fighting Malicious Code', Upper Saddle River, NJ, 2004
4. Vinod Ganapathy, Sanjit A. Seshia, 'Automatic Discovery of API-Level Exploits', ICSE '05, 2005
5. Kwak Taejin, 'Attack Native API (Looking around Native API)', Devguru, www.devguru.co.kr, 2004
6. Campbell, C. and Cristianini, N., 'Simple Learning Algorithms for Training Support Vector Machines', Technical Report, University of Bristol, 1998
7. Ulrich Bayer, Andreas Moser, Christopher Kruegel, 'Dynamic Analysis of Malicious Code', J. Comput. Virol. 2006, pp. 67-77, May 2006
8. Birdman, 'The Evolution of Windows Spyware Techniques', HIT2005, July 2005
9. Roberto Battistoni, Emanuele Gabrielli, 'A Host Intrusion Prevention System for Windows Operating Systems', ESORICS 2004, pp. 352-368, 2004
10. Chih-Chung Chang and Chih-Jen Lin, 'LIBSVM: a library for support vector machines', 2001. Software available at www.csie.ntu.edu.tw/~cjlin/libsvm
11. Microsoft, 'Visual Studio, Microsoft Portable Executable and Common Object File Format Specification', www.microsoft.com/whdc/system/platform/firmware/PECOFF.mspx, 2006, visited 2007
12. C. Cortes and V. Vapnik, 'Support-Vector Networks', Machine Learning, pp. 273-297, 1995
13. 박남열, 김용민, 노봉남, 'A Behavior-Based Detection Method for Malicious Code Using Evasion Techniques', Journal of the Korea Institute of Information Security and Cryptology, Vol. 16, No. 3, pp. 17-26, June 2006
14. Mark Russinovich, 'Inside Native API', www.sysinternals.com, 2004, visited 2007
15. A. Sung, J. Xu, P. Chavez, and S. Mukkamala, 'Static Analyzer for Vicious Executables (SAVE)', 20th Annual Computer Security Applications Conference, pp. 326-334, December 2004
16. Bontchev, V., 'Macro Virus Identification Problems', Proceedings of the 7th International Virus Bulletin Conference, pp. 175-196, 1997
17. Tomasz Nowak, 'Undocumented Functions for Microsoft Windows NT/2000', NTinternals.net, 2006, visited 2007