http://dx.doi.org/10.13089/JKIISC.2014.24.5.897

A study on extraction of optimized API sequence length and combination for efficient malware classification  

Choi, Ji-Yeon (Korea Institute of Science and Technology Information)
Kim, HeeSeok (Korea Institute of Science and Technology Information)
Kim, Kyu-Il (Korea Institute of Science and Technology Information)
Park, Hark-Soo (Korea Institute of Science and Technology Information)
Song, Jung-Suk (Korea Institute of Science and Technology Information)
Abstract
With the growth of the Internet, the number of cyber threats keeps increasing and their techniques keep evolving in order to attack critical systems. Because attackers can easily produce malware with dedicated generation tools, the number of malware samples is rising rapidly, and it is not feasible to analyze every sample individually. For this reason, many researchers have proposed malware classification methods that identify previously unseen malware by its similarity to well-known malware. Existing classification methods use the information obtained from static and dynamic malware analysis as the criterion for computing the similarity between samples, and most of them rely on API functions and API call sequences that are split into pieces of a fixed length (n-grams). The accuracy of such classification therefore depends heavily on the length into which the API sequences are divided. In this paper, we propose a method for extracting an optimized API sequence length, and combination of lengths, that can be used to improve the performance of malware classification.
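The abstract describes the mechanism that the paper tunes: API call sequences are cut into n-grams of a chosen length n and the similarity between two samples is computed from those n-gram sets, so the chosen n directly shapes the result. The following Python block is an added illustration written for this page, not the authors' method or code. It builds n-gram sets for several lengths (and for unions of lengths, a simple form of "combination"), computes pairwise Jaccard similarity, and picks the length that best separates same-family pairs from different-family pairs. The API traces, the family labels and the separation score used to rank lengths are all constructed assumptions for the example; the paper's own selection criterion is not reproduced here.

```python
"""Added example (not from the paper): effect of API n-gram length on
malware similarity.  Traces, family labels and the ranking criterion are
constructed for illustration."""
from itertools import combinations
from typing import Dict, Iterable, List, Set, Tuple

# Constructed API call traces (not real sandbox output).  a1 and a2 are
# meant to look like one family (file drop + registry persistence),
# b1 like another (network activity first).
TRACES: Dict[str, List[str]] = {
    "a1": ["CreateFileW", "WriteFile", "CloseHandle", "RegOpenKeyExW",
           "RegSetValueExW", "RegCloseKey", "CreateProcessW"],
    "a2": ["CreateFileW", "WriteFile", "CloseHandle", "RegOpenKeyExW",
           "RegSetValueExW", "RegCloseKey", "WinExec"],
    "b1": ["socket", "connect", "send", "recv", "CreateFileW",
           "WriteFile", "CloseHandle", "CreateProcessW"],
}
# Assumed ground-truth family labels for the constructed samples.
FAMILY: Dict[str, str] = {"a1": "A", "a2": "A", "b1": "B"}

NGram = Tuple[str, ...]


def ngrams(seq: List[str], n: int) -> Set[NGram]:
    """Set of all n-grams (tuples of n consecutive API names) in seq."""
    return {tuple(seq[i:i + n]) for i in range(len(seq) - n + 1)}


def features(seq: List[str], lengths: Iterable[int]) -> Set[NGram]:
    """Union of n-gram sets over several lengths, i.e. a 'combination' of
    sequence lengths used as one feature set."""
    out: Set[NGram] = set()
    for n in lengths:
        out |= ngrams(seq, n)
    return out


def jaccard(a: Set[NGram], b: Set[NGram]) -> float:
    """Jaccard similarity |a ∩ b| / |a ∪ b|; two empty sets count as identical."""
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


def similarity(traces: Dict[str, List[str]],
               lengths: Iterable[int]) -> Dict[Tuple[str, str], float]:
    """Pairwise similarity of every sample pair for the given length(s)."""
    lengths = tuple(lengths)
    feats = {name: features(seq, lengths) for name, seq in traces.items()}
    return {(x, y): jaccard(feats[x], feats[y])
            for x, y in combinations(sorted(traces), 2)}


def separation(traces: Dict[str, List[str]], family: Dict[str, str],
               lengths: Iterable[int]) -> float:
    """Constructed ranking criterion: mean same-family similarity minus mean
    different-family similarity.  Higher means the n-gram length separates
    families better.  (Assumption for this example, not the paper's metric.)"""
    sims = similarity(traces, lengths)
    intra = [s for (x, y), s in sims.items() if family[x] == family[y]]
    inter = [s for (x, y), s in sims.items() if family[x] != family[y]]
    mean = lambda xs: sum(xs) / len(xs) if xs else 0.0
    return mean(intra) - mean(inter)


def best_combination(traces: Dict[str, List[str]], family: Dict[str, str],
                     candidates: List[Tuple[int, ...]]) -> Tuple[int, ...]:
    """Return the candidate length combination with the highest separation."""
    return max(candidates, key=lambda c: separation(traces, family, c))


if __name__ == "__main__":
    singles = [(n,) for n in range(1, 7)]
    for combo in singles + [(1, 2), (2, 3), (3, 4)]:
        print(f"lengths={combo}: separation={separation(TRACES, FAMILY, combo):.3f}")
    print("best:", best_combination(TRACES, FAMILY, singles + [(1, 2), (2, 3), (3, 4)]))
```

On the constructed traces, short n-grams (n=1) let unrelated samples share many generic calls such as CreateFileW and CloseHandle, while very long n-grams (n=6 or more) stop matching even samples of the same family after a single differing call; the best separation sits in between, which is exactly why the length (and combination of lengths) has to be chosen rather than fixed arbitrarily.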
Keywords
Malware classification; API sequence; Length; Combination;