Malware detection based on structural and behavioural features of API calls

Mamoun Alazab, Robert Layton, Sitalakshmi Venkatraman, Paul Watters

Research output: Chapter in Book/Report/Conference proceedingConference proceeding contributionpeer-review


In this paper, we propose a five-step approach to detect obfuscated malware by investigating the structural and behavioural features of API calls. We have developed a fully automated system to disassemble and extract API call features effectively from executables. Using n-gram statistical analysis of binary content, we are able to classify if an executable file is malicious or benign. Our experimental results with a dataset of 242 malwares and 72 benign files have shown a promising accuracy of 96.5% for the unigram model. We also provide a preliminary analysis by our approach using support vector machine (SVM) and by varying n-values from 1 to 5, we have analysed the performance that include accuracy, false positives and false negatives. By applying SVM, we propose to train the classifier and derive an optimum n-gram model for detecting both known and unknown malware efficiently.
Original languageEnglish
Title of host publicationProceedings of the 1st international cyber resilience conference
EditorsCraig Valli
Place of PublicationPerth, WA
PublisherEdith Cowan University
Number of pages10
ISBN (Print)9780729806909
Publication statusPublished - 2010
Externally publishedYes
EventInternational cyber resilience conference (1st : 2010) - Perth, WA
Duration: 23 Aug 201024 Aug 2010


ConferenceInternational cyber resilience conference (1st : 2010)
CityPerth, WA


  • code obfuscation
  • feature extraction
  • malware
  • n-gram
  • SVM


Dive into the research topics of 'Malware detection based on structural and behavioural features of API calls'. Together they form a unique fingerprint.

Cite this