Abstract
In this paper, we propose a five-step approach to detect obfuscated malware by investigating the structural and behavioural features of API calls. We have developed a fully automated system to disassemble executables and extract API call features from them effectively. Using n-gram statistical analysis of binary content, we are able to classify whether an executable file is malicious or benign. Our experimental results with a dataset of 242 malware samples and 72 benign files have shown a promising accuracy of 96.5% for the unigram model. We also provide a preliminary analysis of our approach using a support vector machine (SVM): by varying n from 1 to 5, we have analysed performance in terms of accuracy, false positives and false negatives. By applying SVM, we propose to train the classifier and derive an optimum n-gram model for detecting both known and unknown malware efficiently.
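The n-gram feature extraction over API call sequences and the accuracy / false-positive / false-negative sweep over n = 1..5 described in the abstract, as an added illustration that is not the authors' code: the API call sequences are constructed, and a nearest-centroid overlap score stands in for the paper's SVM classifier.

```python
from collections import Counter

# Constructed API-call sequences standing in for disassembled executables;
# these are illustrative, not samples from the paper's dataset.
TRAIN = [
    (["GetModuleHandleA", "GetProcAddress", "CreateFileA", "ReadFile", "CloseHandle"], "benign"),
    (["GetModuleHandleA", "GetProcAddress", "RegOpenKeyExA", "RegQueryValueExA", "RegCloseKey"], "benign"),
    (["VirtualAlloc", "WriteProcessMemory", "CreateRemoteThread", "VirtualAlloc", "WriteProcessMemory"], "malware"),
    (["LoadLibraryA", "GetProcAddress", "VirtualAlloc", "WriteProcessMemory", "CreateRemoteThread"], "malware"),
]
TEST = [
    (["GetModuleHandleA", "GetProcAddress", "CreateFileA", "WriteFile", "CloseHandle"], "benign"),
    (["VirtualAlloc", "WriteProcessMemory", "CreateRemoteThread", "CloseHandle"], "malware"),
]

def api_ngrams(calls, n):
    """Counter of overlapping n-grams over one executable's API call sequence."""
    return Counter(tuple(calls[i:i + n]) for i in range(len(calls) - n + 1))

def train_centroids(samples, n):
    """Summed n-gram counts per class; a simple stand-in for the paper's SVM training."""
    cent = {"benign": Counter(), "malware": Counter()}
    for calls, label in samples:
        cent[label].update(api_ngrams(calls, n))
    return cent

def classify(calls, cent, n):
    """Score = n-gram mass shared with each class centroid; ties resolve to benign."""
    grams = api_ngrams(calls, n)
    score = {lbl: sum(min(c, grams[g]) for g, c in cnt.items()) for lbl, cnt in cent.items()}
    return "malware" if score["malware"] > score["benign"] else "benign"

def evaluate(n, train=TRAIN, test=TEST):
    """Accuracy, false positives (benign flagged) and false negatives (malware missed) for one n."""
    cent = train_centroids(train, n)
    fp = fn = correct = 0
    for calls, label in test:
        pred = classify(calls, cent, n)
        correct += int(pred == label)
        fp += int(label == "benign" and pred == "malware")
        fn += int(label == "malware" and pred == "benign")
    return {"accuracy": correct / len(test), "fp": fp, "fn": fn}

if __name__ == "__main__":
    for n in range(1, 6):  # the paper sweeps n from 1 to 5
        print(n, evaluate(n))
```

On this toy data the unigram and bigram models classify both held-out samples correctly, while at n = 5 the short malware sample yields no 5-grams at all and is missed, which is the sparsity effect that makes the choice of n matter.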
Field | Value |
---|---|
Original language | English |
Title of host publication | Proceedings of the 1st international cyber resilience conference |
Editors | Craig Valli |
Place of Publication | Perth, WA |
Publisher | Edith Cowan University |
Pages | 1-10 |
Number of pages | 10 |
ISBN (Print) | 9780729806909 |
Publication status | Published - 2010 |
Externally published | Yes |
Event | International cyber resilience conference (1st : 2010) - Perth, WA. Duration: 23 Aug 2010 → 24 Aug 2010 |
Conference
Field | Value |
---|---|
Conference | International cyber resilience conference (1st : 2010) |
City | Perth, WA |
Period | 23/08/10 → 24/08/10 |
Keywords
- code obfuscation
- feature extraction
- malware
- n-gram
- SVM