Abstract

In today's technical world, the detection of malware variants is getting harder day by day, and newer variants make it even tougher to detect them. The enormous amount of diversified malware has forced us to turn to new techniques such as machine learning. In this work, we propose an incremental malware detection model for meta-feature API and system call sequences. We represent host behaviour using a sequence of API calls and system calls. For the creation of sequential system calls, we use NITRSCT (NITR System call Tracer), and for sequential API calls, we generate a list of anomaly scores for each API call sequence using Numenta Hierarchical Temporal Memory (N-HTM). We convert each API call sequence into six meta-features that describe its influence. We perform feature selection using a correlation matrix with a heatmap to select the best meta-features. An incremental malware detection model is proposed to decide the label of the binary executable under study. We classify malware samples into their respective types and demonstrate via a case study that our proposed model can reduce the effort required in the STS-Tool (Socio-Technical Security Tool) approach and the Abuse case approach. Theoretical analysis and real-life experiments show that our model is efficient and achieves 95.2% accuracy. The detection speed of our proposed model is 0.03 s. We resolve the issue of limited precision and recall while detecting malware. The user's requirement is also met by fixing the trade-off between accuracy and speed.
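The abstract describes a pipeline in which per-call anomaly scores for an API call sequence are summarised into six meta-features, which are then pruned with a correlation matrix before classification. The following Python is an added illustration of that step, not the paper's code: the six meta-features, the 0.5 per-call anomaly cut-off and the 0.9 redundancy threshold are assumptions chosen for the example, and the score sequences are constructed rather than real N-HTM output. The sequences are deliberately of equal length so that one feature (`total`) is perfectly collinear with another (`mean`) and the selection step visibly drops it.

```python
"""Meta-features from per-API-call anomaly scores, followed by
correlation-based feature selection.  Added illustration: the six
meta-features below are an assumption, not the paper's definitions, and
the score sequences are constructed, not N-HTM output."""
from statistics import mean, pstdev

# Constructed sample data: one anomaly score (0..1) per API call in the
# sequence, in the style an N-HTM detector might emit.  Equal-length
# sequences make 'total' exactly 6 * 'mean' (perfectly collinear).
SAMPLES = {
    "benign_1":  [0.05, 0.10, 0.08, 0.12, 0.06, 0.09],
    "benign_2":  [0.07, 0.04, 0.11, 0.09, 0.05, 0.10],
    "benign_3":  [0.20, 0.15, 0.30, 0.10, 0.25, 0.18],
    "malware_1": [0.15, 0.62, 0.85, 0.91, 0.78, 0.88],
    "malware_2": [0.40, 0.55, 0.70, 0.95, 0.97, 0.90],
    "malware_3": [0.10, 0.20, 0.75, 0.80, 0.30, 0.85],
}
HIGH = 0.5  # hypothetical cut-off above which a single call counts as anomalous


def longest_run(scores, threshold=HIGH):
    """Longest streak of consecutive calls scored at or above threshold."""
    best = cur = 0
    for s in scores:
        cur = cur + 1 if s >= threshold else 0
        best = max(best, cur)
    return best


def meta_features(scores, threshold=HIGH):
    """Six hypothetical meta-features summarising one score sequence."""
    high = [s for s in scores if s >= threshold]
    return {
        "mean": mean(scores),
        "max": max(scores),
        "std": pstdev(scores),
        "frac_high": len(high) / len(scores),
        "longest_run": longest_run(scores, threshold),
        "total": sum(scores),
    }


def feature_table(samples):
    """Column-oriented table: feature name -> list of values, one per sample."""
    rows = [meta_features(seq) for seq in samples.values()]
    return {name: [row[name] for row in rows] for name in rows[0]}


def pearson(xs, ys):
    """Pearson correlation coefficient; 0.0 if either column is constant."""
    mx, my = mean(xs), mean(ys)
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    vx = sum((x - mx) ** 2 for x in xs)
    vy = sum((y - my) ** 2 for y in ys)
    if vx == 0 or vy == 0:
        return 0.0
    return cov / (vx * vy) ** 0.5


def correlation_matrix(table):
    """Full r matrix as nested dicts: the numbers a heatmap would colour."""
    names = list(table)
    return {a: {b: pearson(table[a], table[b]) for b in names} for a in names}


def select_features(table, threshold=0.9):
    """Greedy redundancy filter: walk features in order and keep one unless
    it correlates (|r| > threshold) with a feature already kept.  Returns
    the kept names and a map dropped_name -> kept feature it duplicates."""
    kept, dropped = [], {}
    for name in table:
        partner = next((k for k in kept
                        if abs(pearson(table[name], table[k])) > threshold),
                       None)
        if partner is None:
            kept.append(name)
        else:
            dropped[name] = partner
    return kept, dropped


if __name__ == "__main__":
    table = feature_table(SAMPLES)
    matrix = correlation_matrix(table)
    for a in matrix:
        print(f"{a:>12}", " ".join(f"{matrix[a][b]:6.2f}" for b in matrix))
    kept, dropped = select_features(table)
    print("kept:", kept)
    print("dropped:", dropped)
```

Running the block prints the correlation matrix (the heatmap's raw values) and the surviving features; `total` is always reported as a duplicate of `mean`. The greedy walk keeps the first feature of each correlated group, so the order in which meta-features are listed decides which representative survives, a detail worth fixing explicitly when reproducing a heatmap-based selection.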

Highlights

  • Today, we are facing one of the toughest security threats, malware

  • We demonstrate via a case study that effort required in Abuse case and STS-Tool approach can be reduced using our proposed model

  • We proposed an incremental malware detection model for meta-feature API and system call sequence, which effectively identified malware


Summary

Introduction

Today, we are facing one of the toughest security threats, malware. Whenever a user installs an unknown application on their system, the malware detector uploads the application's executable to the cloud to verify whether the application is malicious or benign. After the executable is received, the detection system unpacks it using tools like PEiD, PolyUnpack [1], etc. The detection system then disassembles the binary to extract API or system calls and trains a machine-learning based model for classification. Sequential series are a critical class of data, which can be applied in anomaly detection [2], trend analysis [3], periodic pattern detection [4], short-term prediction [5], etc. An API call profile contains an API call sequence, e.g.


