Analysis and classification of context-based malware behavior

Abstract

This paper presents an overview of the findings on trigger-based malware behavior elicitation, classification, modeling, and behavioral signature generation. Considering reactions to environmental conditions, we suggest a new classification of trigger-based malware behavior as evasive and elicited behaviors. Both these behaviors are concerned with the elaboration of environmental conditions. However, evasive behaviors are targeted at self-defense while elicited behaviors manifest malware opportunism for malicious acts. Therefore, appropriate models, representing such behaviors are expected to provide indications of the conditions conducting different sub-behaviors. To this aim, we propose a new behavioral model based on a conditioned graph structure. To elicit trigger-based behaviors, we offer a greedy approach to gradual collection and feeding of environmental conditions in successive runs of a malware sample. To this aim, we have supplied our analysis environment, Parsa sandbox, with a new component, VECG, to analyze and record relevant API calls. VECG uses these API calls for supplying different environmental conditions and resources, expected by a trigger-based malware while analyzing the malware behavior. We introduce a new algorithm, Htest, to select the most discriminative sub-graphs of conditioned behavioral models as the unique signature for the malware family. The resultant behavioral models, applied as malware signatures, are evaluated using 1700 malicious programs belonging to 16 families. The signatures are evaluated, once without and then under different environmental conditions. It is observed that our signatures could segregate malware family samples with an accuracy of 97.1% while the accuracy will drop to about 22.91% if the environmental conditions are neglected.