Abstract

An Application Programming Interface (API) lets software interact with an operating system to carry out tasks such as opening or deleting a file. Programmers use these APIs so that their programs can communicate with the operating system without requiring knowledge of the target system's hardware. A malware author is an attacker who may belong to an organization or work alone. Some malware authors have the capability to write their own malware, using the same kinds of APIs that are used to create normal programs. Much research has been done in this field; however, most researchers have used n-grams to detect sequences of API calls, and although this gives good results, processing all of the output is time consuming. For this reason, this paper proposes using Concordance to search for the API call sequence of a malware sample: because it uses KWIC (Key Word In Context), it displays only the output relevant to the queried keyword. Term Frequency (TF) is then used to find the most commonly used APIs in the dataset. The experimental results show that concordance can be used to search for API call sequences, as we managed to identify six malicious behaviors (Install Itself at Startup, Enumerate All Process, Privilege Escalation, Terminate Process, Process Hollowing and Anti-debugging) using this method. Based on the TF score, the most commonly used API in the dataset is RegCloseKey (TF: 1.388), which on its own is not a dangerous API; hence we can infer that most APIs are not malicious in nature, and that it is how they are used that makes them dangerous.

Highlights

  • Nowadays, with new variants of malware being discovered, we can see that malware is becoming more sophisticated in design

  • The Application Programming Interface (API) calls used in this step are chosen randomly and not based on the categories of the APIs. This is because the Term Frequency (TF) is used to show which of the malicious or suspicious APIs is favored by the malware in the dataset

  • The Key Word In Context (KWIC) concordance method is easier to use than n-grams because an n-gram listing enumerates all possible sequences for the chosen n value, producing a large amount of output, whereas this method displays only the results for the queried keywords
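The following Python script is an added illustration of the two techniques described in the abstract and in the highlight above (KWIC concordance over API call traces, compared with n-gram enumeration, plus a term-frequency tally); it is not code from the paper. The three API call traces are constructed for the example, the `kwic`, `ngrams`, `term_frequency` and `flag_by_context` functions are hypothetical names, and the TF normalisation used here (per-sample count divided by trace length, summed over samples) is an assumption, since the page does not state the paper's formula.

```python
from collections import Counter

# Constructed sample data (not from the paper): each entry is the ordered
# API call trace recorded for one sandboxed sample.
TRACES = {
    "sample_a": ["RegOpenKeyExW", "RegSetValueExW", "RegCloseKey",
                 "CreateProcessW", "WriteProcessMemory", "ResumeThread",
                 "RegCloseKey"],
    "sample_b": ["CreateToolhelp32Snapshot", "Process32FirstW",
                 "Process32NextW", "OpenProcess", "TerminateProcess",
                 "RegCloseKey"],
    "sample_c": ["IsDebuggerPresent", "RegOpenKeyExW", "RegQueryValueExW",
                 "RegCloseKey", "ExitProcess"],
}


def kwic(traces, keyword, window=2):
    """Key Word In Context: every occurrence of `keyword` with up to
    `window` calls of left and right context. Only hits for the queried
    keyword are returned, which is the point of concordance search."""
    hits = []
    for name, calls in traces.items():
        for i, call in enumerate(calls):
            if call == keyword:
                left = calls[max(0, i - window):i]
                right = calls[i + 1:i + 1 + window]
                hits.append((name, left, call, right))
    return hits


def ngrams(traces, n):
    """Exhaustive n-gram listing over all traces, for comparison: the
    analyst has to read every sequence, not just the ones of interest."""
    grams = Counter()
    for calls in traces.values():
        for i in range(len(calls) - n + 1):
            grams[tuple(calls[i:i + n])] += 1
    return grams


def term_frequency(traces):
    """Assumed TF definition: for each API, the count within a sample
    divided by that sample's trace length, summed over all samples."""
    tf = Counter()
    for calls in traces.values():
        counts = Counter(calls)
        for api, count in counts.items():
            tf[api] += count / len(calls)
    return tf


def flag_by_context(traces, keyword, preceded_by, window=2):
    """Samples in which `keyword` appears with `preceded_by` in its left
    context. This is how a KWIC hit is turned into a behaviour check:
    the keyword alone (e.g. RegCloseKey) is benign, the context decides."""
    return sorted({name for name, left, _, _ in kwic(traces, keyword, window)
                   if preceded_by in left})


def format_kwic(hits):
    """Render hits as aligned concordance lines for an analyst."""
    return "\n".join(f"{name:9} {' '.join(left):>45} | {kw} | {' '.join(right)}"
                     for name, left, kw, right in hits)


if __name__ == "__main__":
    print(format_kwic(kwic(TRACES, "RegCloseKey")))
    print("bigrams to review:", len(ngrams(TRACES, 2)),
          "vs KWIC hits:", len(kwic(TRACES, "RegCloseKey")))
    api, score = term_frequency(TRACES).most_common(1)[0]
    print(f"most frequent API: {api} (TF {score:.3f})")
    print("RegSetValueExW after RegOpenKeyExW:",
          flag_by_context(TRACES, "RegSetValueExW", "RegOpenKeyExW"))
```

Running the script prints four concordance lines for `RegCloseKey` against fifteen distinct bigrams, which is the volume difference the highlight describes; the most frequent API in the constructed data is also `RegCloseKey`, and the `flag_by_context` call shows that only the surrounding calls, not the keyword itself, separate a benign registry close from a suspicious sequence.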


Summary

Introduction

With new variants of malware being discovered, we can see that malware is becoming more sophisticated in design. According to Cisco (2018), security breaches can cause significant economic damage to an organization, as it takes considerable time to repair the damage done. More than half of the breaches cost more than $500,000 in financial damages. This shows how severe the effect of a malware attack on an organization can be. Take, for example, the WannaCry ransomware outbreak in 2017, which shows how dangerous modern malware is. This ransomware affected more than 200 000 computers in over 150 countries worldwide and caused huge financial damage to its victims (Business Advantage, 2017).
