Abstract

In an era of ubiquitous sensors and smart devices, malware detection has become an endless battle between ever-evolving malware and antivirus programs that must process ever-increasing amounts of security-related data. Malware persists by spawning full-fledged variants within the same family or across families. Malware belonging to the same family shares the same characteristics in how it spreads infection to the victim computer, and we find that certain malicious functions are common to malware even across different categories. By checking for the presence of certain functions, or for matches against API call sequence patterns, we can therefore detect even new, unknown malware. Various approaches to malware detection have been proposed. An Application Programming Interface (API) is widely used by software to interact with the operating system to perform tasks such as opening or deleting a file; programmers use these APIs so that their programs can communicate with the operating system without prior knowledge of the underlying hardware. Attackers build malware from the same APIs, so the calls themselves are hard to tell apart from those of legitimate software. Much research has been done in this field, and most researchers have used n-grams to detect API call sequences. Although this gives good results, it is time-consuming to process all of the output. We therefore propose using Concordance to search for the API call sequence of a malware sample, because it uses KWIC (Key Word in Context) and thus displays only the output relevant to the queried keyword. Document Frequency (DF) is then used to find the APIs most commonly used across the dataset. In our experiments this gave higher accuracy than other methods and identified more categories. Since API call sequences can be extracted from most modern devices, we expect our method to detect malware across all types of ubiquitous devices. The results show that Concordance can be used to search for API call sequences: we identified eight malicious activities (Screen Capture, Hooking, Downloader, Enumerate all processes, Anti-debugging, Synchronization, Key Logger and Dropper) using this method.
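The two steps the abstract describes, a KWIC concordance over API call traces followed by Document Frequency across the dataset, can be sketched in a few dozen lines. The following is an added example written for this page, not the authors' code: the API traces are constructed (the names are real Win32 APIs, but the sequences are invented), and the category-to-pattern table is an illustrative assumption rather than the patterns the paper used. A subsequence match (`contains_sequence`) stands in for the paper's pattern check.

```python
"""KWIC concordance and document frequency over API call traces.

Added example (not the paper's code). The traces are constructed and the
category patterns are illustrative assumptions, not the paper's.
"""
from collections import Counter
from typing import Dict, List, Tuple

# Constructed API call traces, one per sample. Names are real Win32 APIs; the
# sequences are made up so the example runs offline.
TRACES: Dict[str, List[str]] = {
    "sample_a": ["CreateMutexA", "IsDebuggerPresent", "SetWindowsHookExA",
                 "GetMessageA", "GetAsyncKeyState", "CreateFileA", "WriteFile"],
    "sample_b": ["IsDebuggerPresent", "URLDownloadToFileA", "WinExec",
                 "CreateMutexA", "WaitForSingleObject"],
    "sample_c": ["CreateToolhelp32Snapshot", "Process32First", "Process32Next",
                 "GetDC", "BitBlt", "CreateFileA", "WriteFile"],
    "sample_d": ["CreateMutexA", "SetWindowsHookExA", "GetMessageA",
                 "GetAsyncKeyState", "CreateFileA", "WriteFile"],
}

# Hypothetical activity patterns (ordered API subsequences), chosen for the
# example only; they are NOT the paper's signatures.
PATTERNS: Dict[str, List[str]] = {
    "Key Logger": ["SetWindowsHookExA", "GetAsyncKeyState"],
    "Downloader": ["URLDownloadToFileA", "WinExec"],
    "Enumerate all process": ["CreateToolhelp32Snapshot", "Process32First",
                              "Process32Next"],
    "Screen Capture": ["GetDC", "BitBlt"],
    "Anti debugging": ["IsDebuggerPresent"],
}


def kwic(traces: Dict[str, List[str]], keyword: str, width: int = 2
         ) -> List[Tuple[str, List[str], str, List[str]]]:
    """KWIC concordance: for each occurrence of `keyword` return the sample
    name, the `width` calls before it, the keyword, and the `width` calls after.
    Only windows around the queried API are returned, which is the point of
    KWIC compared with listing every n-gram in the trace."""
    hits = []
    for name, calls in traces.items():
        for i, call in enumerate(calls):
            if call == keyword:
                left = calls[max(0, i - width):i]
                right = calls[i + 1:i + 1 + width]
                hits.append((name, left, call, right))
    return hits


def document_frequency(traces: Dict[str, List[str]]) -> Counter:
    """Document Frequency: number of samples in which each API appears at least
    once. Each sample is counted once per API, regardless of how many times the
    API is called within that sample."""
    df: Counter = Counter()
    for calls in traces.values():
        df.update(set(calls))
    return df


def contains_sequence(calls: List[str], pattern: List[str]) -> bool:
    """True if every API in `pattern` appears in `calls` in that order, with
    arbitrary unrelated calls allowed in between."""
    it = iter(calls)
    return all(api in it for api in pattern)


def classify(traces: Dict[str, List[str]],
             patterns: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Map each sample to the sorted list of activity names whose pattern it
    contains."""
    return {
        name: sorted(cat for cat, pat in patterns.items()
                     if contains_sequence(calls, pat))
        for name, calls in traces.items()
    }


if __name__ == "__main__":
    for name, left, kw, right in kwic(TRACES, "SetWindowsHookExA"):
        print(f"{name}: {' '.join(left)} [{kw}] {' '.join(right)}")
    print("DF:", document_frequency(TRACES).most_common(5))
    print("Activities:", classify(TRACES, PATTERNS))
```

Querying one API with `kwic` shows immediately which samples call it and what surrounds the call, so an analyst reviews a handful of context windows instead of the full n-gram output. `document_frequency` counts samples rather than calls, so a single noisy sample that hammers one API does not dominate the ranking.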
