
A Study on Similarity Calculation Method for API Invocation Sequences

  • Conference paper
Rough Sets and Knowledge Technology (RSKT 2015)

Part of the book series: Lecture Notes in Computer Science (LNAI, volume 9436)


Abstract

Malware variants are continually developed and spread over the Internet, and the number of new variants increases every year. Recently, obfuscation and mutation techniques have been applied to malware to hide its presence, and variants are produced with automated tools that transform the properties of existing malware in order to evade static-analysis-based detection systems. Because such obfuscated malware is difficult to detect with static signatures, we have designed a detection system based on dynamic analysis. In this paper, we propose a dynamic-analysis-based system that uses API invocation sequences to compare the behavior of suspicious software with the behavior of known malware.
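The abstract describes comparing API invocation sequences but does not name the similarity metric. The following is an added example, not the paper's code, that scores two API-call traces with Smith-Waterman local alignment (an assumption on my part) and normalizes the score so that a threshold can flag behavioral overlap with a known sample; the traces, API names, scoring scheme and threshold are all constructed for illustration.

```python
# Added example (not the paper's code): similarity of two API-invocation
# sequences via Smith-Waterman local alignment. The metric and the scoring
# constants below are assumptions; the abstract does not specify them.
from typing import List

MATCH, MISMATCH, GAP = 2, -1, -1  # constructed linear scoring scheme (assumption)


def smith_waterman(a: List[str], b: List[str]) -> int:
    """Best local-alignment score between token sequences a and b.

    Local alignment is used so that an injected run of junk calls (for
    example padding with Sleep) only costs gap penalties instead of
    destroying the match of the surrounding behavior.
    """
    prev = [0] * (len(b) + 1)
    best = 0
    for i in range(1, len(a) + 1):
        cur = [0] * (len(b) + 1)
        for j in range(1, len(b) + 1):
            diag = prev[j - 1] + (MATCH if a[i - 1] == b[j - 1] else MISMATCH)
            # Clamp at 0: a local alignment may start anywhere.
            cur[j] = max(0, diag, prev[j] + GAP, cur[j - 1] + GAP)
            best = max(best, cur[j])
        prev = cur
    return best


def similarity(a: List[str], b: List[str]) -> float:
    """Normalize the alignment score to [0, 1] by the best score attainable
    on the shorter trace (every token matched, no gaps)."""
    if not a or not b:
        return 0.0
    return smith_waterman(a, b) / (MATCH * min(len(a), len(b)))


def matches_reference(trace: List[str], reference: List[str],
                      threshold: float = 0.5) -> bool:
    """Flag a trace whose normalized similarity reaches the threshold."""
    return similarity(trace, reference) >= threshold


# Constructed sample traces (API names chosen for illustration only).
KNOWN_MALWARE = ["CreateFileW", "WriteFile", "RegOpenKeyExW", "RegSetValueExW",
                 "CreateProcessW", "InternetOpenW", "InternetConnectW"]
SUSPICIOUS = ["GetModuleHandleW", "Sleep", "CreateFileW", "WriteFile", "Sleep",
              "RegOpenKeyExW", "RegSetValueExW", "CreateProcessW", "ExitProcess"]
BENIGN = ["GetModuleHandleW", "LoadLibraryW", "GetProcAddress",
          "MessageBoxW", "ExitProcess"]
```

The suspicious trace shares a five-call run with the reference despite an inserted Sleep, so it scores well above the benign trace, which shares no calls at all.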



Acknowledgments

This research was supported by the Next-Generation Information Computing Development Program through the National Research Foundation of Korea (NRF), funded by the Ministry of Science, ICT & Future Planning (2011-0029923).

Author information

Correspondence to Eul Gyu Im.


Rights and permissions

Open Access This chapter is licensed under the terms of the Creative Commons Attribution-NonCommercial 2.5 International License (http://creativecommons.org/licenses/by-nc/2.5/), which permits any noncommercial use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license and indicate if changes were made.

The images or other third party material in this chapter are included in the chapter's Creative Commons license, unless indicated otherwise in a credit line to the material. If material is not included in the chapter's Creative Commons license and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder.


Copyright information

© 2015 Springer International Publishing Switzerland

About this paper

Cite this paper

Shim, Y.J., Kim, T., Im, E.G. (2015). A Study on Similarity Calculation Method for API Invocation Sequences. In: Ciucci, D., Wang, G., Mitra, S., Wu, WZ. (eds) Rough Sets and Knowledge Technology. RSKT 2015. Lecture Notes in Computer Science, vol. 9436. Springer, Cham. https://doi.org/10.1007/978-3-319-25754-9_43


  • DOI: https://doi.org/10.1007/978-3-319-25754-9_43


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-25753-2

  • Online ISBN: 978-3-319-25754-9
