Skip to main content
SpringerLink
Log in

A comparison of static, dynamic, and hybrid analysis for malware detection

  • Original Paper
  • Published:
Journal of Computer Virology and Hacking Techniques Aims and scope Submit manuscript

Abstract

In this research, we compare malware detection techniques based on static, dynamic, and hybrid analysis. Specifically, we train Hidden Markov Models (HMMs) on both static and dynamic feature sets and compare the resulting detection rates over a substantial number of malware families. We also consider hybrid cases, where dynamic analysis is used in the training phase, with static techniques used in the detection phase, and vice versa. In our experiments, a fully dynamic approach generally yields the best detection rates. We discuss the implications of this research for malware detection based on hybrid techniques.

This is a preview of subscription content, log in via an institution to check access.

Access this article

Log in via an institution

Price excludes VAT (USA)
Tax calculation will be finalised during checkout.

Instant access to the full article PDF.

Institutional subscriptions

Fig. 1
Fig. 2
Fig. 3
Fig. 4
Fig. 5
Fig. 6
Fig. 7
Fig. 8

Similar content being viewed by others

Notes

  1. For example, if one curve dominates another in ROC space, it also dominates in PR space, and vice versa.

References

  1. Ahmed, F. et al: Using spatio-temporal information in API calls with machine learning algorithms for malware detection, ACM Workshop on Security and Artificial Intelligence (2009)

  2. Anderson, B., et al.: Graph-based malware detection using dynamic analysis. J. Comput. Virol. 7(4), 247–258 (2011)

    Article  Google Scholar 

  3. Annachhatre, C., Austin, T.H., Stamp, M.: Hidden Markov models for malware classification. J. Comput. Virol. Hack. Tech. 11(2), 59–73 (2014)

    Article  Google Scholar 

  4. Attaluri, S., McGhee, S., Stamp, M.: Profile Hidden Markov Models and metamorphic virus detection. J. Comput. Virol. 5(2), 151–169 (2009)

    Article  Google Scholar 

  5. Aycock, J.: Computer Viruses and Malware. Springer-Verlag, New York (2006)

  6. Baysa, D., Low, R.M., Stamp, M.: Structural entropy and metamorphic malware. J. Comput. Virol. Hack. Tech. 9(4), 179–192 (2013)

    Article  Google Scholar 

  7. Borello, J., Me, L.: Code obfuscation techniques for metamorphic viruses. J. Comput. Virol. 4(3), 211–220 (2008)

    Article  Google Scholar 

  8. Bradley, A.P.: The use of the area under the ROC curve in the evaluation of machine learning algorithms. J. Pattern Recogn. 30(7), 1145–1159 (1997)

    Article  Google Scholar 

  9. Buster Sandbox Analyser. http://bsa.isoftware.nl/. Accessed 20 Dec 2015

  10. Choi, Y.H. et al.: Toward extracting malware features for classification using static and dynamic analysis. Computing and Networking Technology (ICCNT), Gueongju, South Korea, pp. 126–129

  11. Christodorescu,M., Jha, S.: Static analysis of executables to detect malicious patterns. In: Proceeding of USENIX Security Symposium. Bellevue, WA, pp. 169–186. http://www.cs.cornell.edu/courses/cs711/2005fa/papers/cj-usenix03.pdf

  12. Dai, J., Guha, R., Lee, J.: Efficient virus detection using dynamic instruction sequences. J. Comput. 4(5), 405–414 (2009)

    Article  Google Scholar 

  13. Damodaran, A.: Combining dynamic and static analysis for malware detection, Master’s report, Department of Computer Science, San Jose State University, 2015. http://scholarworks.sjsu.edu/etd_projects/391/

  14. Davis, J., Goadrich, M.: The relationship between precision-recall and ROC curves, http://www.autonlab.org/icml_documents/camera-ready/030_The_Relationship_Bet.pdf

  15. Deshpande, P.: Metamorphic detection using function call graph analysis, Master’s report, Department of Computer Science, San Jose State University, 2013, http://scholarworks.sjsu.edu/etd_projects/336/

  16. Deshpande, S., Park, Y., Stamp, M.: Eigenvalue analysis for metamorphic detection. J. Comput. Virol. Hack. Techn. 10(1), 53–65 (2014)

    Article  Google Scholar 

  17. Dinaburg, A., Royal, P., Sharif, M. and Lee, W.: Ether: Malware analysis via hardware virtualization extensions, CCS 08, October 27–31, 2008, Alexandria, Virginia. http://ether.gtisc.gatech.edu/ether_ccs_2008.pdf

  18. Egele, M., Scholte, T., Kirda, E. and Kruegel, C.: A survey on automated dynamic malware analysis techniques and tools. J. ACM Comput. Surv. 44(2):Article 6, (2012)

  19. Eskandari, M., Hashemi, S.: A graph mining approach for detecting unknown malwares. J. Vis. Lang. Comput. 23(3), 154–162 (2012)

    Article  Google Scholar 

  20. Eskandari, M., Khorshidpour, Z., Hashemi, S.: HDM-Analyser: A hybrid analysis approach based on data mining techniques for malware detection. J. Comput. Virol. Hack. Techn. 9(2), 77–93 (2013)

    Article  Google Scholar 

  21. Eskandari, M., Khorshidpur, Z. and Hashemi, S.: To incorporate sequential dynamic features in malware detection engines, Intelligence and Security Informatics Conference (EISIC), pp. 46–52 (2012)

  22. Fawcett. T.: An introduction to ROC analysis. http://people.inf.elte.hu/kiss/13dwhdm/roc.pdf

  23. Ghahramani, Z.: An introduction to hidden Markov models and Bayesian networks. Int. J. Pattern Recognit. Artif. Intell. 15(1), 9–42 (2001)

    Article  Google Scholar 

  24. Harebot.: http://www.pandasecurity.com/homeusers/security-info/220319/Harebot.M

  25. Jacob, G., Debar, H., Filiol, E.: Behavioral detection of malware: From a survey towards an established taxonomy. J. Comput. Virol. 4(3), 251–266 (2008)

    Article  Google Scholar 

  26. Jidigam, R.K., Austin, T.H., Stamp, M.: Singular value decomposition and metamorphic detection. J. Comput. Virol. Hack. Techn 11(4), 203–216 (2015)

    Article  Google Scholar 

  27. Kolbitsch, C. et al.: Effective and efficient malware detection at the end host. In: Proceedings of the 18th conference on USENIX security symposium, pp. 351–366. Montreal Canada. https://www.usenix.org/legacy/event/sec09/tech/full_papers/kolbitsch.pdf

  28. Lee, J., Austin, T.H., Stamp, M.: Compression-based analysis of metamorphic malware. Int. J. Secur. Netw 10(2), 124–136 (2015)

    Article  Google Scholar 

  29. Nappa, A., Rafique, M.Z. and Caballero, J.: Driving in the cloud: An analysis of drive-by download operations and abuse reporting, Proceedings of the 10th Conference on Detection of Intrusions and Malware & Vulnerability Assessment, Berlin, Germany, July (2013)

  30. Park, Y., Reeves, D., Mulukutla, V. and Sundaravel, B.: Fast malware classification by automated behavioral graph matching. In: Proceedings of the 6th Annual Workshop on Cyber Security and Information Intelligence Research (2010)

  31. Park, Y., Reeves, D. and Stamp, M.: Deriving common malware behavior through graph clustering. Comput. Secur. 39(B):419–430 (2013)

  32. Qiao, Y., He, J., Yang, Y., Ji, L.: Analyzing malware by abstracting the frequent itemsets in API call sequences, pp. 265–270. Trust, Security and Privacy in Computing and Communications (TrustCom) (2013)

  33. Rhee, J., Riley, R., Xu, D., Jiang, X.: Kernel malware analysis with un-tampered and temporal views of dynamic kernel memory. Recent Adv. Intrusion Detect. Lect. Notes Comput. Sci. 6307, 178–197 (2010)

  34. Rabiner, L.R.: A tutorial on Hidden Markov Models and selected applications in speech recognition. Proc IEEE 77(2):257–286 (1989). http://www.cs.ubc.ca/~murphyk/Bayes/rabiner.pdf

  35. Runwal, N., Low, R.M., Stamp, M.: Opcode graph similarity and metamorphic detection. J. Comput. Virol. 8(1–2), 37–52 (2012)

    Article  Google Scholar 

  36. SandBoxie. http://sandboxie.com/

  37. Security Shield. http://www.symantec.com/security_response/glossary/define.jsp?letter=s&word=security-shield

  38. Shankarapani, M.K., Ramamoorthy, S., Movva, R.S., Mukkamala, S.: Malware detection using assembly and API call sequences. J. Comput. Virol. 2(7), 107–119 (2011)

    Article  Google Scholar 

  39. Shanmugam, G., Low, R.M., Stamp, M.: Simple substitution distance and metamorphic detection. J. Comput. Virol. Hack. Techn. 9(3), 159–170 (2013)

    Article  Google Scholar 

  40. Singh, T.: Support Vector Machines and metamorphic malware detection, Master’s report, Department of Computer Science, San Jose State University (2015). http://scholarworks.sjsu.edu/etd_projects/409/

  41. Smart HDD. http://support.kaspersky.com/viruses/rogue?qid=208286454

  42. Sorokin, I.: Comparing files using structural entropy. J. Comput. Virol. 7(4), 259–265 (2011)

    Article  MathSciNet  Google Scholar 

  43. Stamp, M.: A revealing introduction to hidden Markov models (2012). http://www.cs.sjsu.edu/~stamp/RUA/HMM.pdf

  44. Symantec White Paper, Internet Security Report, vol 20, (2015). http://www.symantec.com/security_response/publications/threatreport.jsp

  45. Toderici, A.H., Stamp, M.: Chi-squared distance and metamorphic virus detection. J. Comput. Virol. Hack. Techn. 9(1), 1–14 (2013)

    Article  Google Scholar 

  46. Trojan.Zbot. http://www.symantec.com/security_response/writeup.jsp?docid=2010-011016-3514-99

  47. Trojan.ZeroAccess. http://www.symantec.com/security_response/writeup.jsp?docid=2011-071314-0410-99

  48. Win32/Winwebsec. http://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Win32%2fWinwebsec

  49. Wong, W., Stamp, M.: Hunting for metamorphic engines. J. Comput. Virol. 2(3), 211–229 (2006)

    Article  Google Scholar 

  50. Ye, Y., Wang, D., Li, T., Ye, D., Jiang, Q.: An intelligent PE-malware detection system based on association mining. J. Comput. Virol. 4(4), 323–334 (2008)

    Article  Google Scholar 

Download references

Author information

Authors and Affiliations

  1. Department of Computer Science, San Jose State University, San Jose, USA

    Anusha Damodaran, Thomas H. Austin & Mark Stamp

  2. Department of Engineering, Università degli Studi del Sannio, Benevento, Italy

    Fabio Di Troia & Corrado Aaron Visaggio

Authors
  1. Anusha Damodaran
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Fabio Di Troia
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Corrado Aaron Visaggio
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. Thomas H. Austin
    View author publications

    You can also search for this author in PubMed Google Scholar

  5. Mark Stamp
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Mark Stamp.

Rights and permissions

Reprints and permissions

About this article

Check for updates. Verify currency and authenticity via CrossMark

Cite this article

Damodaran, A., Troia, F.D., Visaggio, C.A. et al. A comparison of static, dynamic, and hybrid analysis for malware detection. J Comput Virol Hack Tech 13, 1–12 (2017). https://doi.org/10.1007/s11416-015-0261-z

Download citation

  • Received:

  • Accepted:

  • Published:

  • Issue Date:

  • DOI: https://doi.org/10.1007/s11416-015-0261-z

Keywords

Search

Navigation