1. Introduction
Destructive malware has been developed in many forms with differing objectives. The most common classifications of malware are trojans, worms and viruses (Eilam, 2005). Initially, malware was developed either for fun, to show off one's capabilities, and/or to highlight weaknesses within a system. Today, however, malware development has reached the highest level of treachery. A wide spectrum of motivations, ranging from personal to national-level interests, has emerged, and a whole new underground economy based on malware has now been established (Aman, 2014). Malware is propagated through abundant infection vectors, such as exploiting a vulnerability on a client system, entering through an open or weak network service, using removable devices (Honig & Sikorski, 2012; Lyda et al., 2007), or social engineering.
For the past 5 years (from 2013 to February 24th, 2017), the creation of new kinds of malware has increased tremendously compared with the previous 10 years (AV-Test, 2016), as depicted in Figure 1.
Figure 1. Number of new malware threats by year
Hence, the need to detect previously unseen malware is growing. This is a particular concern for the Windows operating systems, which run on over 85% of desktops today (Net Marketshare, 2016). The proliferation of smart mobile devices further increases the attack surface. It is believed that 80% of infected mobile devices have been traced to connections with Windows computers and laptops (Alcatel-Lucent, 2015; Chukwu et al., 2017).
Typically, two standard approaches are used to analyze the behavior of a malicious program. Dynamic analysis is a set of methods used to understand the behavior of a program during its execution, while static analysis investigates a program without executing it. The following subsections elaborate on static analysis and the shortcomings associated with it.
1.1. Static Analysis
Analyzing a program to observe its behavior by investigating it without execution is commonly known as static analysis. Depending on the availability of the code and its representation, static analysis can be performed in numerous ways. If the malware source code is available, it assists in evaluating memory errors and can also improve the correctness of program execution (Zeltser, 2016). Binary executables can also be inspected with different tools in static analysis (Christodorescu & Jha, 2003; Del Rey et al., 2016). Static analysis can be performed before or after dynamic analysis, or as a standalone procedure. It can also be used to check whether the analysts have missed anything suspicious after the dynamic analysis. Static analysis is also performed as a pre-dynamic analysis step, to study and understand the behavior prior to executing the code in a live environment.
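As an added illustration of inspecting a Windows binary without executing it (example code written for this preview, not the authors' tooling), the script below walks a PE section table with Python's standard library and reports two common static indicators: per-section entropy and sections that are both writable and executable. The sample image is constructed in code and is not a real program; the flag constants are the standard PE/COFF section characteristics.

```python
import math
import struct
IMAGE_SCN_MEM_EXECUTE = 0x20000000  # PE/COFF section characteristic flags
IMAGE_SCN_MEM_WRITE = 0x80000000


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; values near 8.0 indicate compressed or encrypted (packed) content."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in (data.count(b) for b in range(256)) if c)


def parse_pe_sections(image: bytes) -> list:
    """Walk DOS header -> PE signature -> COFF header -> section table without executing anything."""
    if image[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    hdr = struct.unpack_from("<HHIIIHH", image, coff)  # hdr[1] = NumberOfSections, hdr[5] = SizeOfOptionalHeader
    table = coff + 20 + hdr[5]
    sections = []
    for i in range(hdr[1]):
        name, _, _, raw_size, raw_ptr, _, _, _, _, chars = struct.unpack_from("<8sIIIIIIHHI", image, table + 40 * i)
        raw = image[raw_ptr:raw_ptr + raw_size]
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "entropy": round(shannon_entropy(raw), 2),
            # a section that is both writable and executable is a classic static indicator of self-unpacking code
            "writable_and_executable": bool(chars & IMAGE_SCN_MEM_EXECUTE) and bool(chars & IMAGE_SCN_MEM_WRITE),
        })
    return sections


def build_sample_image() -> bytes:
    """Constructed minimal PE-shaped blob for the demo; it is not a real or runnable program."""
    code = b"\x55\x8b\xec\x83\xc4\x10" * 16  # repetitive code-like bytes: low entropy
    packed = bytes(range(256)) * 2            # every byte value equally often: 8.0 bits/byte
    def section(name, size, ptr, chars):
        return struct.pack("<8sIIIIIIHHI", name, size, 0x1000, size, ptr, 0, 0, 0, 0, chars)
    img = bytearray(0x200 + len(packed))
    img[:0x40] = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)                        # e_lfanew -> 0x40
    img[0x40:0x58] = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0, 0x0102)  # i386, 2 sections
    img[0x58:0x80] = section(b".text", len(code), 0x100, 0x60000020)    # CODE|EXECUTE|READ
    img[0x80:0xA8] = section(b".pack", len(packed), 0x200, 0xE0000040)  # INIT_DATA|EXECUTE|READ|WRITE
    img[0x100:0x100 + len(code)] = code
    img[0x200:] = packed
    return bytes(img)
```

Running `parse_pe_sections(build_sample_image())` reports `.text` as low-entropy and read/execute only, while the constructed `.pack` section scores 8.0 bits per byte and is flagged writable-and-executable, the kind of signal a static triage pass surfaces before any dynamic run.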