A Mathematical Model of HMST Model on Malware Static Analysis

Satheesh Abimannan (VIT University, Vellore, India) and Kumaravelu R. (VIT University, Vellore, India)
Copyright: © 2019 | Pages: 18
DOI: 10.4018/IJISP.2019040106


Malware is malicious software that can contaminate communication devices: information can be lost, sensitive data encrypted or deleted, core computing activities altered or hijacked, and a user's computer activity monitored without proper authorization. Analyzing the behavior of any new type of malware that threatens the security of information is a challenging task. Previous studies and research have used static and dynamic analysis. Although there are various methods to analyze the behaviour of malware, the emergence of new technology has led to undesirable growth in malware. A procedure to analyze its characteristics and nature is the need of the day. To mitigate this issue, malware-specific procedures need to be evolved by analysing its behaviour. In this article, the authors present heuristic-based malware static analysis testing (HMST) through a six-step process comprising hash verification, PE structure analysis, packer signature analysis, entropy analysis, antivirus check and string analysis. Heuristic-based malware static analysis (MSA) depends on these six characteristics, and their sequence is quantified mathematically. Hash verification is presented as a dynamic function, PE structure analysis (PESA) as a functional string, Packer Signature (PS) by functional boundedness, Entropy Analysis (EA) with probability, antivirus check (AC) by a discrete logarithm bit representation, and string analysis (SA) by its computational complexity. Hence, an optimized string is proposed for secure transmission. CFF Explorer, BinText, PEiD, DIE and VirusTotal are used for analyzing the behavior of the samples in this study.
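As an added illustration (not code from the paper) of how the first four HMST steps and the string-analysis step can be reproduced without the GUI tools named above: hash verification, a minimal PE structure check, an entropy-based packer heuristic, and printable-string extraction. The antivirus check is omitted because it requires a VirusTotal lookup; the sample buffer is constructed and the 7.0 entropy threshold is an assumed heuristic value, not one taken from the paper.

```python
import hashlib
import math
import re
import struct

# Constructed sample, not a real executable: a DOS header whose e_lfanew field
# (offset 0x3C) points at a "PE\0\0" signature, a couple of strings, and a
# high-entropy tail standing in for a packed section.
DOS_HEADER = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40)
SAMPLE = (DOS_HEADER + b"PE\x00\x00" + b"\x00" * 20
          + b"Hello\x00http://example.invalid\x00" + bytes(range(256)) * 2)

def sha256_hex(data: bytes) -> str:
    """Step 1: file hash used for lookup against known-good/known-bad lists."""
    return hashlib.sha256(data).hexdigest()

def hash_matches(data: bytes, known_hash: str) -> bool:
    """Hash verification: does the sample match a hash we already know?"""
    return sha256_hex(data) == known_hash.lower()

def is_pe(data: bytes) -> bool:
    """Step 2: minimal PE structure check (MZ magic, e_lfanew, PE signature)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def shannon_entropy(data: bytes) -> float:
    """Step 4: Shannon entropy in bits per byte, 0.0 (constant) to 8.0 (uniform)."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def likely_packed(data: bytes, threshold: float = 7.0) -> bool:
    """Step 3 heuristic: packed or encrypted code approaches 8 bits per byte.
    The 7.0 threshold is an assumed value, not one taken from the paper."""
    return shannon_entropy(data) >= threshold

def extract_strings(data: bytes, min_len: int = 4) -> list:
    """Step 6: printable ASCII runs, the kind of output BinText shows."""
    return [m.decode("ascii") for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]
```

A real triage pass would run these per PE section rather than over the whole file, since a single packed section is what drives the entropy signal.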

1. Introduction

Destructive malware has been developed in many forms with differing objectives. The most common classifications of malware are trojans, worms and viruses (Eilam, 2005). Initially, malware was developed either for fun, to show one's capabilities, and/or to highlight weaknesses within a system. Today, however, malware development has reached the highest level of treachery. A wide spectrum of motivations, ranging from personal to national-level interests, has since emerged, and a whole new underground economy based on malware is now established (Aman, 2014). Malware is propagated using abundant infection vectors such as exploiting a vulnerability on a client system, through an open or weak network service, using removable devices (Honig & Sikorski, 2012; Lyda et al., 2007), or through social engineering.

Over the past 5 years (from 2013 to February 24th, 2017), the creation of new kinds of malware has increased far more than in the previous 10 years (AV-Test, 2016), as depicted in Figure 1.

Figure 1. Number of new malware threats by year

Hence, the need to detect previously unseen malware is growing, and it is of particular concern for the Windows operating systems, which run on over 85% of desktops today (Net Marketshare, 2016). The proliferation of smart mobile devices further increases the attack surface. It is believed that 80% of infected mobile devices have been traced to connections with Windows computers and laptops (Alcatel-Lucent, 2015; Chukwu et al., 2017).

Typically, two standard approaches are used to analyze the behavior of a malicious program. Dynamic analysis is a set of methods that are used to understand the behavior of a program during its execution while static analysis is used to investigate a program without executing it. The following subsections elaborate static analysis and the shortcomings associated with it.

1.1. Static Analysis

Analyzing a program to observe its behavior by investigating it without execution is commonly known as static analysis. Depending on the availability of the code and its representation, static analysis can be performed in numerous ways. It assists in identifying memory errors and can also improve the correctness of program execution when the malware source code is available (Zeltser, 2016). Binary executables can also be inspected with different tools in static analysis (Christodorescu & Jha, 2003; Del Rey et al., 2016). Static analysis can be performed before or after dynamic analysis, or as a standalone procedure. It can also be performed after dynamic analysis to check whether the analysts have missed anything suspicious. Static analysis is also performed as a pre-dynamic analysis to study and understand the behavior prior to executing the code in a live environment.
