Malware Detection by Static Checking and Dynamic Analysis of Executables

Deepti Vidyarthi (Defence Institute of Advanced Technology, Pune, India), S.P. Choudhary (Defence Institute of Advanced Technology, Pune, India), Subrata Rakshit (Center of Artificial Intelligence & Robotics, Bangalore, India) and C.R.S. Kumar (Defence Institute of Advanced Technology, Pune, India)
Copyright: © 2017 | Pages: 13
DOI: 10.4018/IJISP.2017070103

Abstract

Advanced malware continues to be a challenge in the digital world that signature-based detection techniques fail to conquer. Malware uses many anti-detection techniques to mutate, so no virus scanner can claim complete malware detection even for known malware. Static and dynamic analysis techniques focus on different kinds of malware, such as evasive or metamorphic malware. This paper proposes a comprehensive approach that combines static checking and dynamic analysis for malware detection. Static analysis is used to check specific code characteristics; dynamic analysis is used to analyze the runtime behavior of malware. The authors propose a framework for the automated analysis of an executable's behavior using text mining. Text mining of dynamic attributes identifies the important features for classifying the executable as benign or malware. The synergistic combination proposed in this paper allows detection not only of known variants of malware but also of obfuscated, packed and unknown malware variants, and of malware that evades dynamic analysis.
Article Preview

Work being done in the field of malware detection can be broadly classified under static analysis and dynamic analysis, as stated in (Mas'ud, 2014). Detection based on static analysis analyzes the executable code without executing the malware; it can detect and prevent a malware application before it is installed. As mentioned in (Moser, 2007), malware authors, being mindful of those static analysis techniques, added anti-static-analysis functionality to malware, such as code obfuscation, binary encryption and packing of code. In dynamic detection, detection is done by monitoring execution at runtime. The runtime behavior is collected in the form of the process's interaction with the operating system through system calls: file and memory modifications, registry modifications, network access, etc.

Multiple behavior-based dynamic analysis techniques have been proposed for malware detection, as discussed in (Choudhary, 2015). Some of the important techniques include binary hooking, API call hooking, running in a sandbox or virtual machine, using machine learning, multiple path execution, instruction tracing and data flow analysis. A few of them are discussed in this section.

(Bayer, 2006) presented a method in which the binary is run in the open source PC emulator QEMU and its security-relevant activities are monitored by analyzing Windows native calls or API calls. It does not modify the binary, so as to prevent detection by the malware, and instead uses hooks and breakpoints implanted in the relevant API and native libraries.
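The abstract's text-mining step (ranking dynamic attributes to find the features that separate benign from malicious executables) and the preview's description of runtime behavior as a stream of system and API calls can be illustrated together. The following is an added example, not code from the paper or its authors: the API-call traces are constructed sample data, the feature score is a simple document-frequency difference, and the classifier is a Laplace-smoothed multinomial naive Bayes; all three are assumptions standing in for whatever the paper's framework actually uses.

```python
from collections import Counter
from math import log

# Constructed dynamic-analysis reports (sample data, not from the paper): one
# string per executable listing the API calls observed at runtime in order.
# Label 1 = malware, 0 = benign.
TRACES = [
    ("CreateFileW WriteFile RegSetValueExW RegSetValueExW CreateRemoteThread "
     "WriteProcessMemory connect send", 1),
    ("CreateFileW RegSetValueExW CreateRemoteThread VirtualAllocEx "
     "WriteProcessMemory InternetOpenUrlW", 1),
    ("FindFirstFileW FindNextFileW CreateFileW WriteFile MoveFileW DeleteFileW "
     "RegSetValueExW connect", 1),
    ("CreateFileW ReadFile ReadFile CloseHandle MessageBoxW", 0),
    ("RegQueryValueExW CreateFileW ReadFile WriteFile CloseHandle", 0),
    ("GetVersionExW LoadLibraryW GetProcAddress CreateWindowExW ShowWindow", 0),
]

def select_features(data, k):
    """Text-mining step: rank each dynamic attribute (API call name) by how
    much its document frequency differs between malware and benign reports,
    and keep the k most discriminative ones (ties broken by name)."""
    df, n = {1: Counter(), 0: Counter()}, {1: 0, 0: 0}
    for trace, label in data:
        n[label] += 1
        df[label].update(set(trace.split()))
    vocab = set(df[1]) | set(df[0])
    score = {t: abs(df[1][t] / n[1] - df[0][t] / n[0]) for t in vocab}
    return sorted(vocab, key=lambda t: (-score[t], t))[:k]

def train(data, features):
    """Multinomial naive Bayes over the selected features with Laplace
    smoothing; returns {class: (log prior, {feature: log likelihood})}."""
    counts, docs = {1: Counter(), 0: Counter()}, {1: 0, 0: 0}
    for trace, label in data:
        docs[label] += 1
        counts[label].update(t for t in trace.split() if t in features)
    model = {}
    for c in (0, 1):
        total = sum(counts[c].values())
        model[c] = (log(docs[c] / len(data)),
                    {f: log((counts[c][f] + 1) / (total + len(features)))
                     for f in features})
    return model

def classify(model, trace):
    """Score a new report; tokens outside the feature set are ignored."""
    scores = {c: prior + sum(ll[t] for t in trace.split() if t in ll)
              for c, (prior, ll) in model.items()}
    return max(scores, key=scores.get)
```

With six features selected, a report containing only calls absent from the feature set scores equally for both classes, which is the case a real deployment must handle by widening the attribute set rather than trusting the tie.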
