A comparison of static, dynamic, and hybrid analysis for malware detection

Journal of Computer Virology and Hacking Techniques

Volumn 13, Issue 1, 2017, Pages 1-12

  Damodaran, Anusha ^a   Troia, Fabio Di ^b   Visaggio, Corrado Aaron ^b   Austin, Thomas H ^a   Stamp, Mark ^a  

^a SAN JOSE STATE UNIVERSITY   (United States)

^b UNIVERSITY OF SANNIO   (Italy)

Author keywords

[No Author keywords available]

Indexed keywords

HIDDEN MARKOV MODELS;

DETECTION PHASE; DYNAMIC APPROACHES; DYNAMIC FEATURES; HIDDEN MARKOV MODELS (HMMS); HYBRID TECHNIQUES; MALWARE DETECTION; MALWARE FAMILIES; STATIC TECHNIQUES;

MALWARE;

EID: 84952030369     PISSN: None     EISSN: 22638733     Source Type: Journal    
DOI: 10.1007/s11416-015-0261-z     Document Type: Article

References (50)

1. Ahmed, F. et al: Using spatio-temporal information in API calls with machine learning algorithms for malware detection, ACM Workshop on Security and Artificial Intelligence (2009)
2. Anderson, B., et al.: Graph-based malware detection using dynamic analysis. J. Comput. Virol. 7(4), 247–258 (2011)
3. Annachhatre, C., Austin, T.H., Stamp, M.: Hidden Markov models for malware classification. J. Comput. Virol. Hack. Tech. 11(2), 59–73 (2014)
4. Attaluri, S., McGhee, S., Stamp, M.: Profile Hidden Markov Models and metamorphic virus detection. J. Comput. Virol. 5(2), 151–169 (2009)
5. Aycock, J.: Computer Viruses and Malware. Springer-Verlag, New York (2006)
6. Baysa, D., Low, R.M., Stamp, M.: Structural entropy and metamorphic malware. J. Comput. Virol. Hack. Tech. 9(4), 179–192 (2013)
7. Borello, J., Me, L.: Code obfuscation techniques for metamorphic viruses. J. Comput. Virol. 4(3), 211–220 (2008)
8. Bradley, A.P.: The use of the area under the ROC curve in the evaluation of machine learning algorithms. J. Pattern Recogn. 30(7), 1145–1159 (1997)
9. Buster Sandbox Analyser. http://bsa.isoftware.nl/. Accessed 20 Dec 2015
10. Choi, Y.H. et al.: Toward extracting malware features for classification using static and dynamic analysis. Computing and Networking Technology (ICCNT), Gueongju, South Korea, pp. 126–129
11. Christodorescu,M., Jha, S.: Static analysis of executables to detect malicious patterns. In: Proceeding of USENIX Security Symposium. Bellevue, WA, pp. 169–186. http://www.cs.cornell.edu/courses/cs711/2005fa/papers/cj-usenix03.pdf
12. Dai, J., Guha, R., Lee, J.: Efficient virus detection using dynamic instruction sequences. J. Comput. 4(5), 405–414 (2009)
13. Damodaran, A.: Combining dynamic and static analysis for malware detection, Master’s report, Department of Computer Science, San Jose State University, 2015. http://scholarworks.sjsu.edu/etd_projects/391/
14. Davis, J., Goadrich, M.: The relationship between precision-recall and ROC curves, http://www.autonlab.org/icml_documents/camera-ready/030_The_Relationship_Bet.pdf
15. Deshpande, P.: Metamorphic detection using function call graph analysis, Master’s report, Department of Computer Science, San Jose State University, 2013, http://scholarworks.sjsu.edu/etd_projects/336/
16. Deshpande, S., Park, Y., Stamp, M.: Eigenvalue analysis for metamorphic detection. J. Comput. Virol. Hack. Techn. 10(1), 53–65 (2014)
17. Dinaburg, A., Royal, P., Sharif, M. and Lee, W.: Ether: Malware analysis via hardware virtualization extensions, CCS 08, October 27–31, 2008, Alexandria, Virginia. http://ether.gtisc.gatech.edu/ether_ccs_2008.pdf
18. Egele, M., Scholte, T., Kirda, E. and Kruegel, C.: A survey on automated dynamic malware analysis techniques and tools. J. ACM Comput. Surv. 44(2):Article 6, (2012)
19. Eskandari, M., Hashemi, S.: A graph mining approach for detecting unknown malwares. J. Vis. Lang. Comput. 23(3), 154–162 (2012)
20. Eskandari, M., Khorshidpour, Z., Hashemi, S.: HDM-Analyser: A hybrid analysis approach based on data mining techniques for malware detection. J. Comput. Virol. Hack. Techn. 9(2), 77–93 (2013)
21. Eskandari, M., Khorshidpur, Z. and Hashemi, S.: To incorporate sequential dynamic features in malware detection engines, Intelligence and Security Informatics Conference (EISIC), pp. 46–52 (2012)
22. Fawcett. T.: An introduction to ROC analysis. http://people.inf.elte.hu/kiss/13dwhdm/roc.pdf
23. Ghahramani, Z.: An introduction to hidden Markov models and Bayesian networks. Int. J. Pattern Recognit. Artif. Intell. 15(1), 9–42 (2001)
24. Harebot.: http://www.pandasecurity.com/homeusers/security-info/220319/Harebot.M
25. Jacob, G., Debar, H., Filiol, E.: Behavioral detection of malware: From a survey towards an established taxonomy. J. Comput. Virol. 4(3), 251–266 (2008)
26. Jidigam, R.K., Austin, T.H., Stamp, M.: Singular value decomposition and metamorphic detection. J. Comput. Virol. Hack. Techn 11(4), 203–216 (2015)
27. Kolbitsch, C. et al.: Effective and efficient malware detection at the end host. In: Proceedings of the 18th conference on USENIX security symposium, pp. 351–366. Montreal Canada. https://www.usenix.org/legacy/event/sec09/tech/full_papers/kolbitsch.pdf
28. Lee, J., Austin, T.H., Stamp, M.: Compression-based analysis of metamorphic malware. Int. J. Secur. Netw 10(2), 124–136 (2015)
29. Nappa, A., Rafique, M.Z. and Caballero, J.: Driving in the cloud: An analysis of drive-by download operations and abuse reporting, Proceedings of the 10th Conference on Detection of Intrusions and Malware & Vulnerability Assessment, Berlin, Germany, July (2013)
30. Park, Y., Reeves, D., Mulukutla, V. and Sundaravel, B.: Fast malware classification by automated behavioral graph matching. In: Proceedings of the 6th Annual Workshop on Cyber Security and Information Intelligence Research (2010)
31. Park, Y., Reeves, D. and Stamp, M.: Deriving common malware behavior through graph clustering. Comput. Secur. 39(B):419–430 (2013)
32. Qiao, Y., He, J., Yang, Y., Ji, L.: Analyzing malware by abstracting the frequent itemsets in API call sequences, pp. 265–270. Trust, Security and Privacy in Computing and Communications (TrustCom) (2013)
33. Rhee, J., Riley, R., Xu, D., Jiang, X.: Kernel malware analysis with un-tampered and temporal views of dynamic kernel memory. Recent Adv. Intrusion Detect. Lect. Notes Comput. Sci. 6307, 178–197 (2010)
34. Rabiner, L.R.: A tutorial on Hidden Markov Models and selected applications in speech recognition. Proc IEEE 77(2):257–286 (1989). http://www.cs.ubc.ca/~murphyk/Bayes/rabiner.pdf
35. Runwal, N., Low, R.M., Stamp, M.: Opcode graph similarity and metamorphic detection. J. Comput. Virol. 8(1–2), 37–52 (2012)
36. SandBoxie. http://sandboxie.com/
37. Security Shield. http://www.symantec.com/security_response/glossary/define.jsp?letter=s&word=security-shield
38. Shankarapani, M.K., Ramamoorthy, S., Movva, R.S., Mukkamala, S.: Malware detection using assembly and API call sequences. J. Comput. Virol. 2(7), 107–119 (2011)
39. Shanmugam, G., Low, R.M., Stamp, M.: Simple substitution distance and metamorphic detection. J. Comput. Virol. Hack. Techn. 9(3), 159–170 (2013)
40. Singh, T.: Support Vector Machines and metamorphic malware detection, Master’s report, Department of Computer Science, San Jose State University (2015). http://scholarworks.sjsu.edu/etd_projects/409/
41. Smart HDD. http://support.kaspersky.com/viruses/rogue?qid=208286454
42. Sorokin, I.: Comparing files using structural entropy. J. Comput. Virol. 7(4), 259–265 (2011)
43. Stamp, M.: A revealing introduction to hidden Markov models (2012). http://www.cs.sjsu.edu/~stamp/RUA/HMM.pdf
44. Symantec White Paper, Internet Security Report, vol 20, (2015). http://www.symantec.com/security_response/publications/threatreport.jsp
45. Toderici, A.H., Stamp, M.: Chi-squared distance and metamorphic virus detection. J. Comput. Virol. Hack. Techn. 9(1), 1–14 (2013)
46. Trojan.Zbot. http://www.symantec.com/security_response/writeup.jsp?docid=2010-011016-3514-99
47. Trojan.ZeroAccess. http://www.symantec.com/security_response/writeup.jsp?docid=2011-071314-0410-99
48. Win32/Winwebsec. http://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Win32%2fWinwebsec
49. Wong, W., Stamp, M.: Hunting for metamorphic engines. J. Comput. Virol. 2(3), 211–229 (2006)
50. Ye, Y., Wang, D., Li, T., Ye, D., Jiang, Q.: An intelligent PE-malware detection system based on association mining. J. Comput. Virol. 4(4), 323–334 (2008)