基于API调用和行为分析的恶意软件分类

IET Inf. Secur. Pub Date : 2017-10-04 DOI:10.1049/iet-ifs.2017.0430

Abdurrahman Pektas, T. Acarman

{"title":"基于API调用和行为分析的恶意软件分类","authors":"Abdurrahman Pektas, T. Acarman","doi":"10.1049/iet-ifs.2017.0430","DOIUrl":null,"url":null,"abstract":"This study presents the runtime behaviour-based classification procedure for Windows malware. Runtime behaviours are extracted with a particular focus on the determination of a malicious sequence of application programming interface (API) calls in addition to the file, network and registry activities. Mining and searching n-gram over API call sequences is introduced to discover episodes representing behaviour-based features of a malware. Voting Experts algorithm is used to extract malicious API patterns over API calls. The classification model is built by applying online machine learning algorithms and compared with the baseline classifiers. The model is trained and tested with a fairly large set of 17,400 malware samples belonging to 60 distinct families and 532 benign samples. The malware classification accuracy is reached at 98%.","PeriodicalId":13305,"journal":{"name":"IET Inf. Secur.","volume":"321 1","pages":"107-117"},"PeriodicalIF":0.0000,"publicationDate":"2017-10-04","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"58","resultStr":"{\"title\":\"Malware classification based on API calls and behaviour analysis\",\"authors\":\"Abdurrahman Pektas, T. Acarman\",\"doi\":\"10.1049/iet-ifs.2017.0430\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"This study presents the runtime behaviour-based classification procedure for Windows malware. Runtime behaviours are extracted with a particular focus on the determination of a malicious sequence of application programming interface (API) calls in addition to the file, network and registry activities. Mining and searching n-gram over API call sequences is introduced to discover episodes representing behaviour-based features of a malware. Voting Experts algorithm is used to extract malicious API patterns over API calls. The classification model is built by applying online machine learning algorithms and compared with the baseline classifiers. The model is trained and tested with a fairly large set of 17,400 malware samples belonging to 60 distinct families and 532 benign samples. The malware classification accuracy is reached at 98%.\",\"PeriodicalId\":13305,\"journal\":{\"name\":\"IET Inf. Secur.\",\"volume\":\"321 1\",\"pages\":\"107-117\"},\"PeriodicalIF\":0.0000,\"publicationDate\":\"2017-10-04\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"\",\"citationCount\":\"58\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"IET Inf. Secur.\",\"FirstCategoryId\":\"1085\",\"ListUrlMain\":\"https://doi.org/10.1049/iet-ifs.2017.0430\",\"RegionNum\":0,\"RegionCategory\":null,\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"\",\"JCRName\":\"\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"IET Inf. Secur.","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1049/iet-ifs.2017.0430","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 58

摘要

提出了基于运行时行为的Windows恶意软件分类方法。在提取运行时行为时，除了文件、网络和注册表活动外，还特别关注确定应用程序编程接口(API)调用的恶意序列。引入API调用序列的n-gram挖掘和搜索来发现代表恶意软件基于行为的特征的事件。投票专家算法用于通过API调用提取恶意API模式。应用在线机器学习算法建立分类模型，并与基线分类器进行比较。该模型是用相当大的一组17400个恶意软件样本进行训练和测试的，这些样本属于60个不同的家族和532个良性样本。恶意软件分类准确率达到98%。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

查看原文

微信好友朋友圈 QQ好友复制链接

本刊更多论文

Malware classification based on API calls and behaviour analysis

This study presents the runtime behaviour-based classification procedure for Windows malware. Runtime behaviours are extracted with a particular focus on the determination of a malicious sequence of application programming interface (API) calls in addition to the file, network and registry activities. Mining and searching n-gram over API call sequences is introduced to discover episodes representing behaviour-based features of a malware. Voting Experts algorithm is used to extract malicious API patterns over API calls. The classification model is built by applying online machine learning algorithms and compared with the baseline classifiers. The model is trained and tested with a fairly large set of 17,400 malware samples belonging to 60 distinct families and 532 benign samples. The malware classification accuracy is reached at 98%.

求助全文

通过发布文献求助，成功后即可免费获取论文全文。去求助

来源期刊

IET Inf. Secur.

自引率

0.00%

发文量

期刊最新文献

Revisit Two Memoryless State-Recovery Cryptanalysis Methods on A5/1 Improved Lattice-Based Mix-Nets for Electronic Voting Adaptive and survivable trust management for Internet of Things systems Comment on 'Targeted Ciphers for Format-Preserving Encryption' from Selected Areas in Cryptography 2018 Time-specific encrypted range query with minimum leakage disclosure