
Using spatio-temporal information in API calls with machine learning algorithms for malware detection
Author(s) - Faraz Ahmed, Haider Hameed, Muhammad Shafiq, Muddassar Farooq
Publication year - 2009
Publication title - CiteSeerX (The Pennsylvania State University)
Language(s) - English
Resource type - Conference proceedings
DOI - 10.1145/1654988.1655003
Subject(s) - malware, computer science, intrusion detection system, machine learning, scalability, key (lock), malware analysis, artificial intelligence, application programming interface, system call, host (biology), novelty detection, data mining, feature (linguistics), set (abstract data type), novelty, algorithm, operating system, programming language, ecology, philosophy, linguistics, theology, biology
Run-time monitoring of program execution behavior is widely used to discriminate between benign and malicious processes running on an end-host. Towards this end, most existing run-time intrusion or malware detection techniques use the information available in Windows Application Programming Interface (API) call arguments or call sequences. In comparison, the key novelty of our proposed tool is the use of statistical features extracted from both the spatial (arguments) and the temporal (sequences) information available in Windows API calls. We provide this composite feature set as input to standard machine learning algorithms, which raise the final alarm. The results of our experiments show that the concurrent analysis of spatio-temporal features improves the detection accuracy of all classifiers. We also perform a scalability analysis to identify a minimal subset of API categories that must be monitored while maintaining high detection accuracy.