Open Access
Malware classification based on API calls and behaviour analysis
Author(s) - Pektaş Abdurrahman, Acarman Tankut
Publication year - 2018
Publication title - IET Information Security
Language(s) - English
Resource type - Journals
SCImago Journal Rank - 0.308
H-Index - 34
eISSN - 1751-8717
pISSN - 1751-8709
DOI - 10.1049/iet-ifs.2017.0430
Subject(s) - malware, computer science, application programming interface, malware analysis, artificial intelligence, machine learning, set (abstract data type), data mining, computer security, operating system, programming language
This study presents a runtime behaviour‐based classification procedure for Windows malware. Runtime behaviours are extracted with a particular focus on the determination of a malicious sequence of application programming interface (API) calls in addition to the file, network and registry activities. Mining and searching n‐grams over API call sequences is introduced to discover episodes representing behaviour‐based features of a malware. The Voting Experts algorithm is used to extract malicious API patterns over API calls. The classification model is built by applying online machine learning algorithms and compared with the baseline classifiers. The model is trained and tested with a fairly large set of 17,400 malware samples belonging to 60 distinct families and 532 benign samples. The malware classification accuracy reaches 98%.
