Skip to the main content

Original scientific paper

https://doi.org/10.17559/TV-20210202132203

Malicious Behavior Detection Method Using API Sequence in Binary Execution Path

Jihun Kim ; Dept. of Computer Engineering, Yeungnam University, 280 Daehak-Ro, Gyeongsan, Gyeongbuk, Republic of Korea
Sungwon Lee ; Dept. of Computer Engineering, Yeungnam University, 280 Daehak-Ro, Gyeongsan, Gyeongbuk, Republic of Korea
Jonghee Youn* ; Dept. of Computer Engineering, Yeungnam University, 280 Daehak-Ro, Gyeongsan, Gyeongbuk, Republic of Korea


Full text: english pdf 1.133 Kb

page 810-818

downloads: 835

cite


Abstract

Today, the amount of malware is growing very rapidly, and the types and behaviors of malware are becoming very diverse. Unlike existing malicious codes, new types or variants of malicious codes are being identified, and it takes a lot of time to analyze all malicious codes. To solve these problems malware analysts analyze and research effective ways to reduce analysis time and cost. In this paper, we propose a method to express characteristics and detect malicious codes by using API Sequence for malicious code detection and classification. It compares and analyzes several existing expression methods and verifies the effectiveness through actual malicious code samples. Using the expression method proposed in the paper, we detected six malicious behaviors: DLL Injection, Downloader, IAT Hooking, Key Logger, Screen Capture and Antidebugging. As a result, more detection was detected than by conventional detection methods, and it can be seen that the more complex the malicious behavior, the higher the detection efficiency. In addition, static analysis was adopted as the main method, but because it searches execution compression, the flow of malicious behavior can be analyzed.

Keywords

API sequence; binary execution path; malware analysis; malware detection

Hrčak ID:

258200

URI

https://hrcak.srce.hr/258200

Publication date:

6.6.2021.

Visits: 1.841 *