Technical gazette, Vol. 28 No. 3, 2021.
Original scientific paper
https://doi.org/10.17559/TV-20210202132203
Malicious Behavior Detection Method Using API Sequence in Binary Execution Path
Jihun Kim; Dept. of Computer Engineering, Yeungnam University, 280 Daehak-Ro, Gyeongsan, Gyeongbuk, Republic of Korea
Sungwon Lee; Dept. of Computer Engineering, Yeungnam University, 280 Daehak-Ro, Gyeongsan, Gyeongbuk, Republic of Korea
Jonghee Youn*; Dept. of Computer Engineering, Yeungnam University, 280 Daehak-Ro, Gyeongsan, Gyeongbuk, Republic of Korea
Abstract
Today, the amount of malware is growing very rapidly, and the types and behaviors of malware are becoming very diverse. New types and variants of malicious code, unlike existing malicious code, keep being identified, and it takes a lot of time to analyze all of them. To solve these problems, malware analysts research effective ways to reduce analysis time and cost. In this paper, we propose a method that uses API sequences to express the characteristics of malicious code and to detect and classify it. The paper compares and analyzes several existing expression methods and verifies the effectiveness of the method on actual malicious code samples. Using the expression method proposed in the paper, we detected six malicious behaviors: DLL Injection, Downloader, IAT Hooking, Key Logger, Screen Capture and Anti-debugging. As a result, more detections were made than with conventional detection methods, and the more complex the malicious behavior, the higher the detection efficiency. In addition, static analysis was adopted as the main method, but because it searches execution compression, the flow of malicious behavior can be analyzed.
Keywords
API sequence; binary execution path; malware analysis; malware detection
Hrčak ID:
258200
Publication date:
6.6.2021.