Concordance and Term Frequency in Analyzing API Calls for Malware Behavior Detection
- 1 Universiti Kebangsaan Malaysia, Malaysia
- 2 Centre for Development of Advanced Computing, India
Abstract
Application Programming Interface (API) is used for the software to interact with an operating system to do certain task such as opening file, deleting file and many more. Programmers use this API to make it easier for their program to communicate with the operating system without having the knowledge of the hardware of the target system. Malware author is an attacker that may belong to an organization or work for themselves. Some malware author has the capabilities to write their own malware, uses the same kind of APIs that is used to create normal programs to create malware. There are many researches done in this field, however, most researchers used n-gram to detect the sequence of API calls and although it gave good results, it is time consuming to process through all the output. This is the reason why this paper proposed to use Concordance to search for the API call sequence of a malware because it uses KWIC (Key Word in Context), thus only displayed the output based on the queried keyword. After that, Term Frequency (TF) is used to search for the most commonly used APIs in the dataset. The results of the experiment show that concordance can be used to search for API call sequence as we manage to identify six malicious behaviors (Install Itself at Startup, Enumerate All Process, Privilege Escalation, Terminate Process, Process Hollowing and Ant debugging) using this method. And based on the TF score, the most commonly used API in the dataset is the Reg Close Key (TF: 1.388), which on its own is not a dangerous API, hence we can infer that most API is not malicious in nature, it is how they were implemented is making them dangerous.
DOI: https://doi.org/10.3844/jcssp.2019.1307.1319
Copyright: © 2019 Nur Hilda Amira Abd Wahab, Masnizah Mohd, Ravie Chandren Muniyandi, Balaji Rajendran and Gopinath Palaniappan. This is an open access article distributed under the terms of the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original author and source are credited.
- 4,150 Views
- 2,025 Downloads
- 0 Citations
Download
Keywords
- Concordance
- KWIC
- API Call Sequence
- Malware Behaviors
- Dynamic Analysis