DocumentCode :
3301847
Title :
To Incorporate Sequential Dynamic Features in Malware Detection Engines
Author :
Eskandari, Mojtaba ; Khorshidpur, Zeinab ; Hashemi, Sattar
Author_Institution :
Dept. of Comput. Sci. & Eng., Shiraz Univ., Shiraz, Iran
fYear :
2012
fDate :
22-24 Aug. 2012
Firstpage :
46
Lastpage :
52
Abstract :
Currently, signature-based detection is a widely used method within commercial antivirus. Although this method is still used by most commercial antivirus software and is capable of detecting specific malware quickly, it fails to detect new malware. Therefore, antivirus engines are not limited to static signature-based detection; their intelligent detection subsystem can detect unknown malware more accurately than before. It utilizes an analyzer to extract appropriate features from executable files. It then applies a data mining technique on these features to learn the behavior of benign programs and malicious ones. Consequently, it is able to detect unknown malware according to its behavior. Application Programming Interface (API) call sequences are commonly used features in intelligent malware detection systems. An API call sequence captures the activities of a program and, hence, it is an excellent candidate for mining any malicious behavior. A different order of the APIs in a sequence implies a different behavior model. Therefore, the ordering of called APIs is an important issue in analyzing malware behavior. In this paper we propose a novel feature extraction approach for modeling malware behavior. The presented approach extracts the called API sequence by a dynamic analysis method, which executes programs and captures their called APIs. This approach utilizes the N-gram method to preserve the call ordering of APIs. The experimental results show promising accuracy of the presented approach for analyzing malware.
Keywords :
application program interfaces; data mining; digital signatures; invasive software; program diagnostics; API call sequences; antivirus software engines; application programming interface; benign programs; call ordering sequence preservation; data mining technique; executable files; feature extraction; intelligent malware detection systems; malicious programs; malware behavior modeling; malware detection engines; n-gram method; sequential dynamic features; static signature-based detection; Data mining; Engines; Feature extraction; Grippers; Malware; Operating systems; Vegetation; API call sequence; Dynamic analysis; Malware detection; N-grams;
fLanguage :
English
Publisher :
ieee
Conference_Titel :
Intelligence and Security Informatics Conference (EISIC), 2012 European
Conference_Location :
Odense
Print_ISBN :
978-1-4673-2358-1
Type :
conf
DOI :
10.1109/EISIC.2012.57
Filename :
6298812