DocumentCode :
3730456
Title :
Using hidden markov model for dynamic malware analysis: First impressions
Author :
Mohammad Imran;Muhammad Tanvir Afzal;Muhammad Abdul Qadir
Author_Institution :
Department of Computer Science, Mohammad Ali Jinnah University, Islamabad, Pakistan 44000
fYear :
2015
Firstpage :
816
Lastpage :
821
Abstract :
Malware developers are coming up with new techniques to escape malware detection. Furthermore, with the common availability of malware construction kits and metamorphic virus generators, creation of obfuscated malware has become child's play. This has made the task of the anti-malware industry a challenging one, as it needs to analyze tens of thousands of new malware samples every day in order to provide defense against the malware threat. The silver lining is that most of the malware generated by such means is different only syntactically, and hence techniques employing dynamic analysis and behavior modeling can be effectively used for classifying malware. In this paper we have proposed a malware classification scheme based on Hidden Markov Models using system calls as observed symbols. Our approach combines the powerful statistical pattern analysis capability of Hidden Markov Models with the proven capacity of system calls as discriminating dynamic features for countering malware obfuscation. Testing the proposed technique on system call logs of real malware shows that it has the potential of effectively classifying unknown malware into known classes.
Keywords :
"Malware","Hidden Markov models","Feature extraction","Training","Analytical models","Computer science"
Publisher :
IEEE
Conference_Titel :
Fuzzy Systems and Knowledge Discovery (FSKD), 2015 12th International Conference on
Type :
conf
DOI :
10.1109/FSKD.2015.7382048
Filename :
7382048