CFP last date
20 January 2025
Reseach Article

File Checker: Determining Behavioural Signatures of an Executable Binary to Detect Malware

by Harshal R. Shinde, Himanshu Shukla, A. Jothimani, Anurag Singh Baghel
International Journal of Computer Applications
Foundation of Computer Science (FCS), NY, USA
Volume 176 - Number 22
Year of Publication: 2020
Authors: Harshal R. Shinde, Himanshu Shukla, A. Jothimani, Anurag Singh Baghel
10.5120/ijca2020920200

Harshal R. Shinde, Himanshu Shukla, A. Jothimani, Anurag Singh Baghel . File Checker: Determining Behavioural Signatures of an Executable Binary to Detect Malware. International Journal of Computer Applications. 176, 22 ( May 2020), 15-20. DOI=10.5120/ijca2020920200

@article{ 10.5120/ijca2020920200,
author = { Harshal R. Shinde, Himanshu Shukla, A. Jothimani, Anurag Singh Baghel },
title = { File Checker: Determining Behavioural Signatures of an Executable Binary to Detect Malware },
journal = { International Journal of Computer Applications },
issue_date = { May 2020 },
volume = { 176 },
number = { 22 },
month = { May },
year = { 2020 },
issn = { 0975-8887 },
pages = { 15-20 },
numpages = {9},
url = { https://ijcaonline.org/archives/volume176/number22/31330-2020920200/ },
doi = { 10.5120/ijca2020920200 },
publisher = {Foundation of Computer Science (FCS), NY, USA},
address = {New York, USA}
}
%0 Journal Article
%1 2024-02-07T00:43:12.112333+05:30
%A Harshal R. Shinde
%A Himanshu Shukla
%A A. Jothimani
%A Anurag Singh Baghel
%T File Checker: Determining Behavioural Signatures of an Executable Binary to Detect Malware
%J International Journal of Computer Applications
%@ 0975-8887
%V 176
%N 22
%P 15-20
%D 2020
%I Foundation of Computer Science (FCS), NY, USA
Abstract

The increasing dependency in this technologically advancing world on data is making us vulnerable to frequent cyber-attacks. This study aims at classifying executable binaries(Portable Executable files) based on its run-time behaviour. Traditional approaches to detecting windows-based malware include comparing files hashes, strings, etc., which clearly failed to detect the new world malware kinds - morphed and obfuscated. Although the dynamically based detection distinctly outperformed static based detection techniques, it failed to effectively detect advanced malicious programs. System-call injection attacks usually inject irrelevant calls to alter an execution sequence of malware, thereby making it undetectable to calls based detection systems. The proposed method aims at extracting traces of API calls made to generate possible unique alternative traces in order to detect other malicious API patterns which may be left out due to prevent call injection attacks. A classification model is built by employing the RandomForest algorithm, and its efficiency is compared with other baseline classifiers. This model classifies the data effectively with 91.9% accuracy.

References
  1. M. Christodorescu, S. Jha, S. A. Seshia, D. Song, and R. E. Bryant, “Semantics-aware malware detection,” in Proc. of IEEE Symposium on Security and Privacy (SP’10), 2005, pp. 32–46.
  2. Sundarkumar, G.G., Ravi, V., Nwogu, I. and Govindaraju, V., 2015, August. Malware detection via API calls, topic models and machine learning. In 2015 IEEE International Conference on Automation Science and Engineering (CASE) (pp. 1212-1217). IEEE.
  3. A. Sami, H. Rahimi, and B. Yadegari, “Malware detection by behavioural sequential patterns,” Comput. Fraud and Secur., vol. 2013, no. 8, pp. 11 – 19, 2013.
  4. Hofmeyr, S. A., Forrest, S., & Somayaji, A. (1998). Intrusion detection using sequences of system calls. Journal of Computer Security, 6, 151–180.
  5. A. Lanzi, D. Balzarotti, C. Kruegel, M. Christodorescu, and E. Kirda, “Accessminer: Using system-centric models for malware protection,” in Proc. of the 17th ACM Conference on Computer and Communications Security (CCS’10), 2010, pp. 399–412.
  6. S. Naval, V. Laxmi, M. Rajarajan, M. S. Gaur and M. Conti, "Employing Program Semantics for Malware Detection," in IEEE Transactions on Information Forensics and Security, vol. 10, no. 12, pp. 2591-2604, Dec. 2015.
  7. M. Fredrikson, S. Jha, M. Christodorescu, R. Sailer, and X. Yan “Synthesizing near-optimal malware specifications from suspicious behaviours,” in Proc. of IEEE Symposium on Security and Privacy (SP’10), 2010, pp. 45–60.
  8. G. Jacob, R. Hund, C. Kruegel, and T. Holz, “Jackstraws: Picking command and control connections from bot traffic,” in Proc. of the 20th USENIX Conference on Security (SEC’11), 2011, pp. 29–48.
  9. D. Quist and L. Liebrock, “Visualizing compiled executables for malware analysis,” in Proc. of 6th International Workshop on Visualization for Cyber Security (VizSec’09), Oct 2009, pp. 27–32.
  10. J. R. Norris, Markov Chains. Cambridge University Press, 1998.
  11. M. J. Quinn and N. Deo, “Parallel graph algorithms,” ACM Comput. Surv., vol. 16, no. 3, pp. 319–348, Sep. 1984.
  12. A. Cabrera and R. A. Calix, "On the Anatomy of the Dynamic Behavior of Polymorphic Viruses," 2016 International Conference on Collaboration Technologies and Systems (CTS), Orlando, FL, 2016, pp. 424-429.
  13. T. Fawcett, “An introduction to ROC analysis,” Pattern Recognition Lett., vol. 27, no. 8, pp. 861–874, 2006.
Index Terms

Computer Science
Information Sciences

Keywords

Executable Binaries Portable Executable Malware Hashes Morphed Obfuscated System-Call Injection Attacks API Patterns.