A Preemptive Behaviour-based Malware Detection through Analysis of API Calls Sequence Inspired by Human Immune System

 
 
 
  • Abstract


    This study detects malware as it begins to execute and proposes a data mining approach to malware detection that uses sequences of API calls in a Windows environment. We begin with some background on the study and on the influence of the human immune system on our detection mechanism, namely the Natural Killer (NK) and Suppressor (S) cells. We apply K = 10-fold cross-validation to the dataset. We use the n-gram technique to form the data both for establishing the knowledge bases and for the detection stage. The detection algorithm integrates the NK and S components so that they work in unison and statistically determine whether a particular executable is benign or malicious. The results show that we can preemptively classify malware and benign programs at the very beginning of their execution, after inspecting only the first few hundred of the targeted API calls. Depending on the processor speed and the other processes running at the time, this can take a fraction of a second or a few seconds. This research is part of our initiative to build a behaviour-based component of a cyber defence, and it will enhance our readiness to combat zero-day attacks.
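    The pipeline the abstract describes (n-grams over API-call traces, knowledge bases built from benign and malicious traces, a streaming NK/S verdict after the first few calls, and k-fold cross-validation), as an added Python example that is not code from the paper. The concrete choices are assumptions made for this illustration: the NK knowledge base holds n-grams seen only in malware (the "non-self" kill signal), the S knowledge base holds n-grams seen in benign programs (the "self" tolerance signal), the thresholds and the six-call warm-up are arbitrary, and the API-call traces are constructed, not captured. The paper's own knowledge bases, statistical test, parameters and dataset are not reproduced here.

```python
"""Added illustration: n-gram API-call knowledge bases with an NK/S-style
streaming verdict and k-fold cross-validation. Everything below (traces,
thresholds, the NK/S scoring rule) is an assumption made for this example,
not the paper's published method or data."""
from typing import List, Sequence, Set, Tuple

NGram = Tuple[str, ...]

# Constructed sample traces of Windows API calls (not captured from real
# programs): benign programs read or write a file and show a message box;
# malicious ones touch the registry and inject into another process.
BENIGN_TRACES: List[List[str]] = [
    ["GetModuleHandleA", "GetProcAddress", "CreateFileW", "ReadFile", "ReadFile",
     "CloseHandle", "MessageBoxA", "ExitProcess"],
    ["GetModuleHandleA", "GetProcAddress", "CreateFileW", "WriteFile", "WriteFile",
     "CloseHandle", "MessageBoxA", "ExitProcess"],
    ["LoadLibraryA", "GetProcAddress", "CreateFileW", "ReadFile", "ReadFile",
     "CloseHandle", "MessageBoxA", "ExitProcess"],
    ["LoadLibraryA", "GetProcAddress", "CreateFileW", "WriteFile", "WriteFile",
     "CloseHandle", "MessageBoxA", "ExitProcess"],
]
MALICIOUS_TRACES: List[List[str]] = [
    ["GetModuleHandleA", "GetProcAddress", "RegOpenKeyExA", "RegSetValueExA", "RegCloseKey",
     "CreateProcessA", "WriteProcessMemory", "CreateRemoteThread", "ExitProcess"],
    ["LoadLibraryA", "GetProcAddress", "RegOpenKeyExA", "RegSetValueExA", "RegCloseKey",
     "CreateProcessA", "WriteProcessMemory", "CreateRemoteThread", "ExitProcess"],
    # These two open with a benign-looking prefix before the registry/injection calls.
    ["GetModuleHandleA", "GetProcAddress", "CreateFileW", "WriteFile", "CloseHandle",
     "RegOpenKeyExA", "RegSetValueExA", "RegCloseKey", "CreateRemoteThread", "ExitProcess"],
    ["LoadLibraryA", "GetProcAddress", "CreateFileW", "WriteFile", "CloseHandle",
     "RegOpenKeyExA", "RegSetValueExA", "RegCloseKey", "CreateRemoteThread", "ExitProcess"],
]


def ngrams(trace: Sequence[str], n: int) -> List[NGram]:
    """All windows of n consecutive API calls in the trace."""
    return [tuple(trace[i:i + n]) for i in range(len(trace) - n + 1)]


def build_knowledge_bases(benign, malicious, n) -> Tuple[Set[NGram], Set[NGram]]:
    """S knowledge base: n-grams seen in benign programs ("self").
    NK knowledge base: n-grams seen in malware but never in benign programs ("non-self")."""
    self_kb = {g for t in benign for g in ngrams(t, n)}
    nk_kb = {g for t in malicious for g in ngrams(t, n)} - self_kb
    return nk_kb, self_kb


def detect(trace, nk_kb, self_kb, n=2, min_calls=6, kill_threshold=2,
           tolerance_threshold=3) -> Tuple[str, int]:
    """Inspect the trace one API call at a time; return (verdict, calls_inspected).

    After a warm-up of min_calls calls, kill_threshold NK hits yield "malicious".
    If no NK hit has occurred and S hits reach tolerance_threshold, the program
    is tolerated as "benign". A trace that ends without either is "undecided"."""
    nk_hits = s_hits = 0
    for i in range(n - 1, len(trace)):
        gram = tuple(trace[i - n + 1:i + 1])
        if gram in nk_kb:
            nk_hits += 1
        elif gram in self_kb:
            s_hits += 1
        calls_seen = i + 1
        if calls_seen < min_calls:
            continue
        if nk_hits >= kill_threshold:
            return "malicious", calls_seen
        if nk_hits == 0 and s_hits >= tolerance_threshold:
            return "benign", calls_seen
    return "undecided", len(trace)


def kfold(num_items: int, k: int) -> List[List[int]]:
    """Strided k-fold split: item j goes to fold j % k."""
    return [list(range(j, num_items, k)) for j in range(k)]


def cross_validate(benign, malicious, n=2, k=4, **detect_params) -> float:
    """Hold out each fold, build knowledge bases from the rest, return accuracy."""
    data = [(t, "benign") for t in benign] + [(t, "malicious") for t in malicious]
    correct = 0
    for fold in kfold(len(data), k):
        held = set(fold)
        train_b = [t for i, (t, lbl) in enumerate(data) if i not in held and lbl == "benign"]
        train_m = [t for i, (t, lbl) in enumerate(data) if i not in held and lbl == "malicious"]
        nk_kb, self_kb = build_knowledge_bases(train_b, train_m, n)
        for i in fold:
            trace, label = data[i]
            verdict, _ = detect(trace, nk_kb, self_kb, n=n, **detect_params)
            correct += verdict == label
    return correct / len(data)


if __name__ == "__main__":
    nk_kb, self_kb = build_knowledge_bases(BENIGN_TRACES, MALICIOUS_TRACES, 2)
    for trace in (BENIGN_TRACES[0], MALICIOUS_TRACES[0], MALICIOUS_TRACES[2]):
        print(detect(trace, nk_kb, self_kb), trace)
    print("4-fold accuracy:", cross_validate(BENIGN_TRACES, MALICIOUS_TRACES))
```

    Two points a practitioner should take from the toy run. The strided split keeps one benign and one malicious trace per fold here because the dataset is laid out benign-first; the paper uses K = 10 on a far larger dataset, where stratifying the folds by class is the equivalent precaution. The warm-up also matters for the preemptive verdict: with min_calls lowered to 4, the third malicious trace, whose first four calls are all benign n-grams, is tolerated as benign before its registry and injection calls are ever seen.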

     


  • Keywords


    API Calls based Detection; K-grams; Malware; N-grams.

  • References


      [1] F-secure. Brontok.N. http://www.f-secure.com/v-descs/brontok_n.shtml.

      [2] Forrest, S., Hofmeyr, S. A., & Somayaji, A. (1998). Intrusion detection using sequences of system calls. Journal of Computer Security, 6(3), 151-180.

      [3] Wespi, A., Dacier, M., & Debar, H. (2000). Intrusion detection using variable-length audit trail patterns. Proceedings of the Third International Workshop on Recent Advances in Intrusion Detection, pp. 110-129.

      [4] Delves, P., Martin, S., Burton, D., & Roitt, I. (2006). Roitt's essential immunology (essentials). Wiley-Blackwell.

      [5] Declercq, W., Vandenabeele, P., & Begley, T. P. (2007). Apoptosome and Caspase activation. Wiley Encyclopedia of Chemical Biology, pp. 1-12.

      [6] Ismail, S. (2010). Apoptosis: Kematian terancang sel [Apoptosis: Programmed cell death]. https://www.majalahsains.com/apoptosis-kematian-terancang-sel/.

      [7] Kim, J., Greensmith, J., Twycross, J., & Aickelin, U. (2005). Malicious code execution detection and response immune system inspired by the danger theory. Proceedings of the Adaptive and Resilient Computing Security Workshop, pp. 1-4.

      [8] Fu, H., Yuan, X., & Hu, L. (2007). Design of a four-layer model based on danger theory and AIS for IDS. Proceedings of the International Conference on Wireless Communications, Networking and Mobile Computing, pp. 6331-6334.

      [9] Dasgupta, D. (2006). Advances in artificial immune systems. IEEE Computational Intelligence Magazine, 1(4), 40-49.

      [10] Matzinger, P. (1994). Tolerance, danger and the extended family. Annual Review in Immunology, 12, 991-1045.

      [11] Aickelin, U., Bentley, P., Cayzer, S., Kim, J., & McLeod, J. (2003). Danger theory: The link between AIS and IDS? Proceedings of the 2nd International Conference on Artificial Immune Systems, pp. 147-155.

      [12] Zekri, M., & Souici-Meslati, L. (2014). Immunological approach for intrusion detection. Revue Africaine de la Recherche en Informatique et Mathématiques Appliquées, 17, 221-240.

      [13] Akira, S., Takeda, K., & Kaisho, T. (2001). Toll-like receptors: Critical proteins linking innate and acquired immunity. Nature Immunology, 2(8), 675-680.

      [14] Nektra Advanced Computing. Deviare API. http://www.nektra.com/products/deviare-api-hook-windows/.

      [15] Microsoft. Detours - Microsoft research. http://research.microsoft.com/en-us/projects/detours/.

      [16] API Monitor. (2010). http://apimonitor.com/order.html.

      [17] nexginrc.org. API call dataset. (2010). http://nexginrc.org/Datasets/Default.aspx.

      [18] Ahmed, F., Hameed, H., Shafiq, M. Z., & Farooq, M. (2009). Using spatio-temporal information in API Calls with machine learning algorithms for malware detection. Proceedings of the 2nd ACM Workshop on Security and Artificial Intelligence, pp. 55-62.

      [19] Symantec. W32.Almanahe.A. (2007). http://www.symantec.com/business/security_response/writeup.jsp?docid=2007-041317-4330-99.

      [20] Kaspersky Lab. Malware profile search. (2010). http://www.kaspersky.com/find?

      [21] Symantec. Malware profile search. (2010). http://searchg.symantec.com/search?

      [22] VX Heavens. Virus collection. (2010). http://vx.netlux.org/faq.php#whole.

      [23] Microsoft Corporation. MSDN library. (2010). http://msdn.microsoft.com/en-us/library.

      [24] Witten, I. H., & Frank, E. (2005). Data mining: Practical machine learning tools and techniques. Morgan Kaufmann.

      [25] Lim, H. (2016). Detecting malicious behaviors of software through analysis of API sequence k-grams. Computer Science and Information Technology, 4(3), 85-91.

      [26] Forrest, S., Perelson, A. S., Allen, L., & Cherukuri, R. (1994). Self-nonself discrimination in a computer. Proceedings of the IEEE Symposium on Research in Security and Privacy, pp. 202-212.

      [27] Refaeilzadeh, P., Tang, L., & Liu, H. (2009). Cross-validation. In L. Liu, & M. T. Özsu (Eds.), Encyclopedia of Database Systems. Massachusetts: Springer, pp. 532-538.


 

Article ID: 21431
 
DOI: 10.14419/ijet.v7i4.15.21431




Copyright © 2012-2015 Science Publishing Corporation Inc. All rights reserved.