Analysis and Evaluation of Dynamic Feature-Based Malware Detection Methods

  • Arzu Gorgulu KakisimEmail author
  • Mert Nar
  • Necmettin Carkaci
  • Ibrahim Sogukpinar
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11359)


While increasing the threat of malware for information systems, researchers strive to find alternative malware detection methods based on static, dynamic and hybrid analysis. Due to obfuscation techniques to bypass the static analysis, dynamic methods become more useful to detect malware. Therefore, most of the researches focus on dynamic behavior analysis of malicious software. In this work, our main objective is to find more discriminative dynamic features to detect malware executables by analyzing different dynamic features with common malware detection approaches. Moreover, we analyze separately different features obtained in dynamic analysis, such as API-call, usage system library and operations, to observe the contributions of these features to malware detection and classification success. For this purpose, we evaluate the performance of some dynamic feature-based malware detection and classification approaches using four data sets that contain real and synthetic malware executables.


Malware detection Dynamic analysis Polymorphic/metamorphic malware API-call Usage system library Behavior-based analysis 



This work was supported by the Scientific and Technological Research Council of Turkey (TUBITAK), Grant No: ARDEB-116E624.


  1. 1.
    AV-Test GmbH AV-Test malware statistics Technical report 2017. Accessed 18 Oct 2018
  2. 2.
    Rad, B.B., Masrom, M., Ibrahim, S.: Camouflage in malware: from encryption to metamorphism. Int. J. Comput. Sci. Netw. Secur. 12(8), 74–83 (2012)Google Scholar
  3. 3.
    Szor, P., Ferrie, P.: Hunting for metamorphic. In: Virus Bulletin Conference, pp. 123–144, Abingdon (2001)Google Scholar
  4. 4.
    Han, K.S., Kang, B., Im, E.G.: Malware classification using instruction frequencies. In: Proceedings of the 2011 ACM Symposium on Research in Applied Computation, pp. 298–300. ACM (2011)Google Scholar
  5. 5.
    Lee, J., Jeong, K., Lee, H.: Detecting metamorphic malwares using code graphs. In: Proceedings of the 2010 ACM Symposium on Applied Computing, pp. 1970–1977. ACM (2010)Google Scholar
  6. 6.
    Alam, S., Sogukpinar, I., Traore, I., Horspool, R.N.: Sliding window and control flow weight for metamorphic malware detection. J. Comput. Virol. Hacking Tech. 11(2), 75–88 (2015)CrossRefGoogle Scholar
  7. 7.
    Egele, M., Scholte, T., Kirda, E., Kruegel, C.: A survey on automated dynamic malware-analysis techniques and tools. ACM Comput. Surv. (CSUR) 44(2), 6 (2012)CrossRefGoogle Scholar
  8. 8.
    Bayer, U., Kirda, E., Kruegel, C.: Improving the efficiency of dynamic malware analysis. In: Proceedings of the 2010 ACM Symposium on Applied Computing, pp. 1871–1878. ACM (2010)Google Scholar
  9. 9.
    Bai, J., An, Z., Zou, Z., Mu, S.: A dynamic malware detection approach by mining the frequency of API calls. In: Applied Mechanics and Materials, vol. 519–520, pp. 309–312 (2014)Google Scholar
  10. 10.
    Hansen, S.S., Larsen, T.M.T., Stevanovic, M., Pedersen, J.M.: An approach for detection and family classification of malware based on behavioral analysis. In: 2016 International Conference on Computing, Networking and Communications (ICNC), pp. 1–5. IEEE (2016)Google Scholar
  11. 11.
    Shaid, S.Z.M., Maarof, M.A.: Malware behavior image for malware variant identification. In: 2014 International Symposium on Biometrics and Security Technologies (ISBAST), pp. 238–243. IEEE (2014)Google Scholar
  12. 12.
    Pektaş, A.: Behavior based malware classification using online machine learning. Doctoral dissertation, Grenoble Alpes (2015)Google Scholar
  13. 13.
    Imran, M., Afzal, M.T., Qadir, M.A.: Using hidden Markov model for dynamic malware analysis: first impressions. In: 2015 12th International Conference on Fuzzy Systems and Knowledge Discovery (FSKD), pp. 816–821. IEEE (2015)Google Scholar
  14. 14.
    Ki, Y., Kim, E., Kim, H.K.: A novel approach to detect malware based on API call sequence analysis. Int. J. Distrib. Sens. Netw. 11(6), 659101 (2015)CrossRefGoogle Scholar
  15. 15.
    Choudhary, S.P., Vidyarthi, M.D.: A simple method for detection of metamorphic malware using dynamic analysis and text mining. Procedia Comput. Sci. 54, 265–270 (2015)CrossRefGoogle Scholar
  16. 16.
    Yu, B., Fang, Y., Yang, Q., Tang, Y., Liu, L.: A survey of malware behavior description and analysis. Front. Inf. Technol. Electr. Eng. 19(5), 583–603 (2018)CrossRefGoogle Scholar
  17. 17.
    Udayakumar, N., Anandaselvi, S., Subbulakshmi, T.: Dynamic malware analysis using machine learning algorithm. In: 2017 International Conference on Intelligent Sustainable Systems (ICISS), pp. 795–800. IEEE (2017)Google Scholar
  18. 18.
    Choi, Y.H., Han, B.J., Bae, B.C., Oh, H.G., Sohn, K.W.: Toward extracting malware features for classification using static and dynamic analysis. In: 2012 8th International Conference on Computing and Networking Technology (ICCNT), pp. 126–129. IEEE (2012)Google Scholar
  19. 19.
    Gandotra, E., Bansal, D., Sofat, S.: Zero-day malware detection. In: 2016 Sixth International Symposium on Embedded Computing and System Design (ISED), pp. 171–175. IEEE (2016)Google Scholar
  20. 20.
    Firdausi, I., Erwin, A., Nugroho, A.S.: Analysis of machine learning techniques used in behavior-based malware detection. In: 2010 Second International Conference on Advances in Computing, Control and Telecommu-nication Technologies (ACT), pp. 201–203. IEEE (2010)Google Scholar
  21. 21.
    Sikorski, M., Honig, A.: Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software. No Starch Press, San Francisco (2012)Google Scholar
  22. 22.
    Arends, J., Kerstin, I.: Malware Analysis (2018)Google Scholar
  23. 23.
    Willems, C., Holz, T., Freiling, F.: Toward automated dynamic malware analysis using cwsandbox. IEEE Secur. Priv. 5(2) (2007)CrossRefGoogle Scholar
  24. 24.
    The Cuckoo sandbox. Accessed 18 Oct 2018
  25. 25.
    Denning, D.E., Denning, P.J.: Certification of programs for secure information flow. Commun. ACM 20(7), 504–513 (1977)CrossRefGoogle Scholar
  26. 26.
    Windows API Index. Tech Article 2018. Accessed 18 Oct 2018
  27. 27.
    Aizawa, A.: An information-theoretic perspective of TF-IDF measures. Inf. Process. Manage. 39(1), 45–65 (2003)MathSciNetCrossRefGoogle Scholar
  28. 28.
    Nair, V.P., Jain, H., Golecha, Y.K., Gaur, M.S., Laxmi, V.: MEDUSA: MEtamorphic malware dynamic analysis usingsignature from API. In: Proceedings of the 3rd International Conference on Security of Information and Networks, pp. 263–269. ACM (2010)Google Scholar
  29. 29.
    Kim, C. W.: NtMalDetect: A Machine Learning Approach to Malware Detection Using Native API System Calls. arXiv preprint arXiv:1802.05412 (2018)
  30. 30.
    Eskandari, M., Khorshidpur, Z., Hashemi, S.: To incorporate sequential dynamic features in malware detection engines. In: Intelligence and Security Informatics Conference (EISIC) 2012 European, pp. 46–52. IEEE (2012)Google Scholar
  31. 31.
    Cavnar, W.B., Trenkle, J.M.: N-gram-based text categorization. Ann Arbor MI 48113(2), 161–175 (1994)Google Scholar
  32. 32.
    Stamp, M.: A Revealing Introduction to Hidden Markov Models. Department of Computer Science, San Jose State University, pp. 26–56 (2004)Google Scholar
  33. 33.
    Damodaran, A., Di Troia, F., Visaggio, C.A., Austin, T.H., Stamp, M.: A comparison of static, dynamic, and hybrid analysis for malware detection. J. Comput. Virol. Hacking Tech. 13(1), 1–12 (2017)CrossRefGoogle Scholar
  34. 34.
    Wong, W., Stamp, M.: Hunting for metamorphic engines. J. Comput. Virol. 2(3), 211–229 (2006)CrossRefGoogle Scholar
  35. 35.
    Heavens, VX.: Accessed 18 Oct 2018
  36. 36.
    Sridhara, S.M., Stamp, M.: Metamorphic worm that carries its own morphing engine. J. Comput. Virol. Hacking Tech. 9(2), 49–58 (2013)CrossRefGoogle Scholar
  37. 37.
    Souri, A., Hosseini, R.: A state-of-the-art survey of malware detection approaches using data mining techniques. Hum.-centric Comput. Inf. Sci. 8(1), 3 (2018)CrossRefGoogle Scholar
  38. 38.
    WekaTool. Accessed 18 Oct 2018
  39. 39.
    Hall, M.A.: Correlation-based feature subset selection for machine learning. Thesis sub-mitted in partial fulfillment of the requirements of the degree of Doctor of Philosophy at the University of Waikato (1998)Google Scholar

Copyright information

© Springer Nature Switzerland AG 2019

Authors and Affiliations

  • Arzu Gorgulu Kakisim
    • 1
    Email author
  • Mert Nar
    • 1
  • Necmettin Carkaci
    • 1
  • Ibrahim Sogukpinar
    • 1
  1. 1.Gebze Technical UniversityKocaeliTurkey

Personalised recommendations