A Study on Similarity Calculation Method for API Invocation Sequences

  • Yu Jin Shim
  • TaeGuen Kim
  • Eul Gyu Im
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9436)


Malware variants are developed and spread over the Internet, and the number of new malware variants increases every year. Recently, obfuscation and mutation techniques have been applied to malware to hide its existence, and malware variants are developed with various automatic tools that transform the properties of existing malware to avoid malware detection systems based on static analysis. It is difficult to detect such obfuscated malware with static signatures, so we have designed a detection system based on dynamic analysis. In this paper, we propose a dynamic-analysis-based system that uses API invocation sequences to compare the behaviors of suspicious software with the behaviors of existing malware.


Keywords: Malware detection; API invocation sequence; Dynamic analysis; Similarity calculation method



This research was supported by the Next-Generation Information Computing Development Program through the National Research Foundation of Korea (NRF) funded by the Ministry of Science, ICT & Future Planning (2011-0029923).



Copyright information

© Springer International Publishing Switzerland 2015

Open Access. This chapter is licensed under the terms of the Creative Commons Attribution-NonCommercial 2.5 International License, which permits any noncommercial use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license and indicate if changes were made.

The images or other third party material in this chapter are included in the chapter's Creative Commons license, unless indicated otherwise in a credit line to the material. If material is not included in the chapter's Creative Commons license and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder.

Authors and Affiliations

  1. Department of Computer Software, Hanyang University, Seoul, Korea
  2. Division of Computer Science and Engineering, Hanyang University, Seoul, Korea
