A dynamic Windows malware detection and prediction method based on contextual understanding of API call sequence

The result's identifiers

  • Result code in IS VaVaI

    RIV/61989100:27240/20:10244830 - isvavai.cz (https://www.isvavai.cz/riv?ss=detail&h=RIV%2F61989100%3A27240%2F20%3A10244830)

  • Result on the web

    https://www.sciencedirect.com/science/article/pii/S0167404820300444?via%3Dihub

  • DOI - Digital Object Identifier

    10.1016/j.cose.2020.101760 (http://dx.doi.org/10.1016/j.cose.2020.101760)

Alternative languages

  • Result language

    English

  • Original language name

    A dynamic Windows malware detection and prediction method based on contextual understanding of API call sequence

  • Original language description

    The malware API call graph derived from API call sequences is considered a representative technique for understanding the behavioral characteristics of malware. However, it is troublesome in practice to build a behavioral graph for each malware sample. To resolve this issue, we examine how to generate a simple behavioral graph that characterizes malware. In this paper, we introduce the use of word embedding to understand the contextual relationship that exists between API functions in malware call sequences. We also propose a method that segregates individual functions with similar contextual traits into clusters. Our experimental results prove that there is a significant distinction between malware and goodware call sequences. Based on this distinction, we introduce a new method to detect and predict malware based on the Markov chain. Through modeling the behavior of malware and goodware API call sequences, we generate a semantic transition matrix which depicts the actual relation between API functions. Our models return an average detection precision of 0.990, with a false positive rate of 0.010. We also propose a prediction methodology that predicts whether an API call sequence is malicious or not from the initial API calling functions. Our model returns an average accuracy for the prediction of 0.997. Therefore, we propose an approach that can block malicious payloads instead of detecting them after execution, and so avoids repairing the damage. (C) 2020 Elsevier Ltd. All rights reserved.

  • Czech name

  • Czech description
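The abstract above describes a pipeline of three steps: group API functions into clusters by their context, train one Markov chain over the cluster sequences of malware and one over goodware (the "semantic transition matrix"), and score a sequence, or only its first few calls, by which chain explains it better. The following Python block is an added example written for this page; it is not the paper's code and does not reproduce its embeddings or datasets. The API-to-cluster map, the training sequences and the test sequences are constructed by hand for illustration (the paper derives the clusters from word embeddings), and the function names are the example's own.

```python
# Added example, not the paper's code. Models API-call sequences as a
# first-order Markov chain over hand-assigned "semantic" clusters and scores
# a sequence by the log-likelihood ratio malware vs. goodware.
from collections import defaultdict
import math

# Hypothetical cluster map (constructed). The paper clusters API functions
# by word-embedding context; here the grouping is assigned by hand.
API_CLUSTERS = {
    "VirtualAlloc": "mem", "VirtualProtect": "mem", "HeapAlloc": "mem",
    "OpenProcess": "inject", "WriteProcessMemory": "inject", "CreateRemoteThread": "inject",
    "CreateFileW": "file", "ReadFile": "file", "WriteFile": "file", "CloseHandle": "file",
    "RegOpenKeyExW": "reg", "RegSetValueExW": "reg", "RegCloseKey": "reg",
    "InternetOpenW": "net", "InternetOpenUrlW": "net", "InternetReadFile": "net",
    "CreateWindowExW": "ui", "GetMessageW": "ui", "DispatchMessageW": "ui",
}
START, END = "<s>", "</s>"
STATES = {START, END, "other"} | set(API_CLUSTERS.values())

# Constructed training traces (not real samples): malware traces lean on
# download/inject/persist patterns, goodware traces on file I/O and UI loops.
MALWARE = [
    ["InternetOpenW", "InternetOpenUrlW", "InternetReadFile", "VirtualAlloc",
     "VirtualProtect", "OpenProcess", "WriteProcessMemory", "CreateRemoteThread"],
    ["OpenProcess", "VirtualAlloc", "WriteProcessMemory", "CreateRemoteThread",
     "RegOpenKeyExW", "RegSetValueExW", "RegCloseKey"],
    ["InternetOpenW", "InternetReadFile", "CreateFileW", "WriteFile", "CloseHandle",
     "RegOpenKeyExW", "RegSetValueExW"],
]
GOODWARE = [
    ["CreateWindowExW", "GetMessageW", "DispatchMessageW", "GetMessageW", "DispatchMessageW"],
    ["CreateFileW", "ReadFile", "ReadFile", "CloseHandle", "CreateWindowExW",
     "GetMessageW", "DispatchMessageW"],
    ["HeapAlloc", "CreateFileW", "WriteFile", "CloseHandle", "GetMessageW", "DispatchMessageW"],
]


def to_clusters(seq):
    # API names outside the map fall into "other" instead of raising.
    return [API_CLUSTERS.get(api, "other") for api in seq]


def train(sequences, alpha=1.0):
    """Return a transition matrix P[a][b] over cluster states.

    Additive (Laplace) smoothing keeps every transition non-zero, so an
    unseen transition lowers the score instead of making log() blow up.
    """
    counts = defaultdict(lambda: defaultdict(float))
    for seq in sequences:
        symbols = [START] + to_clusters(seq) + [END]
        for a, b in zip(symbols, symbols[1:]):
            counts[a][b] += 1
    matrix = {}
    for a in STATES:
        total = sum(counts[a].values()) + alpha * len(STATES)
        matrix[a] = {b: (counts[a][b] + alpha) / total for b in STATES}
    return matrix


def log_likelihood(matrix, seq, prefix_only=False):
    # With prefix_only the END transition is dropped: the sequence is still
    # running, which is the prediction-from-initial-calls setting.
    symbols = [START] + to_clusters(seq)
    if not prefix_only:
        symbols.append(END)
    return sum(math.log(matrix[a][b]) for a, b in zip(symbols, symbols[1:]))


def classify(mal_model, good_model, seq, prefix_only=False):
    """Log-likelihood ratio; > 0 means the malware chain fits better."""
    return (log_likelihood(mal_model, seq, prefix_only)
            - log_likelihood(good_model, seq, prefix_only))


def predict_from_prefix(mal_model, good_model, seq, k):
    """Score only the first k calls, i.e. decide before the payload runs."""
    return classify(mal_model, good_model, seq[:k], prefix_only=True)


def train_models():
    return train(MALWARE), train(GOODWARE)


if __name__ == "__main__":
    mal, good = train_models()
    unseen = ["OpenProcess", "VirtualAlloc", "WriteProcessMemory", "CreateRemoteThread"]
    print("full-sequence score:", round(classify(mal, good, unseen), 3))
    print("prefix (3 calls) score:", round(predict_from_prefix(mal, good, MALWARE[0], 3), 3))
```

The ratio threshold is 0 here for simplicity; in practice it is tuned on held-out data to trade precision against false positives, and a first-order chain is only a stand-in for whatever order and cluster granularity the real model uses.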

Classification

  • Type

    Jimp - Article in a specialist periodical indexed in the Web of Science database

  • CEP classification

  • OECD FORD branch

    10200 - Computer and information sciences

Result continuities

  • Project

  • Continuities

    S - Specific research at universities

Others

  • Publication year

    2020

  • Confidentiality

    S - Complete and true data on the project are not subject to protection under special legal regulations

Data specific for result type

  • Name of the periodical

    Computers and Security

  • ISSN

    0167-4048

  • e-ISSN

  • Volume of the periodical

    92

  • Issue of the periodical within the volume

    5

  • Country of publishing house

    GB - UNITED KINGDOM

  • Number of pages

    15

  • Pages from-to

  • UT code for WoS article

    000526984900024

  • EID of the result in the Scopus database