Approach for malware identification using dynamic behaviour and outcome triggering

Abstract

Malware identification is the process of determining the maliciousness of a program, which is necessary for detecting malware variants. Although some techniques have been developed to confront the rapid expansion of malware, they are not efficient to recognise booming malware instances, and can be evaded by using obfuscation techniques. In this study, a novel dynamic malware identification approach is proposed. Concretely, this approach employs techniques that explore multiple execution paths and trigger malicious behaviours with resulting outcomes. To this end, a group of featured malicious behaviours and outcomes (MBOs) are primarily constructed, from which weights for malware family classification are derived. A virtual monitor is then developed to dynamically trigger MBOs by exploring multipath with suitable probing depths. Finally, triggered malicious behaviours are modelled with features recorded in MBOs to train a malware classifier which can identify unknown malware variants. The experimental results on test cases demonstrate the proposed approach is effective in identifying new variants of popular malware families. The comparison with latest malware identifiers shows that our approach achieves lower false positive rate and can recognise malware equipped with obfuscation techniques. © The Institution of Engineering and Technology 2014.