A Preemptive behaviour-based malware detection through analysis of API calls sequence inspired by Human Immune System


Abstract

This study detects malware as it begins to execute and proposes a data-mining approach to malware detection using sequences of API calls in a Windows environment. We begin with some background to the study and the influence of the Human Immune System on our detection mechanism, i.e. the Natural Killer (NK) and Suppressor (S) cells. We apply K = 10 fold cross-validation to the dataset. We use the n-gram technique to form the data for establishing the Knowledge Bases and for the detection stage. The detection algorithm integrates the NK and S cells to work in unison and statistically determine whether a particular executable is deemed benign or malicious. The results show that we can preemptively detect malware and benign programs at the very beginning of their execution, upon inspecting the first few hundred of the targeted API calls. Depending on the speed of the processor and the other processes running, this can happen in a fraction of a second or a few seconds. This research is part of our initiative to build the behaviour-based component of a cyber defence, and it will enhance our readiness to combat zero-day attacks.
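As an added illustration of the pipeline the abstract describes (n-gram knowledge bases built from labelled API-call traces, an NK/S detector that scores a process as its calls stream in and stops after a bounded number of calls, and K-fold cross-validation over the dataset), the following is example code written for this page; it is not the authors' code and does not use their dataset. Everything below the abstract's outline is an assumption: the API traces are constructed, the NK cell is modelled as firing on n-grams found only in the malicious knowledge base and the S cell as suppressing on n-grams found only in the benign one, the verdict is a simple signed score against a threshold, and `k_fold_accuracy` falls back to leave-one-out when there are fewer than K traces.

```python
from collections import Counter
from typing import Iterable, List, Sequence, Tuple

# Constructed sample traces (hypothetical, for illustration only): the ordered
# NT API calls observed at the start of each process. The malicious traces
# contain a remote-thread injection pattern, the benign ones plain file/registry I/O.
BENIGN_TRACES = [
    ["NtCreateFile", "NtReadFile", "NtReadFile", "NtClose", "NtCreateFile", "NtWriteFile", "NtClose"],
    ["NtCreateFile", "NtReadFile", "NtClose", "NtQueryInformationFile", "NtClose"],
    ["NtOpenKey", "NtQueryValueKey", "NtClose", "NtCreateFile", "NtReadFile", "NtClose"],
    ["NtCreateFile", "NtWriteFile", "NtWriteFile", "NtClose", "NtOpenKey", "NtQueryValueKey", "NtClose"],
]
MALICIOUS_TRACES = [
    ["NtOpenProcess", "NtAllocateVirtualMemory", "NtWriteVirtualMemory", "NtCreateThreadEx", "NtClose"],
    ["NtCreateFile", "NtReadFile", "NtOpenProcess", "NtAllocateVirtualMemory", "NtWriteVirtualMemory", "NtCreateThreadEx"],
    ["NtOpenProcess", "NtAllocateVirtualMemory", "NtWriteVirtualMemory", "NtCreateThreadEx", "NtOpenKey", "NtSetValueKey"],
    ["NtOpenKey", "NtSetValueKey", "NtOpenProcess", "NtWriteVirtualMemory", "NtCreateThreadEx", "NtClose"],
]


def ngrams(calls: Sequence[str], n: int) -> List[Tuple[str, ...]]:
    """All contiguous n-grams of an API-call sequence, in order."""
    return [tuple(calls[i:i + n]) for i in range(len(calls) - n + 1)]


def build_kb(traces: Iterable[Sequence[str]], n: int) -> Counter:
    """Knowledge base: n-gram -> number of occurrences across the training traces."""
    kb: Counter = Counter()
    for trace in traces:
        kb.update(ngrams(trace, n))
    return kb


class NKSDetector:
    """Streaming detector. Assumed model (not the paper's exact rule): the NK cell
    adds +1 for every n-gram seen only in the malicious KB, the S cell adds -1 for
    every n-gram seen only in the benign KB; a verdict fires as soon as |score|
    reaches `threshold`, or at `budget` inspected calls at the latest."""

    def __init__(self, benign_kb: Counter, malicious_kb: Counter,
                 n: int = 2, threshold: int = 2, budget: int = 300) -> None:
        self.n, self.threshold, self.budget = n, threshold, budget
        self.nk = set(malicious_kb) - set(benign_kb)   # grams that trigger the NK cell
        self.s = set(benign_kb) - set(malicious_kb)    # grams that trigger the S cell

    def classify_stream(self, calls: Iterable[str]) -> Tuple[str, int]:
        """Return (verdict, number of calls inspected before the verdict)."""
        window: List[str] = []
        score = inspected = 0
        for call in calls:
            inspected += 1
            window.append(call)
            if len(window) > self.n:
                window.pop(0)
            if len(window) == self.n:
                gram = tuple(window)
                if gram in self.nk:
                    score += 1
                elif gram in self.s:
                    score -= 1
            if score >= self.threshold:
                return "malicious", inspected
            if score <= -self.threshold:
                return "benign", inspected
            if inspected >= self.budget:
                break
        # Budget exhausted or trace ended: fall back to the sign of the score.
        if score == 0:
            return "undecided", inspected
        return ("malicious" if score > 0 else "benign"), inspected


def k_fold_accuracy(benign: List[List[str]], malicious: List[List[str]],
                    k: int = 10, n: int = 2, threshold: int = 2) -> float:
    """K-fold cross-validation: hold out every k-th trace, train on the rest."""
    data = [(t, "benign") for t in benign] + [(t, "malicious") for t in malicious]
    k = min(k, len(data))   # with fewer traces than folds this becomes leave-one-out
    correct = 0
    for fold in range(k):
        train = [d for j, d in enumerate(data) if j % k != fold]
        test = data[fold::k]
        det = NKSDetector(build_kb([t for t, lbl in train if lbl == "benign"], n),
                          build_kb([t for t, lbl in train if lbl == "malicious"], n),
                          n=n, threshold=threshold)
        correct += sum(det.classify_stream(t)[0] == lbl for t, lbl in test)
    return correct / len(data)


if __name__ == "__main__":
    det = NKSDetector(build_kb(BENIGN_TRACES, 2), build_kb(MALICIOUS_TRACES, 2))
    unseen = ["NtCreateFile", "NtReadFile", "NtClose", "NtOpenProcess",
              "NtAllocateVirtualMemory", "NtWriteVirtualMemory", "NtCreateThreadEx", "NtClose"]
    print(det.classify_stream(unseen))                      # verdict before the last call arrives
    print(k_fold_accuracy(BENIGN_TRACES, MALICIOUS_TRACES))
```

The point of `classify_stream` is the preemption the abstract claims: the verdict is returned the moment the score crosses the threshold, so the process can be stopped after a handful of calls rather than after a full trace, and `budget` caps how many calls are ever inspected. With real traces the threshold and n would be tuned on the training folds, and the "seen only in one knowledge base" rule would be replaced by whatever statistic the paper uses.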

Citation (APA)

Marhusin, F., & Lokan, C. J. (2018). A Preemptive behaviour-based malware detection through analysis of API calls sequence inspired by Human Immune System. International Journal of Engineering and Technology(UAE), 7(4), 113–119. https://doi.org/10.14419/ijet.v7i4.15.21431
