Characterising malicious software with high-level behavioural patterns

Abstract

Current research trends concerning malicious software indicate preferring malware behaviour over malware structure analysis. Detection is heading to methods employing malware models on higher level of abstraction, not purely on the level of program’s code. Specification of applicable level of abstraction for investigation and detection of malware may present a serious challenge. Many approaches claim using high-level abstraction of malware behaviour but they are still based on sequences of instructions which form the malicious program. Techniques which rely on syntactic representation potentially fail whenever malware writers employ mutation or obfuscation of malicious code. Our work presents a different strategy. We utilised freely available information about malicious programs which were already inspected and tried to find patterns in malware behaviour, which are not bound to syntactic representation of malicious samples and so should withstand malware mutation on the syntactic level.