ResearchArticle ...downloads.hindawi.com/journals/scn/2020/7501894.pdf · ing methods to make the detection process more diﬃcult. is makes practically almost impossible to detect

Research ArticleUsing a Subtractive Center Behavioral Model to Detect Malware

Omer Aslan 12 Refik Samet 1 and Omer Ozgur Tanrıover 1

1Ankara University Computer Engineering Department Ankara 06830 Turkey2Siirt University Computer Engineering Department Siirt 56100 Turkey

Correspondence should be addressed to Omer Aslan omeraslansiirtedutr

Received 6 November 2019 Accepted 29 January 2020 Published 27 February 2020

Guest Editor Hammad Afzal

Copyright copy 2020 Omer Aslan et al is is an open access article distributed under the Creative Commons Attribution Licensewhich permits unrestricted use distribution and reproduction in any medium provided the original work is properly cited

In recent years malware has evolved by using different obfuscation techniques due to this evolution the detection of malware hasbecome problematic Signature-based and traditional behavior-based malware detectors cannot effectively detect this newgeneration of malwareis paper proposes a subtractive center behavior model (SCBM) to create a malware dataset that capturessemantically related behaviors from sample programs In the proposed model system paths where malware behaviors areperformed and malware behaviors themselves are taken into consideration is way malicious behavior patterns are differ-entiated from benign behavior patterns Features that could not exceed the specified score are removed from the dataset edatasets created using the proposed model contain far fewer features than the datasets created by n-gram and other models thathave been used in other studies e proposed model can handle both known and unknown malware and the obtained detectionrate and accuracy of the proposed model are higher than those of the known models To show the effectiveness of the proposedmodel 2 datasets with score and without score are created by using SCBM In total 6700 malware samples and 3000 benignsamples are tested e results are compared with those derived from n-gram and models from other studies in the literature etest results show that by combining the proposed model with an appropriate machine learning algorithm the detection rate falsepositive rate and accuracy are measured as 999 02 and 998 respectively

1 Introduction

Any software that performs malicious activities on victimmachines is considered to be malware Sophisticatedmalware uses packing and obfuscation techniques to makethe analysis and detection processes more difficult [1]Malware lies at the root of almost all cyber threats andattacks including global threats advanced persistentthreats (APTs) sensitive data theft remote code execu-tion and distributed denial of service (DDoS) attacks Inrecent years the number sophistication of malware at-tacks and the economic damage caused by malware havebeen increasing exponentially According to scientific andbusiness reports approximately 1 million malware filesare created every day According to cybersecurity ven-tures cybercrime will cost the world economy approxi-mately $6 trillion annually by 2021 [2] According to thesame report in 2019 ransomware malware costs around$115 billion globally [2]

Mobile malware is on the rise According to the McAfeemobile threat report there is a substantial increase inbackdoors fake applications and banking Trojans formobile devices [3] e number of new mobile malwarevariants increased by 54 from 2016 to 2017 [4] and mosttypes of unknown and mobile malware are evolved versionsof known malware [5] Moreover malware attacks related tothe healthcare industry cloud computing social mediaInternet of ings and cryptocurrencies are also on the rise[2 6]

It is almost impossible to propose a method or systemthat can detect every new generation of sophisticatedmalware e 4 main methods used to detect malware arebased on signature behavior heuristic and model checkingdetection Each method has advantages and disadvantages

Signature-based malware detector examines the featuresthat encapsulate the programrsquos structure and uniquely identifythe malware is method detects known malware efficientlybut it cannot detect unknownmalware Behavior-basedmalware

HindawiSecurity and Communication NetworksVolume 2020 Article ID 7501894 17 pageshttpsdoiorg10115520207501894

detector observes program behaviors using monitoring toolsand determines whether the program is malware or benignAlthough program codes change the behavior of the programwill remain relatively the same thus new malware can bedetected with this method [7] However some malware doesnot run properly under the protected environment (eg virtualmachine and sandbox environment) and thus the malwaresample may be incorrectly marked as benign

In recent years heuristic-based detection methods havebeen used frequently ese methods are complex detectionmethods that apply both experience and different techniquessuch as rules and machine learning techniques [8] Howevereven if the heuristic technique can detect various forms ofknown and unknown malware [7] it cannot detect newmalware that is quite different from existingmalware Inmodelchecking-based detection malware behaviors are manuallyextracted and behavior groups are coded using linear temporallogic (LTL) to display a specific feature [9] Although modelchecking-based detection can successfully detect some un-known malware that could not be detected with the previous 3methods it is insufficient for detecting all new malware

In this paper the subtractive center behavior model(SCBM) which captures semantically associated behaviorswhen creating a dataset is proposed In this model inaddition to malware behaviors system paths where malwarebehaviors are executed are also considered

e proposed model makes the following contributions

(i) SCBM is proposed to create a malware dataset withfewer features than known models

(ii) Instead of directly using system calls as behaviorssystem calls are mapped to relevant behaviors

(iii) Behaviors are divided into groups and risk scoresare calculated based on the system path and active-passive behaviors

(iv) Features are extracted from behaviors according tothe type of resources and instances that have beenused is way malicious behavior patterns aresegregated from benign behavior patterns

(v) e proposed model can handle both known andunknown malware

(vi) e obtained detection rate and accuracy of theproposed model are higher than those of the knownmodels

e rest of this paper is organized as follows Section 2defines malware and describes trends in malware technol-ogies Related work is summarized in Section 3 SCBM isexplained in Section 4 and the case study is presented inSection 5 e results and discussion are provided in Section6 Finally the limitations and future works are given inSection 7 and the conclusion is given in Section 8

2 Definition of Malware and Trends inMalware Technologies

Any software that intentionally executes malicious payloadson victim machines is considered to be malware [7] ere

are different types of malware including viruses wormsTrojan horses rootkits and ransomware Commonmalwaretypes and their primary characteristics can be seen in Table 1e malware types and families are designed to affect theoriginal victimmachine in different ways (eg damaging thetargeted system allowing remote code execution andstealing confidential data) Generally hackers launch anattack by using malware which exploits vulnerabilities inexisting systems such as buffer overflow injection andsensitive data misconfiguration [10] ese days the clas-sification of malware is becoming more complex becausesome malware instances can present the characteristics ofmultiple classes at the same time [11]

Viruses which are considered to be first malware thatappeared in the wild were defined as self-replicatingautomata by John von Neumann in the 1950s Howeverpractically the first virus called ldquothe Creeperrdquo was created in1971 by Bobomas [12 13] In the early days this softwarewas written for simple purposes but in time it was replacedby a new generation of malware that targeted large com-panies and governments Malware that runs in the kernelmode is more destructive and difficult to detect than tra-ditional malware and it can be defined as a new generation(next generation) of malware e comparison betweentraditional and new generation malware can be seen inTable 2

e inability to implement the operating system controlfeatures in the kernel mode makes the detection of newgeneration malware difficult is malware can easily bypassprotection software that is running in the kernel mode suchas antivirus software and firewalls In addition by using thissoftware targeted and persistent cyberattacks that havenever been seen before can be launched and more than onetype of malware can be used during the attacks Examples oftraditional versus new generation malware can be seen inFigures 1 and 2

M represents malware and (P1 P2 P3 P4) show therunning processes that interact with the malware First Mcopies itself into different processes such as P1 P2 and P3enM deletes itself from the system to make itself invisible(Figure 2) In early days rootkits were using similar tech-niques to hide themselves from the system However inprocess of time many other kinds of malware (in some casesrootkits are combining with viruses worms and Trojanhorses) have started to use similar techniques to hidethemselves as well With the help of the processes it hasrecently copied (P1⟶P2 P1⟶ P3 P3⟶ P4) and itconnects to remote system and makes changes on thevictimrsquos operating system Even if the actual malwarecontaining the malicious code has deleted itself from thesystem the new version of the malware remains in andaffects the system because the actual malware injecteditself into different processes such as existing system filesthird-party software and newly created processes whichmake the malware almost impossible to detect To de-termine the malicious software mentioned in Figure 2 Mand the P1 P2 P3 and P4 processes must be examinedseparately and the relations among these processesshould be determined

2 Security and Communication Networks

In addition the new generation malware uses thecommon obfuscation techniques such as encryption oli-gomorphic polymorphic metamorphic stealth and pack-ing methods to make the detection process more difficultis makes practically almost impossible to detect allmalware with single detection approach e well-knownobfuscation techniques can be explained as follows

(1) Encryption malware uses encryption to hide mali-cious code block in its entire code [9]us malwarebecomes invisible in the host

(2) Oligomorphic a different key is used when encryptingand decrypting malware payload Hence it is more

difficult to detect malware which uses the oligomor-phic method rather than encryption

(3) Polymorphic malware uses a different key to encryptand decrypt likewise the key used in the oligomorphic

Table 1 Common malware types and their primary characteristics

Common malware types Primary characteristics

Virus Most common and well-known malwareAttaches itself to other programs to replicate

WormSpreads by using computer network

Allows unauthorized accessOften opens backdoor in the victim system

Trojan Horse

Appears to be a normal program but it is notCan open backdoors

Can cause unauthorized accessCan send critical information to the third party

Backdoor

Bypasses traditional security mechanismsOpens system to remote access

Usually installed by using Trojans and wormsUsed by viruses and worms for complex attacks

RootkitProvides administrator-level access

Hides their files from the operating systemCan combine with other malware

Ransomware Encrypts the data on infected systemVictim needs to pay ransom to view the data

Spyware Collects victimrsquos sensitive information and sends them to third partiesCommonly used to access credit card information or to identify user habits

Obfuscated malware Can be any type of malwareUses obfuscation techniques to make detection process more difficult

Table 2 Comparison of traditional and new generation malware

Comparison parameter Traditional New generationImplementation level Simple coded Hard codedState of behaviors Static DynamicProliferation Each copy is similar Each copy is differentrough spreading Uses exe extension Uses also different extensionsPermanence in the system Temporal PersistentInteraction with processes A few processes Multiple processesUsing concealment techniques None YesAttack type General TargetedDefensive challenge Easy DifficultTargeted devices A few devices Many different devices

M P1 Operating system

Hardware

Figure 1 Traditional malware

M P1

Operating system

Hardware

RemotesystemM(D)

Deletedprocess

P2

P3

P4

Figure 2 New generation malware

Security and Communication Networks 3

and encryption method However the encryptedpayload portion contains several copies of the decoderus it is more difficult to detect polymorphic mal-ware when compared to oligomorphic malware

(4) Metamorphic metamorphic method does not useencryption Instead it uses dynamic code hidingwhich the opcode is changing on each iteration whenthe malicious process is executed [9] It is verydifficult to detect such malware because each newcopy has a completely different signature

(5) Stealth the stealth method also called code protec-tion implements a number of countertechniques toprevent it from being analyzed correctly For ex-ample it can make changes on the system and keep ithidden from detection systems

(6) Packaging packaging is an obfuscation technique tocompress malware to prevent detection or hiding theactual code by using encryption Due to this tech-nique malware can easily bypass firewall and anti-virus software [7] Packaged malware need to beunpacked before being analyzed

3 Related Work

In recent years there has been a rapid increase in thenumber of studies on malware analysis and detection In theearly years signature-based detection was used widely Overtime researchers have developed new techniques fordetecting malware including detection techniques based onbehavior heuristics and model checking ere is hugedemand for methods that effectively detect complex andunknown malware us we present related research fromthe literature and examine the pros and cons of each studye summary of related works can be seen in Table 3

e similarities determined among features by usingsystem calls were described in [14 20] Wagener et al [14]proposed a flexible and automated approach that consideredsystem calls to be program behaviors ey used an align-ment technique to identify similarities and calculated theHellinger distance to compute associated distances epaper claimed that the classification process can be im-proved using a phylogenetic tree that represents the com-mon functionalities of malware ey also claimed thatobfuscated malware variants that show similar behaviors canbe detected e limitations of paper can be summarized asfollows

(1) Lack of knowledge is provided about the malwaredataset

(2) Statistical evaluation of performance is not provided(3) Comparison of proposed method against other

methods is not given Besides it is not clear howphylogenetic tree can improve the performance

Shan and Wang proposed a behavior-based clusteringmethod to classify malware [20] Behaviors were generatedusing system calls and features within a cluster were shownto be similar According to paper the proposed method can

detect 711 of unknown malware samples without FPswhile the performance overhead is around 91 e pro-posed method is complex not scalable for large datasets andthere are some performance issues on servers Eliminatingthese deficiencies will improve the model performance

A graph-based detection schema was defined in[15 17 21] Kolbitsch et al [21] proposed a graph-baseddetection method in which system calls are converted into abehavior graph where the nodes represent system calls andthe edges indicate transitions among system calls to showthe data dependency e program graph to be marked isextracted and compared with the existing graph to deter-mine whether the given program is malware Although theproposed model has performed well for the knownmalwareit has difficulties detecting unknown malware

Park et al proposed a graph method that specifies thecommon behaviors of malware and benign programs [15] Inthis method kernel objects are determined by system callsand behaviors are determined according to these objectsAccording to the paper the proposed method is scalable andcan detect unknown malware with high detection rates(DRs) and false positive (FP) rates close to 0 In additionthe proposed model is highly scalable regardless of newinstances added and robust against system call attacksHowever the proposed method can observe only partialbehavior of an executable To explore more possible exe-cution paths would improve the accuracy of this method

Naval et al [17] suggested a dynamic malware detectionsystem that collects system calls and constructs a graph thatfinds semantically relevant paths among them To find allsemantically relevant paths in a graph is a NP-completeproblem us to reduce the time complexity the authorsmeasured the most relevant paths which specify malwarebehaviors that cannot be found in benign samples eauthors claim that the proposed approach outperforms itscounterparts because unlike similar approaches the pro-posed approach can detect a high percentage of malwareusing system call injection attacks Paper has some limita-tions such as performance overhead during path compu-tation and vulnerable to call-injection attacks and cannotidentify all semantically relevant paths efficiently Elimi-nating these limitations may improve the performance

Fukushima et al proposed a behavior-based detectionmethod that can detect unknown and encrypted malware onWindows OS [22]e proposed framework not only checksfor specific behaviors that malware performs but also checksnormal behaviors that malware usually does not performe proposed schemersquos malware DR was approximately 60to 67 without any FP e DR is very low to increase theDR more malicious behaviors can be identified and toprove the effectiveness of new method the test set will beextended

Lanzi et al [23] proposed a system-centric behaviormodel According to the authors the interaction of malwareprograms with system resources (directory file and registry)is different from that of benign programs e behavioralsequences of the program to be marked are compared withthe behavior sequences of the two groups (ie malware andbenign)e paper claimed that the suggested system detects


a significant fraction of malware with a few FPe proposedmethod cannot detect all malicious activities such as mal-ware which does not attempt to hide its presence or to gaincontrol of the OS and which uses only computer network fortransmission To include network-related policies and rulesfor malware which ignores tomodify legitimate applicationsand the OS execution can improve the performance

Chandramohan et al proposed BOFM (bounded featurespace behavior modeling) which limits the number offeatures to detect malware [24] First system calls weretransformed into high-level behaviors en features werecreated using the behaviors Finally the feature vector iscreated and machine learning algorithms are applied to thefeature vector to determine whether the program is malwareor benign is method ignored the frequency of systemcalls Executing the same system call repeatedly can causeDoS attacks Considering the frequency of system calls canimprove DR and accuracy

A hardware-enhanced architecture that uses a processorand an FPGA (field-programmable gate array) is proposedin [18] e authors suggested using an FCM (frequency-centralized model) to extract the system calls and constructthe features from the behaviors Features obtained from thebenign and malware samples are used to train the machinelearning classifier to detect the malware e paper claimedthat the suggested system achieved a high classificationaccuracy fast DR low power consumption and flexibilityfor easy functionality upgrades to adapt to new malwaresamples However malware can perform various behaviorsand there is no uniform policy to specify number of be-haviors and features to be extracted before triggering theearly prediction Furthermore the proposed method per-formance has only been compared with BOFM and n-gramwhich is not enough to determine the efficiency of theproposed model

Ye et al proposed associative classification post-processing techniques for malware detection [25] eproposed system greatly reduces the number of generatedrules by using rule pruning rule ranking and rule selectionus the technique does not need to deal with a largedatabase of rules which accelerate the detection time andimprove the accuracy rate According to the paper theproposed system outperformed popular antivirus softwaretools such as McAfee VirusScan and Norton Antivirus anddata mining-based detection systems such as naive Bayessupport vector machine (SVM) and decision tree To collectmore API calls which can provide more information aboutmalware and identify complex relationships among the APIcalls may improve the performance

A supervised machine learning model is proposed in[26] e model applied a kernel-based SVM that usedweighting measure which calculates the frequency of eachlibrary call to detect Mac OS X malware e DR was 91with an FP rate of 39 Test results indicated that incre-menting sample size increases the detection accuracy butdecreases the FPR Combining static and dynamic featuresusing other techniques such as fuzzy classification and deeplearning can increase the performance

e method of grouping system calls using MapReduceand detecting malware according to this grouping is de-scribed by Liu et al [27] According to the authors most ofthe studies performed so far were process-oriented whichdetermines a process as a malware only by its invoked systemcalls However most current malware is module-basedwhich consists of several processes and it is transmitted tothe system via driver or DLL [28] In such cases malwareperforms actions on the victimrsquos machine by using morethan one process instead of its own process When only oneprocess is analyzed malware can be marked as benignHowever there are some limitations of the proposedmethod e limitations of this method can be addressed asfollows (1) some malware does not require persistent be-havior ASEP (2) persistent malware behaviors can becompleted without using system calls and (3) the cost ofdata transmission has not been measured Besides theproposed method results were not compared with otherstudies in the literature Eliminating abovementioned lim-itations can improve the method performance

A detection system that combines static and dynamicfeatures was proposed in [16] is system has threeproperties the frequencies (in bytes) of the method thestring information and the system calls and their param-eters By combining these properties the feature vector wasconstructed and classified using classification algorithmse paper claimed that the detection of the proposed systemis reasonable and increases the probability of detectingunknown malware compared to their first study Howeverthe probability of detecting unknown malware is still lowand FPR is high Using more distinctive features and trainmodel with more malware may improve the method per-formance for unknown malware

Recent works on malware behaviors are represented in[19 29ndash31] Lightweight behavioral malware detection forwindows platforms is explained in [29] It extracts featuresfrom prefetch files and discriminates malware from benignapplications using these features To show the effectivenessof the malware detector on the prefetch datasets they usedLR (logistic regression) and SVM (support vector machine)

Table 3 Summary of related works on malware detection methods

Paper Feature representation Goalsuccess YearWagener et al [14] System calls Hellinger distance phylogenetic tree Identify new and different forms of malware 2008Park et al [15] Creating system call diagrams Identify different forms of malware 2013Islam et al [16] Printable strings API method frequencies Identify malware with 97 accuracy 2013Naval et al [17] Diagram of system calls and relations Detect code insertion attacks 2015Das et al [18] System call frequencies n-gram Identify new and different forms of malware 2016Zhang et al [19] API calls sequence to construct a behavior chain It achieved 9864 accuracy with 2 FPR 2019


classifier According to the authors test results are promisingespecially TPR and FPR for practical malware detection Choiet al proposedmetamorphicmalicious code behavior detectionusing probabilistic inference methods [30] It used FP-growthand Markov logic networks algorithm to detect metamorphicmalware FP-growth algorithmwas used to findAPI patterns ofmalicious behaviors from among the various APIs Markovlogic networks algorithm was used to verify the proposedmethodology based on inference rules According to the testresults the proposed approach outperformed the Bayesiannetwork by 8 higher category classification

Karbab and Debbabi proposed MalDy (mal die) aportable (plug and play) malware detection and familythreat attribution framework using supervised ML tech-niques [31] It uses behavioral reports into a sequence ofwords along with advanced natural language processing(NLP) and ML techniques to extract relevant security fea-tures According to the test results MalDy achieved 94success on Win32 malware reports A depth detectionmethod on behavior chains (MALDC) is proposed in [19]e MALDC monitors behavior points based on API callsand uses the calling sequence of those behavior points atruntime to construct behavior chainsen it uses the depthdetection method based on long short-term memory(LSTM) to detect malicious behaviors from the behaviorchains To verify the performance of the proposed model54324 malware and 53361 benign samples were collectedfrom Windows systems and tested MALDC achieved9864 accuracy with 2 FPR in the best case

e malware detection schema landscape is changing fromcomputers to mobile devices and cloud- deep learning- andmobile-based detection techniques are becoming popularHowever these detection schemas have some problems tooFor instance deep learning-based detection approach is ef-fective to detect new malware and reduces features spacesharply [32] but it is not resistant to some evasion attacks Onthe other hand cloud-based detection approach increases DRdecreases FPs and provides bigger malware databases andpowerful computational resources [33] However the overheadbetween client and server and lack of real monitoring is a stillchallenging task in cloud environment Mobile- and IoT-baseddetection approaches can use both static and dynamic featuresand improve detection rates on traditional and new generationof malware [34] But they have difficulties to detect complexmalware and are not scalable for large bundle of apps

In the literature review the malware detection methodshave been summarized Current studies can be divided into 2major groups

(1) Studies that apply certain rules directly to behaviorsor features to group similar behaviors and extract thesignature (no ML is required at this stage)

(2) Studies that determine behaviors extract featuresfrom behaviors and apply classification by using MLand data mining algorithms

In current studies some new techniques and methodshave been used widely for many years ese techniques andmethods are can be listed as follows

(i) Datamining and ML have been used widely for adecade and cloud and deep learning have been usedrecently in malware detection

(ii) e n-gram n-tuple bag and graph models havebeen used to determine the features from behaviors

(iii) Probability and statistical methods such as Hellingerdistance cosine coefficient chi-square and distancealgorithms are used to specify similarities amongfeatures

Current studies which are explained above have somelimitations and can be addressed as follows

(i) Many detection methods produce high FPs andrequire complex and resource-intensive hardware

(ii) Detection rate and accuracies are low(iii) Cannot effectively handle new and complex

malware(iv) Focused on specific malware type family or spe-

cific OS(v) Prone to evasion techniques(vi) Have difficulties to handle all malicious behaviors(vii) Feature extraction methods are not effective so the

size of the features increases overtime

As a result the difficulties in defining behaviors andidentifying the similarities and differences among theextracted properties have prevented the creation of an ef-fective detection system e use of new methods and ap-proaches along with the use of ML and data miningalgorithms in malware detection has begun to play a majorrole in making the extracted features meaningfully

On the contrary the SCBM has a high detection rate andaccuracy with low FP It can handle new and complexmalware to a certain degree and it is resistant to evasiontechniques Besides the feature extraction method is ef-fective and only specifies the features which can discriminatemalware from benign During the feature extraction processthe SCBM assigns numbers to each feature which shows theimportance of the feature in the dataset us the modeldoes not need feature selection techniques before ML andthis makes SCBM faster and less resource-intensive

4 Subtractive Center Behavior Model

is section describes the system architecture and explainsthe proposed model in detail

41 Architecture of the Proposed Model e system archi-tecture of the proposed malware detection model is sum-marized in Figure 3

According to the proposed model the program samplesare first collected and analyzed by relevant dynamic toolsen the behavior is determined according to the results ofthe analysis After that behaviors are grouped according tothe determined rules and features are extracted Finally themost important features are selected and the system is


trained Based on the training data each sample is marked asmalware or benign

During the detection process the SCBM specifiesmalicious behavioral patterns which can be seen in malwarebut not seen or rarely seen in benign samples Scoring system isused to determine the behavioral patterns For instance even ifmalware (M) and benign (B) samples system calls are the same(in real examples this is not the case)MB a b c d e thebehavior patterns will be differentMpattern(candidate) ab acce where abscore 4 acscore 1 cescore 3 whileBpattern(candidate) ab ac ce where abscore 1 acscore 1and cescore 0 In this caseMpattern ab ce while Bpattern and we can easily differentiate malware from benign

To collect the execution trace of each sample both aprocess monitor and explorer are used in this study butother dynamic tools such as API monitor and differentsandboxes can be used as well e proposed system is

implemented using the Python scripting language andclassification is done on Weka To prove the efficiency of theproposed model different tools and programming languagehave been used However someone can use different toolsand can get better results with proposed model us theimplementation of proposed model does not put restrictionon SCBM

42 Proposed Model In this study the SCBM creates adataset When the SCBM and the n-gram model are com-pared the SCBM contains far fewer features and determinesthe related processes more clearly than n-gram In theproposed model system paths where malware behaviors areperformed and the malware behaviors themselves are takeninto consideration Based on each malware behavior andrelated system path a score is assigned Features that do notexceed the specified score are removed from the dataset Forexample to run properly each process accesses certainsystem files and performs similar actions and behaviorsose behaviors and the resulting properties are not in-cluded in the dataset erefore the datasets created usingthe proposed model contain far fewer features than thedatasets created by n-gram and the models used in otherstudies e proposed SCBM model consists of followingphases

(i) Phase 1 convert the actions into behaviors(ii) Phase 2 divide the behaviors into groups and

calculate the risk scores(iii) Phase 3 group the behaviors according to the types

of resources(iv) Phase 4 group the behaviors based on the same

resources but different instances(v) Phase 5 extract the features from repeated

behaviors(vi) Phase 6 extract the features from different data

sources(vii) Phase 7 calculate the risk scores for each behavior

based on activepassive behaviors

e details of these phases are given below

421 Phase 1 Convert Actions into Behaviors In this phasesystem calls such asWindows API andWindows Native APIcalls are converted into higher-level operations and theassociated behaviors are generated For example if the se-quence of the running programrsquos operations are in the orderof NtCreateFile NtWriteFile and NtCloseFile then themapped behavior will be WriteFile When we convert theaction into a behavior we drop the Nt and remove theNtCreateFile and NtCloseFile actions which are not neededfor real behavior Similarly if the system calls are order ofNtCreateFile NtQueryFile and NtCloseFile the mappedbehavior will be SearchFile In this way low-level systemcalls are transformed into higher-level behaviors e al-gorithm used to create behaviors is shown in Algorithm 1

Unknown malware benign samples

Dynamic analysis tools

Identify processes

Grouping tosystem path

Feature extraction

Features

Selected features

Result malware or benign

Identify behaviors

Group the behaviors

Grouping tooperation type

Grouping to activeness

Training and classification

Figure 3 Proposed model architecture


In Algorithm 1 d1 d2 and n represent the input actionsequence output behavior sequence and input size re-spectively e algorithm takes d1 as an input and generatesd2 During this process AE (active) and PE (passive) be-haviors are identified and sfPs (system file paths) such asself system and third partyrsquos software are determined Onthis basis ψ and micro which represent action state and actiontype are calculated by using AE PE and eST (action statetype) Finally system calls which cannot define new be-haviors such as rcK ldquoRegCloseKeyrdquo cF ldquoCloseFilerdquo tEldquoread Exitrdquo and pE ldquoProcess Exitrdquo are eliminated fromthe action list and the rest of the actions are written to the d2file

An example system-call sequence and correspondingbehaviors are given in Table 4 e system calls that areproduced by each sample are formulated as S= a b c d n where S represents the system-call sequence and a b c n represent each system call Only s sub S is taken intoconsideration when building behaviors In this way thebehaviors that define the program are clarified and the datato be analyzed are reduced significantly before featureextraction

422 Phase 2 Divide the Behaviors into Groups and Cal-culate the Risk Scores e behaviors identified in the

previous phase are divided into three groups self-generatedbehaviors behaviors on third-party software and behaviorson system software In this section the risk score is cal-culated for each behavior and its path (Table 5) e riskscore is numbered from 0 to 4 where 0 means that relatedbehavior is normal and can be seen in both malware andbenign samples and 4 means that the related behavior isrisky likely to be seen for malware and rarely seen inbenign samples (Table 5) e score is assigned based onthe behavior path performed by the program sampleSGB1 shows the first type of behaviors from self-generatedbehaviors TPB1 shows the first type of third-party be-haviors and SB1 shows the first type of system behaviorsHigher score is given to system behaviors because moredifferentiating malicious behaviors are performed onsystem files In addition a score is assigned for active andpassive behaviors as explained in phase 7 A thresholdvalue was used when excluding behaviors For instancefeature xi isin feature set X consists of y1 y2 yn behaviorse risk score for feature path (rsP) is calculated for xi asfollows

xi(rsP) y1(rsP) + y2(rsP) + middot middot middot + yn(rsP)

n (1)

Let a be a specified threshold value if xi(rsP)ge a xi is inthe feature set Otherwise xi is not in the feature set

(1) d1⟵ file1 d2⟵ file2 n⟵ u(d1)(2) for i⟵ 1 to n(3) if (d1[i][state] lsquoAErsquo)(4) ψ⟵ A(5) else(6) ψ⟵ P(7) end if(8) if (Pname d1FileName)(9) μ⟵ self(10) elif (eST lsquossrsquo)(11) μ⟵ system(12) elif (eST lsquotsrsquo)(13) μ⟵ thirdParty(14) else(15) 1 1(16) end if(17) if (d1[iminus 1][o] d1[i][o])(18) if (d1[i][o] rcK ampamp d1[i][o] cF ampamp d1[i][o] tE ampamp d1[i][o] pE)(19) if (d1[iminus 1][s] d1[i][s])(20) Writed2()(21) end if(22) end if(23) end if(24) if (d1[iminus 1][o] d1[i][o])(25) if (d1[iminus 1][sfP] d1[i][sfP])(26) if (d1[i][o] rcKampamp d1[i][o] cF ampamp d1[i][o] tE ampamp d1[i][o] pE)(27) writed2()(28) end if(29) end if(30) end if(31) end for

ALGORITHM 1 Malware behavior creation algorithm


(1) Phase 21 Self-generated behaviors (SGB) When an ex-ecuted malwarebenign sample performs behaviors on itsown directory (SGB1) these behaviors are determined as thelowest dangerous behaviors and assigned a risk score of 0 Inthis case because the program needs to retrieve some datafrom its own file to run properly it generates normal be-haviors that cannot be categorized as dangerous Howeverwhen an executed malwarebenign sample presents registryor network-related behaviors within some files (SGB2) thisbehavior group is considered to be slightly more dangerousand is assigned a risk score of 1e behaviors marked with arisk score of 1 are likely to be included in the datasetaccording to the specified threshold For instance the be-havior in which a file that creates another file and then copiesits own file content to another file is more dangerous thanthe behavior that retrieves some data from its own file to runproperly

(2) Phase 22 6ird-Party Behaviors (TPBs) Many programsrequire third-party software to run properly For instance inorder to compile and run a program written in the Pythonlanguage the program will frequently perform behaviors for

the file path (TPB1) where this language exists Such be-havior is considered harmless and the behavior risk score isassigned as 0 However behaviors related to directories andfiles that are not related to the performed sample (TPB2) areconsidered dangerous and the behavior risk score is assignedas 3

(3) Phase 23 System behaviors (SBs) Programs are neededto interact with the operating system to work properlyTypically this interaction is provided by system DLLsbackground processes Windows services etc on theWindows operating system Most of these interactions areconsidered normal while some of them are classified asmalicious If a program contains interactions that arenecessary for the program to work properly these type ofbehaviors (SB1) are evaluated not dangerous and lowest levelrisk score is assigned as 0 If the program uses ldquoGDI32dllrdquoand ldquoshell32dllrdquo [35] which can be used for both in mali-cious and benign behaviors (SB2) the risk score assigned as1 If the program uses ldquoUser32dllrdquo and ldquokernel32dllrdquo whichcan be used frequently by malware and also sometimes usedby benign (SB3) the risk score is assigned as 2 However ifthe program frequently calls ldquoWininetdllrdquo ldquoAdvapi32dllrdquoand directly calls ldquoNtdlldllrdquo instead of ldquokernel32dllrdquo or useshigh-level methods that are likely to be categorized asdangerous such as ldquoReadProcessMemoryrdquo and ldquoAdjust-TokenPrivilegesrdquo [35] (SB4) then a behavior risk score isassigned as 3

In addition if the program is attempting to interfere withsystem processes such as ldquosvchostexerdquo and ldquowinlogonexerdquoand to use these processes to access system databases thatcontain critical information then these behaviors (SB5) are alsoconsidered malicious and behavior risk score is assigned as 4Furthermore if the same name as the system files in differentsystem paths such as ldquosvchostexerdquo ldquowinlogonexerdquo and

Table 4 Sample malware execution trace and behaviors (list is abbreviated)

Action call System path Extracted behaviorNtCreateFile ldquocwindowssfile1exerdquo malwareexe⟶ 1 CreateFile (1)NtCreateFile ldquocprogramfilesrdquo malwareexe⟶ 2 noneNtQueryDirectory 2 ldquocprogramfilesrdquo malwareexe⟶ 3 SearchDirectory (2)NtReadFile 3 ldquoctfile1txtrdquo malwareexe⟶ 4 ReadFile (3)NtReadFile 3 ldquoctfile2exerdquo malwareexe⟶ 5 ReadFile (3)NtCloseFile 4 ldquotfile1txtrdquo malwareexe⟶ 6 noneNtWriteFile 1 ldquosfile1exerdquo malwareexe⟶ 7 WriteFile (1)NtReadFile 7 ldquosfile1exerdquo malwareexe⟶ 8 ReadFile (7)NtWriteFile 5 ldquotfile2exerdquo sfile1exe⟶ 9 WriteFile (5)NtCreateKey ldquohklmsoftware key1rdquo tfile2exe⟶ 10 noneNtSetValue 10 ldquokey1rdquo tfile2exe⟶ 11 SetValue (10)NtRegCloseKey 11 ldquokey1rdquo tfile2exe⟶ 12 noneNtCreateFile ldquocwindowsstfile1dllrdquo tfile2exe⟶ 13 noneNtCreateFile ldquocwindowsstfile2dllrdquo tfile2exe⟶ 14 noneNtCloseFile 8 ldquosfile1exerdquo malwareexe⟶ 15 noneNtReadFile 13 ldquostfile1dllrdquo tfile2exe⟶ 16 ReadFile (13)NtReadFile 13 ldquostfile1dllrdquo tfile2exe⟶ 17 ReadFile (13)NtReadFile 14 ldquostfile2dllrdquo tfile2exe⟶ 18 ReadFile (14)NtCloseFile 17 ldquostfile1dllrdquo tfile2exe⟶ 19 noneNtCloseFile 18 ldquostfile2dllrdquo tfile2exe⟶ 20 noneNtCloseFile 9 ldquotfile2exerdquo tfile2exe⟶ 21 none

Table 5 Risk score calculation

System path Path risk score (PRS)

Behaviorrisk score(BRS)

P ASGB1 TPB1 SB1 0 0 3SGB2 SB2 1 0 3SB3 2 0 3TPB2 SB4 3 0 3SB5 4 0 3


ldquosmssexerdquo have been created or if the file is automaticallyinitializing itself each time the system is started (autostartlocations such as ldquohklmsoftwarecurrentversionrunrdquoldquohklmsoftwarecurrentversionrunoncerdquo ldquocusersstartmenustartuprdquo) then these behaviors (SB4) are alsoconsidered malicious and behavior risk score is assigned as 3

423 Phase 3 Group the Behaviors according to Types ofResources Operating system resources are divided intogroups such as file registry network section and threadand the same types of resources are generally consideredwhen determining property relationships For instance inTable 4 the behaviors of ReadFile (7 ldquosfile1exerdquo malwar-eexe 8) and WriteFile (5 ldquotfile2exerdquo sfile1exe 9) are di-rectly associated with each other However SetValue (10ldquokey1rdquo tfile2exe 11) and ReadFile (13 ldquostfile1dllrdquo tfi-le2exe 16) are not directly associated with each other usReadFile andWriteFile can create a property while SetValueand ReadFile cannot create a property

424 Phase 4 Group the Behaviors on the Same Resourcesbut Different Instances While behaviors on the same re-source (file and registry) and the same file format create thesame properties behaviors on the same resource on differentfile formats (exe txt sys and dll) create different propertiesFor example ReadFile (ldquotfile1txtrdquo malwareexe⟶ 4) andReadFile (ldquotfile2exerdquo malwareexe⟶ 5) create two differ-ent properties (Table 4) while ReadFile (13 ldquostfile1dllrdquotfile2exe⟶ 16) and ReadFile (14 ldquostfile2dllrdquotfile2exe⟶ 18) create the same property

425 Phase 5 Extract the Features from Repeated Behaviorse successive behaviors on the same resource and sampleare set to a single property Behaviors that occur in differentlocations and names are set to the same feature as well butthe importance of the feature increases

426 Phase 6 Extract the Features from Different DataResources Behaviors that are on different resources but areindirectly determined as having a relationship also create aproperty For example although their behaviors take place indifferent resources WriteFile (5 ldquotfile2exerdquo sfile1exe⟶ 9)and SetValue (10 ldquokey1rdquo tfile2exe⟶ 11) (Table 4) create aproperty between them

427 Phase 7 Calculate the Risk Scores for Each BehaviorBased on ActivePassive Behaviors Active behaviors areconsidered to be more dangerous than passive behaviorsand consequently a higher level of danger is assigned Forexample while the danger level for ReadFile is set to 0 thedanger level of WriteFile is set to 3 e feature creationalgorithms are shown in Algorithms 2 and 3

In Algorithms 2 and 3 the first algorithm containsabbreviations d2 d3 (rD tY aS and sRY) and pRS whichdefine input file output file related file paths and each filepath risk score and the second algorithm contains

abbreviations d2 d4 as (O O1 and O2) π rdF and weFwhich define input file output file action state action valuesoperation value ldquoReadFilerdquo and ldquoWriteFilerdquo In Algo-rithms 2 and 3 the risk score is first calculated for eachbehavior and the features from the related behaviors areconstructed For example let B a b c d be a behaviorsequence where a and c are active behaviors while b and dare passive behaviors In addition behavior a is related tobehaviors b and c and behavior b is related to behavior d Inthis case features (F) and their risk scores (rS) are calculatedas

F a ab ac b bd c d

rS 3 + rSa 3 + rSab 4 + rSac 0 + rSb 0 + rSbd 3 + rSc 0 + rSd1113864 1113865

(2)

where the first score represents the active-passive risk scoreand the second score represents the path score After thefeature sequences have been generated the frequency of eachfeature is calculatede features that have a risk score abovea certain threshold are considered during classification Inthis case the number of features decreases significantly andclassification algorithms produce better results without theuse of feature selection algorithms

(1) d2⟵ file2 d3⟵ file3 n⟵ u(d2)(2) for i⟵ 1 to n(3) if (μ lsquoself rsquo)(4) if ( Pname d2fileName)(5) pRS⟵ 0(6) elif (Pname d2fileName ampamp d2fileName rD)(7) pRS⟵ 3(8) else(9) pRS⟵ 2(10) end if(11) elif (μ lsquotsrsquo)(12) if (d2[i][fP] tY)(13) pRS⟵ 2(14) Registry Autostart Location(15) elif (d2[i][fP] aS)(16) pRS⟵ 3(17) else(18) pRS⟵ 0(19) end if(20) elif (μ lsquossrsquo)(21) if (Pname d2fileName)(22) pRS⟵ 0(23) elif ( d2fileName lsquolowastexersquo)(24) pRS 3(25) elif (d2[i][sfP] sRY)(26) pRS⟵ 3(27) elif (d2[i][sfP] rD)(28) pRS⟵ 3(29) else(30) pRS⟵ 0(31) end if(32) end if(33) end for

ALGORITHM 2 Feature creation algorithm I


Using the SCBM Table 4 malware behaviors Table 6malware features and Table 7 feature vector are generatedIn Table 6 the Risk IDs column provides information aboutfeatures By looking at the Risk IDs column the importanceof each feature and risk score can be understood In the RiskIDs column Ia represents property types such as self thirdparty and system b represents the level of property and Aand P represent active and passive respectively For ex-ample in I12 A can be evaluated as a related process tryingto make changes on its files by using active behaviors whilein I31 P can be evaluated as a related process trying toperform operations on system files by using passive be-haviors When the values for Table 7 are obtained by usingTable 6 a value of 0 is assigned for missing properties 1 isassigned for one-time repeated properties and x is assignedfor x-time repeated properties In addition risk scores areassigned as a subfeature of the feature considering behav-ioral groups and danger levels

When comparing SCBM and the n-gram model the testresults showed that the number of created features decreasesrapidly while the remaining features are more closely related oneanother e dataset constructed by n-gram contained approx-imately 37-foldsmore features than the proposedmodelrsquos datasetwhich shows that machine learning algorithms likely performbetter on dataset that is generated by the proposed model

5 Case Study

is section describes the case study and experiments Testcases were performed on different versions ofWindows suchas Windows 7 virtual machines Windows 8 virtual ma-chines and Windows 10 For malware analysis a processexplorer and process monitor were used To show the ef-fectiveness of the proposed model 2 datasets with score andwithout score by using SCBM have been created and theresults are compared with those of n-gram and othermethods from the literature A dataset with score is amodification of a dataset without score which takes thefeatures that can precisely represent each sample In total6700 malware and 3000 benign samples have been analyzedis section consists of 5 parts data collection represen-tation differentiate malicious patterns ML and detectionand model performance and evaluation

51 DataCollection Malware samples were collected from avariety of sources such as Malware Benchmark [36]ViruSign [37] Malshare [38] Malware [39] KerelMode[40] and Tekdefense [41] e malware was labeled usingVirustotal [42] which uses approximately 70 antivirus scannersonline and 10 antivirus scanners locally such as Avast AVGClamAV Kaspersky McAfee and Symantec For this purpose6700 malware samples were randomly selected among 10000malware samples and analyzed e dataset contains differentmalware types including viruses Trojans worms backdoorrootkit ransomware and packed malware (Figure 4) andcontains different malware families such as agent rooter ge-neric ransomlock cryptolocker sality snoopy win32 andCTB-Locker Analyzed malware is created from year 2000 to2019 and can be categorized as regular knownmalware packedmalware complicated malware and some zero-day malwaree dataset contains 3000 benign samples from several cate-gories including system tools games office documents soundmultimedia and other third-party software

e malware signature was used for each scanner andeach malware was marked at the deepest level as possibleFor example a Trojan downloader and a virus downloaderwere marked as downloader and key logger was marked askeylogger instead of spyware Some of themalware could notbe categorized those malware files were marked as malwaree majority of the malware tested were Trojan horsesviruses adware worms downloader and backdoor Othertypes of malware tested were rootkit ransomware dropperinjector spyware and packed malware (Figure 4)

52 Data Representation As discussed in Section 42 theproposed model takes each malware sample as an input and

(1) d2⟵ file2 d4⟵ file4 n⟵ u(d2)(2) for i⟵ 1 to n(3) if (ilt n minus 10)(4) for j⟵ i+ 1 to i+ 10(5) fP2 d2[j][sfP](6) if (P1as P2as ampamp P1as lsquoArsquo)(7) ψ⟵ lsquoAArsquo(8) elif (P1as P2as ampamp P1as lsquoPrsquo)(9) ψ⟵ lsquoPPrsquo(10) else(11) ψ⟵ lsquoAPrsquo lsquoPArsquo(12) end if(13) if (d2[j][o] rdF ampamp d2[j+1][o] weF)(14) π⟵O1 + lsquo rsquo +O2(15) if (d2[j][lsquoμrsquo] lsquoselfrsquo)(16) π⟵ π + lsquoSrsquo(17) elif (d2[j][lsquoμrsquo] lsquotsrsquo)(18) π⟵ π + lsquoTPrsquo(19) elif (d2[j][lsquoμrsquo] lsquossrsquo)(20) π⟵ π + lsquoSTrsquo(21) else(22) 2⟵ 2(23) end if(24) writed4()(25) if (sfP1 sfP2 ampamp O1O2)(26) π⟵O1+ lsquo rsquo +O2(27) if (d2[j][lsquoμrsquo] lsquoselfrsquo)(28) π⟵+ lsquoSrsquo(29) elif (d2[j][lsquoμrsquo] lsquotsrsquo)(30) π⟵ π + lsquoTPrsquo(31) elif (d2[j][lsquoμrsquo] lsquossrsquo)(32) π⟵ π + lsquoSTrsquo(33) else(34) 2⟵ 2(35) end if(36) writed4()(37) end for(38) end if(39) end for

ALGORITHM 3 Feature creation algorithm II


generates a vector consisting of a set of features uniquelyidentifying the malware Each feature is a combination ofmalware behaviors that have been determined by systemcalls to the operating system Our model differentiates eachsystem call and where the system call has occurred eproposed model considers only features that can discrimi-nate malware from benign samples

53 Differentiate Malicious Behavior Patterns from BenignDuring the detection process the SCBM specifies maliciousbehavioral patterns which can be seen frequently in

malware but rarely seen in benign samples To do that thealgorithms in Section 4 have been used To specify themalicious behavior patterns following procedures are takeninto consideration

(1) e behaviors and the system paths where sampleprogram performed are identified

(2) Scores are calculated for each behavior(3) Behavior that could not exceed the specified score is

removed from the list(4) Behavior groups are determined according to the

order of the selected behaviors(5) Classification is performed according to the fre-

quency of selected behaviors

By using these procedures someone can easily separatemalicious behavior patterns from benign even if malwareand benign samples system calls are the same (in real examplesthis is not the case) Example real features from our dataset andtheir frequencies are shown in Table 8 It can be clearly seen inTable 8 that someone can easily differentiate malware andbenign samples by grouping to frequencies and level of fre-quencies One way to do that is group to frequencies bynumbering 0 1 to 20 21 to 100 101 to 200 201 to 300and 300+ and using decision tree for classification

54MachineLearning andDetection Machine learning (ML)algorithms have been used to discriminate malware frombenign samples Even thoughML algorithms have been used inmany different areas for a long time they have not been usedsufficiently in malware detection us in this study the mostappropriate algorithms were used including Bayesian network(BN) naive Bayes (NB) decision tree variant (C45-J48) lo-gistic model trees (LMT) random forest (RF) k-nearestneighbor (KNN) multilayer perceptron (MLP) simple logisticregression (SLR) and sequential minimal optimization (SMO)It cannot be concluded that one algorithm is more efficientthan the others because each algorithm has its own advantagesand disadvantages Each algorithm can perform better thanother algorithms under certain distributions of data numbersof features and dependencies between properties

NB does not return good results due to calculation onassumptions that are not very related to each other and BNis not practically applicable for data sets with many featuresOn our dataset performance of these two algorithms was lower

Table 6 Extracted features

No Risk IDs Features Related sources1 I12 A CreateFileSF ldquocwindowssfile1exerdquo2 I12 A WriteFileSF ldquocwindowssfile1exerdquo3 I12 I12 A P WriteFileSF ReadFileSF ldquocwindowssfile1exerdquo ldquocwindowssfile1exerdquo4 I12 I22 P A ReadFileSF WriteFileTP ldquocwindowssfile1exerdquo ldquocprogramfilestfile2exerdquo5 I22 P SearchDirectoryTP ldquocprogramfilesrdquo6 I22 I22 P P SearchDirectoryTP ReadFileTP ldquocprogramfilesrdquo ldquocprogramfilestfile1txtrdquo7 I21 I22 P P SearchDirectoryTP ReadFileTP ldquocprogramfilesrdquo ldquocprogramfilestfile2exerdquo8 I22 I22 A A WriteFileTP SetValueTP ldquocprogramFilestfile2exerdquo ldquohklmSoftwarekey1rdquo9 I31 P ReadFileST ldquocwindowsstfile1dllrdquo ldquocwindowsstfile2dllrdquo

Table 7 Feature vector

Features F1 F2 F3 F4 F5 F6 F7 F8 F9

Program 1 13

13

13

13

12

23

15

11

00

ndash ndash ndash ndash ndash ndash ndash ndash ndashProgram n mdash mdash mdash mdash mdash mdash mdash mdash mdash

Trojan (16)Adware (13)Downloader (11)Spyware (5)Malware (4)Injector (3)Rootkit (2)

Virus (13)Worm (11)Backdoor (10)Dropper (5)Ransomware (4)Packed malware (2)Keylogger (1)

Figure 4 Distribution of analyzed malware


than other ML algorithms However some satisfying resultshave beenmeasured in the literature SVM and SMOwork wellin both linear separation and nonlinear boundary situationsdepending on the kernel used and performs well on high-dimensional data but the desired performance measurementscould not gather on the data sets generated However the SVMand SMO perform better than NB and BN KNN algorithmrequires a lot of storage space and MLP algorithm requireslong calculation time during the learning phase ese 2 de-ficiencies reduce the efficiency of these 2 algorithms HoweverKNN performance was much higher than NB and BN per-formance Although the fact that the SLR algorithm is inad-equate to solve nonlinear problems and contains high biasdecreases the efficiency of the algorithm it has returned goodresults on the data sets created with the proposed model Onthe contrary decision trees produce scalable and highly ac-curate results and they are the best performing classifiersaccording to test results on our dataset makes these classifiersmore prominent than other classifiers In the literature exceptin some cases they have returned satisfying results as well

55 Model Performance and Evaluation To evaluate theperformance of the ML algorithms DR FP rate f-measureand accuracy were used ese values are calculated usingthe confusion matrix (Table 9)

ese values are represented by the TP (the number ofmalicious software being marked as malicious) TN (thenumber of benign software being marked as normal) FP(the number of benign software being mistakenly marked asmalicious) and FN (the number of malicious software ac-cidentally being marked as benign) By using these valuesDR FPR f-measure and accuracy are calculated as

DR recall TP

TP + FN

FPR FP

FP + TN

F minus measure 2lowast precisionlowast recallprecision + recall

accuracy TP + TN

TP + TN + FP + FN

(3)

To evaluate the model and ML performance holdoutcross-validation and bootstrap have been used widely Forsmall datasets cross-validation is a preferable method be-cause the model performs better on previously unknowndata while the holdout method is useful for large datasetsbecause the system can be trained with enough instances

In this study both the holdout and cross-validationmethods were used to evaluate performance At the be-ginning when the dataset was small cross-validationreturned better results However when the dataset hadgrown the holdout method also generated favorable results

6 Results and Discussion

e summarized test results can be seen in Tables 10ndash14 andFigures 5 and 6 e test results show the DR FPR andaccuracy on n-gram and proposed modelse both holdoutand cross-validation methods perform well on the proposedmodel us when evaluating a model performance thecombination of 10-fold cross validation and percentage split(75 training and 25 testing) for holdout results are usedSimilar results were obtained when parameters are changedTable 10 shows the comparison of the classification algo-rithms on the SCBM and n-gram model that were used tobuild the dataset

In Table 10 400 malware and 300 benign portable ex-ecutables are tested In almost all cases the proposed modelachieved better results than 4-gram similar results wereobtained using 2-gram 3-gram and 6-gram For instancethe SLR algorithm performance on 4-gram is measured as946 for DR 63 for FPR and 945 for accuracy versusSCBM performance is measured as 985 for DR 4 forFPR and 972 for accuracy In the same way J48 algorithmachieved 914 for DR 91 for FPR and 91 for accuracywhen using 4-gram and versus 995 for DR 07 for FPRand 994 for accuracy when using SCBM Other classifi-cation algorithms achieved similar results on the n-gram andSCBM datasets which shows that the proposed modelrsquosresults are much better than those of the n-grammodelsen-gram uses consecutive system calls whether related or notfrom properties is causes malware features to growsignificantly which increases the training time and makesthe detection processes challenging

e test results with and without scores can be seen inTables 11 and 12 when 1000 program samples have beenanalyzed e both datasets without score and with scorehave been created by using the proposed model Howeverthe dataset with score contains far less features than datasetwithout score us after 1000 programs have been ana-lyzed we have only continued to analyze programs fordataset with score

Decision tree classifiers (J48 LMT and RF) give betterresults than other classifiers such as SMO KNN BN andNB(Tables 11ndash13) For example in J48 DR FPR and accuracywere measured as 991 12 and 992 respectively(Table 12) e test results also indicate that SLR performsbetter than SMO KNN BN and NB However KNN isslightly better than SMO in terms of FPR and accuracy SMO

Table 8 Created dataset and its featuresClass name RegOpenKeyTP RegQueryValueTPRegSetInfoKeyTPMalware f2ec3cbe4d3840b9b11d3b4052ee2dc7exe 7600508Benign cmdexe15140Malware f2f72360bada04cb04a148334fb9b4f0exe674848Benign calcexe62599Malware f3a61848058d68097e7948cc3662963fexe546701305Benign notepadexe31484Malware f3ab8adddce6730b1ee494e59ca88d70exe321312213Benign servicesexe 103840Malware f3aa954ad390fc6be0be4c89120138e0exe498557342Benign taskhostexe006Features and number of rows are shortened


performs better than BN and NB NB shows lower per-formance than other classifiers us NB is not an appro-priate classifier for our dataset MLP was too slow to classifymalware and benign samples in both the n-gram dataset andthe proposed method us it was not included in the testresults

e DRs and accuracies are increased when the numberof analyzed programs are increased while FPRs are de-creased (Tables 12 and 13) is shows that the proposed

Table 10 Comparison of n-gram and the proposed model (400malware and 300 benign)

Model Classifier DR () FPR () Acc ()

4-gram

J48 914 91 91LMT 977 24 974RF 851 188 85SLR 946 63 945SMO 92 96 921KNN 87 162 873BN mdash mdash mdashNB 867 164 87

Proposed model

J48 995 07 994LMT 986 15 984RF 961 49 96SLR 985 4 972SMO 974 24 973KNN 874 136 877BN 866 128 865NB 758 20 755

Table 9 Confusion matrix

Actual classPredicted class

Yes NoYes TP FNNo FP TN

Table 11 Classifiers results on the proposed model without score(700 malware and 300 benign)

Classifier DR () FPR () F-score () Acc ()J48 989 16 989 99LMT 974 15 974 974RF 939 82 922 94SLR 973 14 973 973SMO 898 121 899 90KNN 883 73 885 884BN 851 129 855 85NB 783 141 79 784

Table 12 Classifiers results on the proposed model with score (700malware and 300 benign)


Table 13 Classifiers results on the proposed model with score(6700 malware and 3000 benign)


Table 14 Comparison of classifiers from different studies

Paper Classifier DR()

FPR()

Acc() Year

Firdausi et al [43] NB 581 128 654 2010J48 909 38 936

Ye et al [25]NB 633 mdash 502

2010SVM 845 mdash 834J48 568 mdash 573

Islam et al [16] SVM mdash 14 843 2013RF mdash 104 878

Santos et al [44]

KNNK 2 mdash 14 907

2013J48 mdash 9 912NB mdash 31 796

Yousefi-Azar et al [45]SVM 95 507 934

2018RF 932 682 901KNN 90 10 912

Proposed method

J48 999 02 998

2019SLR 974 2 974SMO 932 68 931KNN 996 08 9962NB 756 153 7562

0 20 40 60 80 100

J48

LMT

RF

SLR

SMO

KNN

BN

NB

Percentage ()

Clas

sifie

r

Without scoreWith score

Figure 5 Comparison of classification algorithms accuracy on thesuggested model with and without scores


model successfully differentiates malicious from benignpatterns However the n-gram was too slow when the an-alyzed programs increase Hence we stopped to analyzemore programs to create dataset with n-gram

e test results also indicate that the proposed modelwith score-specified malware properties is better than theproposed model without score (Figure 5) e averageclassification accuracy (cross-validation and holdout split by7525) can be seen in Figure 5 which shows the accuracy ofthe classifiers on the dataset with and without scores It canbe clearly seen that with the exception of the NB allclassifiers performed much better when the scoring systemwas used

We have concluded that using the scoring schema forour dataset eliminated less important features for discrim-inating malware from benign samples is is because theSCBM model with score also works as a feature selectionalgorithm and metric which produce better performanceFeature selection algorithms use dependency accuracydistance and information measures such as informationgain and gain ratio to select more important features fromthe dataset e dataset with score outperformed the datasetwithout score which uses feature selection algorithms andmetrics us there is no need to use a feature selectionalgorithm for most of the classifiers before classificationSince decision tree classifiers use a feature selection algo-rithm by default (feature selection and tree pruning) theclassification algorithm difference is low (Figure 5) Forexample J48 accuracy is 992 with score and 99 withoutscore LMT accuracy is 98 with score and 974 withoutscore and RF accuracy is 96 with score and 94 withoutscore However SMO accuracy is 92 with score and 90without score and KNN accuracy is 922 with score and884 without score us providing fewer but moremeaningful features for classification produces better resultsIt can also be concluded that using the feature selectionalgorithm for the dataset without scoring for some classifiersmay increase the detection and accuracy rates

To evaluate the proposed model more accurately dif-ferent numbers of malware and benign samples were testedFigure 6 shows the average accuracy rate and FPR when thenumber of analyzed programs increase e classificationaccuracy increases when the number of analyzed programsincrease while FPR decreases for all ML algorithms that havebeen used including J48 LMT RF SLR SMO KNN BN

and NB For example when 200 programs were analyzedthe accuracy rate was 89is accuracy increases over timewhen more programs are analyzed up to 94 953 and97 (Figure 6) However FPR decreased sharply whenmoreprograms were analyzed FPR was 12 at the beginning butovertime it decreased to 97 59 and 41 Based on thetest results it can be concluded that the classifier resultsimprove when more programs are analyzed

To evaluate the efficiency of the proposed model DRFPR and accuracies are also compared with different modelsfrom the literature (Table 14)e proposed model producesconsiderably better results than other models [16 43 45]when the same classifier is used for evaluation For instancewhen J48 is used as a classifier the DR FPR and accuraciesare measured as 999 02 and 998 respectively for theproposedmodel while 909 38 and 936 for themodelfrom [43] (Table 14) For other classifiers the proposedmodel also performed better than other models e worstresult was obtained for NB (756 DR 153 FPR and7562 accuracy for the proposedmodel) while DR of 581was obtained for the model in [43] and an FPR of 31 wasobtained for the model in [44] Even if our result was fairlylow when using the NB classifier it was still better than thoseof other works in the literature

Furthermore some important findings were foundduring analysis ese findings should be considered whencreating an effective detection systeme key findings of theanalysis are listed as follows

(i) Most of the new generation malware uses existingprocesses or newly created processes for maliciouspurposes

(ii) New generation malware tries to hide itself bycreating similar systems and third-party softwarefiles

(iii) Most malware creates malicious behaviors intemporary file paths

(iv) Malware usually tries to become permanent in thesystem by locating itself withinWindows automaticstartup locations

(v) Some malware displays the actual behaviors onlywhen it runs with administrator-level authority

(vi) Most malware creates random files (using mean-ingless file names)

(vii) Most new generation malware injects itself intoWindows system files (ldquosvchostexerdquo ldquowinlogo-nexerdquo and ldquoconhostexerdquo) or copies itself intodifferent file paths with the same or similar names

(vii) Some malware tries to find and disable existingsecurity software (firewall and antivirus program)as soon as it is performed

7 Limitations and Future Works

Even though SCBM is fast and efficient to detect malwarethere are some limitations needed to be mentioned eproposed model has been tested on uniformly distributed

020406080

100

200 500 700 1000 2000 9700

Perc

enta

ge (

)

Number of executed programs

FPRAccuracy

Figure 6 Average accuracy and FPR of classifiers versus thenumber of analyzed programs


dataset more zero-day malware need to be tested e testcases for malware is performed on virtual machines whichcan represent limited behaviors of malware [46] usrunning malware on real machine can improve the per-formance Besides suggested schema only tested on ourdataset if raw data of other datasets will be gathered in thefuture suggested schema will be tested on other datasets aswell e suggested schema will be integrated with othertechnologies such as cloud blockchain and deep learning tobuild more powerful detection system [46]

8 Conclusion

e SCBM is presented In the SCBM malware behaviorsand system paths where malware behaviors are performedare considered Features that could not exceed the specifiedscore are removed from the dataset is way maliciousbehavior patterns were differentiated from benign behaviorpatterns erefore datasets created using the proposedmodel contained far fewer features than datasets created byn-gram To evaluate the performance the proposed modelwas combined with an appropriate ML algorithm e testresults showed that the proposed model outperformed n-gram and some models used in other studies For theproposed model DR FPR and accuracies were 999 02and 998 respectively which are higher than those of n-gram and other methods

e test results also indicated that decision tree classifiers(J48 LMT and RF) and SLR yield better results thanclassifiers such as SMO KNN BN and NB BN and NBshow lower performance than other classifiers which showthat BN and NB are not appropriate classifiers It can beconcluded that the proposed method combined with ap-propriate ML algorithms has outperformed signature-baseddetection method n-gram model and other behavior-baseddetection methods e proposed model has performedeffectively for known and unknown malware

Data Availability

e data used to support the findings of this study areavailable from the corresponding author upon request

Conflicts of Interest

e authors declare that they have no conflicts of interestregarding the publication of this article

References

[1] E Masabo K S Kaawaase J Sansa-Otim J Ngubiri andD Hanyurwimfura ldquoA state of the art survey on polymorphicmalware analysis and detection techniquesrdquo ICTACT Journalof Soft Computing vol 8 no 4 2018

[2] S Morgan ldquoCybersecurity almanac 100 facts figures predic-tions and statistics Cisco and cybersecurity venturesrdquo 2019httpscybersecurityventurescomcybersecurity-almanac-2019

[3] R Samani and G Davis ldquoMcAfee mobile threat report Q1rdquo2019 httpswwwmcafeecomenterpriseen-usassetsreportsrp-mobile-threat-report-2019pdf

[4] Symantec Internet Security 6reat Report (ISTR) Vol 23Symantec Mountain View CA USA 2018

[5] M Sun X Li J C S Lui R T B Ma and Z Liang ldquoMonet auser-oriented behavior-based malware variants detectionsystem for androidrdquo IEEE Transactions on Information Fo-rensics and Security vol 12 no 5 pp 1103ndash1112 2017

[6] D Emre and R Samet ldquoA new model for secure joining toZigBee 30 networks in the internet of thingsrdquo in Proceedingsof the 2018 International Congress on Big Data Deep Learningand Fighting Cyber Terrorism (IBIGDELFT) pp 3-4 IEEEAnkara Turkey December 2018

[7] O Aslan and R Samet ldquoInvestigation of possibilities to detectmalware using existing toolsrdquo in Proceedings of the 2017 IEEEACS 14th International Conference on Computer Systems andApplications pp 1277ndash1284 IEEE Hammamet TunisiaOctober 2017

[8] Z Bazrafshan H Hashemi S M H Fard and A Hamzeh ldquoAsurvey on heuristic malware detection techniquesrdquo in Pro-ceedings of the 5th Conference on Information and KnowledgeTechnology May 2013

[9] K M Alzarooni ldquoMalware variant detectionrdquo Doctoral dis-sertation University College London London UK 2012

[10] O Aslan and R Samet ldquoMitigating cyber security attacks bybeing aware of vulnerabilities and bugsrdquo in Proceedings of the2017 International Conference on Cyberworlds (CW)pp 222ndash225 Chester UK September 2017

[11] M Egele T Scholte E Kirda and C Kruegel ldquoA survey onautomated dynamic malware-analysis techniques and toolsrdquoACM Computing Surveys vol 44 no 2 pp 1ndash42 2012

[12] S Spencer ldquoTimeline of computer virusesrdquo 2019 httpswwwmapconcomus-entimeline-of-computer-viruses

[13] ldquoHistory of Malwarerdquo 2019 httpswwwgdatasoftwarecomseccuritylabsinformationhistory-of-malware

[14] G Wagener R State and A Dulaunoy ldquoMalware behaviouranalysisrdquo Journal in Computer Virology vol 4 no 4pp 279ndash287 2008

[15] Y Park D S Reeves and M Stamp ldquoDeriving commonmalware behavior through graph clusteringrdquo Computers ampSecurity vol 39 pp 419ndash430 2013

[16] R Islam R Tian L M Batten and S Versteeg ldquoClassificationof malware based on integrated static and dynamic featuresrdquoJournal of Network and Computer Applications vol 36 no 2pp 646ndash656 2013

[17] S Naval V Laxmi M Rajarajan M S Gaur and M ContildquoEmploying program semantics for malware detectionrdquo IEEETransactions on Information Forensics and Security vol 10no 12 pp 2591ndash2604 2015

[18] S Das Y LiuW Zhang andM Chandramohan ldquoSemantics-based online malware detection towards efficient real-timeprotection against malwarerdquo IEEE Transactions on InformationForensics and Security vol 11 no 2 pp 289ndash302 2016

[19] H Zhang W Zhang Z Lv A K Sangaiah T Huang andN Chilamkurti ldquoMALDC a depth detection method formalware based on behavior chainsrdquo World Wide Webpp 1ndash20 2019

[20] Z Shan and X Wang ldquoGrowing grapes in your computer todefend against malwarerdquo IEEE Transactions on InformationForensics and Security vol 9 no 2 pp 196ndash207 2014

[21] C Kolbitsch P M Comparetti C Kruegel E KirdaX-Y Zhou and X Wang ldquoEffective and efficient malwaredetection at the end hostrdquo in Proceedings of the 2009 USENIXSecurity Symposium vol 4 no 1 pp 351ndash366 MontrealCanada August 2009


[22] Y Fukushima A Sakai Y Hori and K Sakurai ldquoA behaviorbased malware detection scheme for avoiding false positiverdquoin Proceedings of the 2010 6th IEEE Workshop on SecureNetwork Protocols pp 79ndash84 IEEE Kyoto Japan October2010

[23] A Lanzi D Balzarotti C Kruegel M Christodorescu andE Kirda ldquoAccessMiner using system-centric models formalware protectionrdquo in Proceedings of the 2010 ACMSymposium on Information Computers and Communica-tions Security pp 399ndash412 Chicago IL USA October2010

[24] M Chandramohan H B K Tan L C Briand L K Shar andB M Padmanabhuni ldquoA scalable approach for malwaredetection through bounded feature space behavior modelingrdquoin Proceedings of the 2013 28th IEEEACM InternationalConference on Automated Software Engineering (ASE)pp 312ndash322 IEEE Silicon Valley CA USA November 2013

[25] Y Ye T Li Q Jiang and Y Wang ldquoCIMDS adaptingpostprocessing techniques of associative classification formalware detectionrdquo IEEE Transactions on Systems Man andCybernetics Part C (Applications and Reviews) vol 40 no 3pp 298ndash307 2010

[26] H H Pajouh A Dehghantanha R Khayami andK-K R Choo ldquoIntelligent OS X malware threat detectionwith code inspectionrdquo Journal of Computer Virology andHacking Techniques vol 14 no 3 pp 213ndash223 2018

[27] S T Liu H C Huang and YM Chen ldquoA system call analysismethod with MapReduce for malware detectionrdquo in Pro-ceedings of the 2011 IEEE 17th International Conference onParallel and Distributed Systems pp 631ndash637 IEEE TainanTaiwan Decemeber 2011

[28] U Bayer I Habibi D Balzarotti E Kirda and C Kruegel ldquoAview on current malware behaviorsrdquo 2009 httpwwweurecomfrseminar3832

[29] B Alsulami A Srinivasan H Dong and S MancoridisldquoLight-weight behavioral malware detection for windowsplatformsrdquo US Patent Application No 16112825 2019

[30] C Choi C Esposito M Lee and J Choi ldquoMetamorphicmalicious code behavior detection using probabilistic infer-ence methodsrdquo Cognitive Systems Research vol 56 pp 142ndash150 2019

[31] E B Karbab and M Debbabi ldquoMalDy portable data-drivenmalware detection using natural language processing andmachine learning techniques on behavioral analysis reportsrdquoDigital Investigation vol 28 pp S77ndashS87 2019

[32] W Wang M Zhao and J Wang ldquoEffective android malwaredetection with a hybrid model based on deep auto encoderand convolutional neural networkrdquo Journal of Ambient In-telligence and Humanized Computing vol 10 no 8pp 3035ndash3043 2019

[33] Q K Ali Mirza I Awan and M Younas ldquoCloudIntell anintelligent malware detection systemrdquo Future GenerationComputer Systems vol 86 pp 1042ndash1053 2018

[34] Z Ma H Ge Y Liu M Zhao and J Ma ldquoA combinationmethod for android malware detection based on control flowgraphs and machine learning algorithmsrdquo IEEE Access vol 7pp 21235ndash21245 2019

[35] M Sikorski and A Honig Pratical Malware Analysis 6eHands-On Guide to Dissecting Malicious Software No StarchPress San Francisco CA USA 2012

[36] ldquoOpen malware benchmark malware downloading websiterdquo2019 httpmalwarebenchmarkorg

[37] ldquoViruSign malware downloading websiterdquo 2019 httpwwwvirusigncom

[38] ldquoMal share malware downloading websiterdquo 2019 httpsmalsharecom

[39] D B Malware ldquoOpen malware malware downloadingwebsiterdquo 2019 httpswwwopenmalwareorg

[40] ldquoKernelMode malware downloading websiterdquo 2019 httpswwwkernelmodeinfo

[41] ldquoTekdefense malware downloading websiterdquo 2019 httpwwwtekdefensecomdownloads

[42] ldquoVirustotal malware scanning service websiterdquo 2019 httpswwwvirustotalcom

[43] I Firdausi C Lim A Erwin and A S Nugroho ldquoAnalysis ofmachine learning techniques used in behavior-based malwaredetectionrdquo in Proceedings of the 2010 2nd InternationalConference on Advances in Computing Control and Tele-communication Technologies pp 201ndash203 Jakarta IndonesiaDecember 2010

[44] I Santos F Brezo X Ugarte-Pedrero and P G BringasldquoOpcode sequences as representation of executables for data-mining-based unknown malware detectionrdquo InformationSciences vol 231 pp 64ndash82 2013

[45] M Yousefi-Azar L G C Hamey V Varadharajan andS Chen ldquoMalytics a malware detection schemerdquo IEEE Accessvol 6 pp 49418ndash49431 2018

[46] O Aslan and R Samet ldquoA comprehensive review on malwaredetection approachesrdquo IEEE Access vol 8 pp 6249ndash62712020


detector observes program behaviors using monitoring toolsand determines whether the program is malware or benignAlthough program codes change the behavior of the programwill remain relatively the same thus new malware can bedetected with this method [7] However some malware doesnot run properly under the protected environment (eg virtualmachine and sandbox environment) and thus the malwaresample may be incorrectly marked as benign

In recent years heuristic-based detection methods havebeen used frequently ese methods are complex detectionmethods that apply both experience and different techniquessuch as rules and machine learning techniques [8] Howevereven if the heuristic technique can detect various forms ofknown and unknown malware [7] it cannot detect newmalware that is quite different from existingmalware Inmodelchecking-based detection malware behaviors are manuallyextracted and behavior groups are coded using linear temporallogic (LTL) to display a specific feature [9] Although modelchecking-based detection can successfully detect some un-known malware that could not be detected with the previous 3methods it is insufficient for detecting all new malware

In this paper the subtractive center behavior model(SCBM) which captures semantically associated behaviorswhen creating a dataset is proposed In this model inaddition to malware behaviors system paths where malwarebehaviors are executed are also considered

e proposed model makes the following contributions

(i) SCBM is proposed to create a malware dataset withfewer features than known models

(ii) Instead of directly using system calls as behaviorssystem calls are mapped to relevant behaviors

(iii) Behaviors are divided into groups and risk scoresare calculated based on the system path and active-passive behaviors

(iv) Features are extracted from behaviors according tothe type of resources and instances that have beenused is way malicious behavior patterns aresegregated from benign behavior patterns

(v) e proposed model can handle both known andunknown malware

(vi) e obtained detection rate and accuracy of theproposed model are higher than those of the knownmodels

e rest of this paper is organized as follows Section 2defines malware and describes trends in malware technol-ogies Related work is summarized in Section 3 SCBM isexplained in Section 4 and the case study is presented inSection 5 e results and discussion are provided in Section6 Finally the limitations and future works are given inSection 7 and the conclusion is given in Section 8

2 Definition of Malware and Trends inMalware Technologies

Any software that intentionally executes malicious payloadson victim machines is considered to be malware [7] ere

are different types of malware including viruses wormsTrojan horses rootkits and ransomware Commonmalwaretypes and their primary characteristics can be seen in Table 1e malware types and families are designed to affect theoriginal victimmachine in different ways (eg damaging thetargeted system allowing remote code execution andstealing confidential data) Generally hackers launch anattack by using malware which exploits vulnerabilities inexisting systems such as buffer overflow injection andsensitive data misconfiguration [10] ese days the clas-sification of malware is becoming more complex becausesome malware instances can present the characteristics ofmultiple classes at the same time [11]

Viruses which are considered to be first malware thatappeared in the wild were defined as self-replicatingautomata by John von Neumann in the 1950s Howeverpractically the first virus called ldquothe Creeperrdquo was created in1971 by Bobomas [12 13] In the early days this softwarewas written for simple purposes but in time it was replacedby a new generation of malware that targeted large com-panies and governments Malware that runs in the kernelmode is more destructive and difficult to detect than tra-ditional malware and it can be defined as a new generation(next generation) of malware e comparison betweentraditional and new generation malware can be seen inTable 2

e inability to implement the operating system controlfeatures in the kernel mode makes the detection of newgeneration malware difficult is malware can easily bypassprotection software that is running in the kernel mode suchas antivirus software and firewalls In addition by using thissoftware targeted and persistent cyberattacks that havenever been seen before can be launched and more than onetype of malware can be used during the attacks Examples oftraditional versus new generation malware can be seen inFigures 1 and 2

M represents malware and (P1 P2 P3 P4) show therunning processes that interact with the malware First Mcopies itself into different processes such as P1 P2 and P3enM deletes itself from the system to make itself invisible(Figure 2) In early days rootkits were using similar tech-niques to hide themselves from the system However inprocess of time many other kinds of malware (in some casesrootkits are combining with viruses worms and Trojanhorses) have started to use similar techniques to hidethemselves as well With the help of the processes it hasrecently copied (P1⟶P2 P1⟶ P3 P3⟶ P4) and itconnects to remote system and makes changes on thevictimrsquos operating system Even if the actual malwarecontaining the malicious code has deleted itself from thesystem the new version of the malware remains in andaffects the system because the actual malware injecteditself into different processes such as existing system filesthird-party software and newly created processes whichmake the malware almost impossible to detect To de-termine the malicious software mentioned in Figure 2 Mand the P1 P2 P3 and P4 processes must be examinedseparately and the relations among these processesshould be determined












Trojan Horse



Backdoor











Hardware


M P1

Operating system

Hardware

RemotesystemM(D)

Deletedprocess

P2

P3

P4







3 Related Work
































































Identify processes


Feature extraction

Features

Selected features


Identify behaviors

Group the behaviors











n (1)

























F a ab ac b bd c d


(2)







5 Case Study























Program 1 13

13

13

13

12

23

15

11

00









DR recall TP

TP + FN

FPR FP

FP + TN


accuracy TP + TN

TP + TN + FP + FN

(3)














4-gram


Proposed model













FPR()

Acc() Year



2010SVM 845 mdash 834J48 568 mdash 573


Santos et al [44]

KNNK 2 mdash 14 907

2013J48 mdash 9 912NB mdash 31 796


2018RF 932 682 901KNN 90 10 912

Proposed method

J48 999 02 998

2019SLR 974 2 974SMO 932 68 931KNN 996 08 9962NB 756 153 7562

0 20 40 60 80 100

J48

LMT

RF

SLR

SMO

KNN

BN

NB

Percentage ()

Clas

sifie

r





















020406080

100

200 500 700 1000 2000 9700

Perc

enta

ge (

)


FPRAccuracy




8 Conclusion



Data Availability




References



























































Trojan Horse



Backdoor











Hardware


M P1

Operating system

Hardware

RemotesystemM(D)

Deletedprocess

P2

P3

P4







3 Related Work
































































Identify processes


Feature extraction

Features

Selected features


Identify behaviors

Group the behaviors











n (1)

























F a ab ac b bd c d


(2)







5 Case Study























Program 1 13

13

13

13

12

23

15

11

00









DR recall TP

TP + FN

FPR FP

FP + TN


accuracy TP + TN

TP + TN + FP + FN

(3)














4-gram


Proposed model













FPR()

Acc() Year



2010SVM 845 mdash 834J48 568 mdash 573


Santos et al [44]

KNNK 2 mdash 14 907

2013J48 mdash 9 912NB mdash 31 796


2018RF 932 682 901KNN 90 10 912

Proposed method

J48 999 02 998

2019SLR 974 2 974SMO 932 68 931KNN 996 08 9962NB 756 153 7562

0 20 40 60 80 100

J48

LMT

RF

SLR

SMO

KNN

BN

NB

Percentage ()

Clas

sifie

r





















020406080

100

200 500 700 1000 2000 9700

Perc

enta

ge (

)


FPRAccuracy




8 Conclusion



Data Availability




References





















































3 Related Work
































































Identify processes


Feature extraction

Features

Selected features


Identify behaviors

Group the behaviors











n (1)

























F a ab ac b bd c d


(2)







5 Case Study























Program 1 13

13

13

13

12

23

15

11

00









DR recall TP

TP + FN

FPR FP

FP + TN


accuracy TP + TN

TP + TN + FP + FN

(3)














4-gram


Proposed model













FPR()

Acc() Year



2010SVM 845 mdash 834J48 568 mdash 573


Santos et al [44]

KNNK 2 mdash 14 907

2013J48 mdash 9 912NB mdash 31 796


2018RF 932 682 901KNN 90 10 912

Proposed method

J48 999 02 998

2019SLR 974 2 974SMO 932 68 931KNN 996 08 9962NB 756 153 7562

0 20 40 60 80 100

J48

LMT

RF

SLR

SMO

KNN

BN

NB

Percentage ()

Clas

sifie

r





















020406080

100

200 500 700 1000 2000 9700

Perc

enta

ge (

)


FPRAccuracy




8 Conclusion



Data Availability




References



































































































Identify processes


Feature extraction

Features

Selected features


Identify behaviors

Group the behaviors











n (1)

























F a ab ac b bd c d


(2)







5 Case Study























Program 1 13

13

13

13

12

23

15

11

00









DR recall TP

TP + FN

FPR FP

FP + TN


accuracy TP + TN

TP + TN + FP + FN

(3)














4-gram


Proposed model













FPR()

Acc() Year



2010SVM 845 mdash 834J48 568 mdash 573


Santos et al [44]

KNNK 2 mdash 14 907

2013J48 mdash 9 912NB mdash 31 796


2018RF 932 682 901KNN 90 10 912

Proposed method

J48 999 02 998

2019SLR 974 2 974SMO 932 68 931KNN 996 08 9962NB 756 153 7562

0 20 40 60 80 100

J48

LMT

RF

SLR

SMO

KNN

BN

NB

Percentage ()

Clas

sifie

r





















020406080

100

200 500 700 1000 2000 9700

Perc

enta

ge (

)


FPRAccuracy




8 Conclusion



Data Availability




References
























































































Identify processes


Feature extraction

Features

Selected features


Identify behaviors

Group the behaviors











n (1)

























F a ab ac b bd c d


(2)







5 Case Study























Program 1 13

13

13

13

12

23

15

11

00









DR recall TP

TP + FN

FPR FP

FP + TN


accuracy TP + TN

TP + TN + FP + FN

(3)














4-gram


Proposed model













FPR()

Acc() Year



2010SVM 845 mdash 834J48 568 mdash 573


Santos et al [44]

KNNK 2 mdash 14 907

2013J48 mdash 9 912NB mdash 31 796


2018RF 932 682 901KNN 90 10 912

Proposed method

J48 999 02 998

2019SLR 974 2 974SMO 932 68 931KNN 996 08 9962NB 756 153 7562

0 20 40 60 80 100

J48

LMT

RF

SLR

SMO

KNN

BN

NB

Percentage ()

Clas

sifie

r





















020406080

100

200 500 700 1000 2000 9700

Perc

enta

ge (

)


FPRAccuracy




8 Conclusion



Data Availability




References

































































Identify processes


Feature extraction

Features

Selected features


Identify behaviors

Group the behaviors











n (1)

























F a ab ac b bd c d


(2)







5 Case Study























Program 1 13

13

13

13

12

23

15

11

00









DR recall TP

TP + FN

FPR FP

FP + TN


accuracy TP + TN

TP + TN + FP + FN

(3)














4-gram


Proposed model













FPR()

Acc() Year



2010SVM 845 mdash 834J48 568 mdash 573


Santos et al [44]

KNNK 2 mdash 14 907

2013J48 mdash 9 912NB mdash 31 796


2018RF 932 682 901KNN 90 10 912

Proposed method

J48 999 02 998

2019SLR 974 2 974SMO 932 68 931KNN 996 08 9962NB 756 153 7562

0 20 40 60 80 100

J48

LMT

RF

SLR

SMO

KNN

BN

NB

Percentage ()

Clas

sifie

r





















020406080

100

200 500 700 1000 2000 9700

Perc

enta

ge (

)


FPRAccuracy




8 Conclusion



Data Availability




References






















































n (1)

























F a ab ac b bd c d


(2)







5 Case Study























Program 1 13

13

13

13

12

23

15

11

00









DR recall TP

TP + FN

FPR FP

FP + TN


accuracy TP + TN

TP + TN + FP + FN

(3)














4-gram


Proposed model













FPR()

Acc() Year



2010SVM 845 mdash 834J48 568 mdash 573


Santos et al [44]

KNNK 2 mdash 14 907

2013J48 mdash 9 912NB mdash 31 796


2018RF 932 682 901KNN 90 10 912

Proposed method

J48 999 02 998

2019SLR 974 2 974SMO 932 68 931KNN 996 08 9962NB 756 153 7562

0 20 40 60 80 100

J48

LMT

RF

SLR

SMO

KNN

BN

NB

Percentage ()

Clas

sifie

r





















020406080

100

200 500 700 1000 2000 9700

Perc

enta

ge (

)


FPRAccuracy




8 Conclusion



Data Availability




References





































































F a ab ac b bd c d


(2)







5 Case Study























Program 1 13

13

13

13

12

23

15

11

00









DR recall TP

TP + FN

FPR FP

FP + TN


accuracy TP + TN

TP + TN + FP + FN

(3)














4-gram


Proposed model













FPR()

Acc() Year



2010SVM 845 mdash 834J48 568 mdash 573


Santos et al [44]

KNNK 2 mdash 14 907

2013J48 mdash 9 912NB mdash 31 796


2018RF 932 682 901KNN 90 10 912

Proposed method

J48 999 02 998

2019SLR 974 2 974SMO 932 68 931KNN 996 08 9962NB 756 153 7562

0 20 40 60 80 100

J48

LMT

RF

SLR

SMO

KNN

BN

NB

Percentage ()

Clas

sifie

r





















020406080

100

200 500 700 1000 2000 9700

Perc

enta

ge (

)


FPRAccuracy




8 Conclusion



Data Availability




References

























































F a ab ac b bd c d


(2)







5 Case Study























Program 1 13

13

13

13

12

23

15

11

00









DR recall TP

TP + FN

FPR FP

FP + TN


accuracy TP + TN

TP + TN + FP + FN

(3)














4-gram


Proposed model













FPR()

Acc() Year



2010SVM 845 mdash 834J48 568 mdash 573


Santos et al [44]

KNNK 2 mdash 14 907

2013J48 mdash 9 912NB mdash 31 796


2018RF 932 682 901KNN 90 10 912

Proposed method

J48 999 02 998

2019SLR 974 2 974SMO 932 68 931KNN 996 08 9962NB 756 153 7562

0 20 40 60 80 100

J48

LMT

RF

SLR

SMO

KNN

BN

NB

Percentage ()

Clas

sifie

r





















020406080

100

200 500 700 1000 2000 9700

Perc

enta

ge (

)


FPRAccuracy




8 Conclusion



Data Availability




References



















































5 Case Study























Program 1 13

13

13

13

12

23

15

11

00









DR recall TP

TP + FN

FPR FP

FP + TN


accuracy TP + TN

TP + TN + FP + FN

(3)














4-gram


Proposed model













FPR()

Acc() Year



2010SVM 845 mdash 834J48 568 mdash 573


Santos et al [44]

KNNK 2 mdash 14 907

2013J48 mdash 9 912NB mdash 31 796


2018RF 932 682 901KNN 90 10 912

Proposed method

J48 999 02 998

2019SLR 974 2 974SMO 932 68 931KNN 996 08 9962NB 756 153 7562

0 20 40 60 80 100

J48

LMT

RF

SLR

SMO

KNN

BN

NB

Percentage ()

Clas

sifie

r





















020406080

100

200 500 700 1000 2000 9700

Perc

enta

ge (

)


FPRAccuracy




8 Conclusion



Data Availability




References
































































Program 1 13

13

13

13

12

23

15

11

00









DR recall TP

TP + FN

FPR FP

FP + TN


accuracy TP + TN

TP + TN + FP + FN

(3)














4-gram


Proposed model













FPR()

Acc() Year



2010SVM 845 mdash 834J48 568 mdash 573


Santos et al [44]

KNNK 2 mdash 14 907

2013J48 mdash 9 912NB mdash 31 796


2018RF 932 682 901KNN 90 10 912

Proposed method

J48 999 02 998

2019SLR 974 2 974SMO 932 68 931KNN 996 08 9962NB 756 153 7562

0 20 40 60 80 100

J48

LMT

RF

SLR

SMO

KNN

BN

NB

Percentage ()

Clas

sifie

r





















020406080

100

200 500 700 1000 2000 9700

Perc

enta

ge (

)


FPRAccuracy




8 Conclusion



Data Availability




References




















































DR recall TP

TP + FN

FPR FP

FP + TN


accuracy TP + TN

TP + TN + FP + FN

(3)














4-gram


Proposed model













FPR()

Acc() Year



2010SVM 845 mdash 834J48 568 mdash 573


Santos et al [44]

KNNK 2 mdash 14 907

2013J48 mdash 9 912NB mdash 31 796


2018RF 932 682 901KNN 90 10 912

Proposed method

J48 999 02 998

2019SLR 974 2 974SMO 932 68 931KNN 996 08 9962NB 756 153 7562

0 20 40 60 80 100

J48

LMT

RF

SLR

SMO

KNN

BN

NB

Percentage ()

Clas

sifie

r





















020406080

100

200 500 700 1000 2000 9700

Perc

enta

ge (

)


FPRAccuracy




8 Conclusion



Data Availability




References





















































4-gram


Proposed model













FPR()

Acc() Year



2010SVM 845 mdash 834J48 568 mdash 573


Santos et al [44]

KNNK 2 mdash 14 907

2013J48 mdash 9 912NB mdash 31 796


2018RF 932 682 901KNN 90 10 912

Proposed method

J48 999 02 998

2019SLR 974 2 974SMO 932 68 931KNN 996 08 9962NB 756 153 7562

0 20 40 60 80 100

J48

LMT

RF

SLR

SMO

KNN

BN

NB

Percentage ()

Clas

sifie

r





















020406080

100

200 500 700 1000 2000 9700

Perc

enta

ge (

)


FPRAccuracy




8 Conclusion



Data Availability




References


































































020406080

100

200 500 700 1000 2000 9700

Perc

enta

ge (

)


FPRAccuracy




8 Conclusion



Data Availability




References


















































8 Conclusion



Data Availability




References











































































Documents

ResearchArticle ...downloads.hindawi.com/journals/scn/2020/7501894.pdf · ing methods to make the detection process more diﬃcult. is makes practically almost impossible to detect