An Effective Method to Detect Environment-Aware Malware Based on the Behavioral Distances Comparison

Document Type : Original Article

Abstract

Static analysis methods are increasingly ineffective against malware that uses code polymorphism, metamorphism, obfuscation, and self-modifying code, so dynamic and heuristic methods that analyze the runtime behavior of malware have become particularly important. Environment-aware malware, which conceals its malicious behavior through dynamic anti-analysis techniques, in turn causes problems for dynamic detection methods in practice. The purpose of this study is to present an effective method for detecting environment-aware malware. The method exploits the split-personality behavior of such malware: each malicious and benign sample is executed under two system call tracers with different monitoring techniques, NtTrace and drstrace, and the behavioral distances between the resulting traces are used as training data for a Support Vector Machine model. The resulting SVM classifier detects this type of malware with average precision, recall, and accuracy of up to 100%, whereas evaluation of previous related work shows average precision, recall, and accuracy of 96.85%, 95.68%, and 96.12%, respectively.
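The following is an added illustration of the idea in the abstract, not code from the paper: a sample is traced under two tracers with different monitoring techniques, and the distance between its two traces becomes its feature vector. A benign program behaves the same under both tracers, so the distance is near zero; a split-personality sample that exits early under one tracer and runs its payload under the other shows a large distance. The traces are constructed in a simplified one-call-per-line format (not real NtTrace or drstrace output), the three distance measures are the author's choice of common sequence, set and histogram distances, and a perceptron stands in for the paper's SVM so the block runs without third-party packages.

```python
"""Behavioral-distance features for split-personality malware (added example).

Each sample is traced twice, under tracers that monitor by different
techniques (the paper uses NtTrace and drstrace), and the distance between
the two traces is the sample's feature vector.  Traces below are constructed;
a perceptron stands in for the paper's SVM.
"""
import math
from collections import Counter


def parse_trace(text):
    """Return ordered call names from 'NtName(args) => status' lines.

    Arguments and status codes are dropped: the distance is over the call
    sequence, which is what changes when a sample switches personality.
    """
    calls = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            calls.append(line.split("(", 1)[0].strip())
    return calls


def edit_distance(a, b):
    """Levenshtein distance between two call sequences (classic DP table)."""
    prev = list(range(len(b) + 1))
    for i, x in enumerate(a, 1):
        cur = [i]
        for j, y in enumerate(b, 1):
            cur.append(min(prev[j] + 1,               # drop x
                           cur[j - 1] + 1,            # insert y
                           prev[j - 1] + (x != y)))   # match or substitute
        prev = cur
    return prev[-1]


def behavioral_distance(trace_a, trace_b):
    """Distances between one sample's two traces, each in [0, 1]:
    (normalized edit distance over the call sequence, Jaccard distance over
    the set of distinct calls, cosine distance over call-count histograms)."""
    a, b = parse_trace(trace_a), parse_trace(trace_b)
    longest = max(len(a), len(b))
    seq = edit_distance(a, b) / longest if longest else 0.0
    sa, sb = set(a), set(b)
    jac = 1.0 - len(sa & sb) / len(sa | sb) if (sa or sb) else 0.0
    ca, cb = Counter(a), Counter(b)
    dot = sum(ca[k] * cb[k] for k in ca.keys() | cb.keys())
    norm = math.sqrt(sum(v * v for v in ca.values())) * math.sqrt(sum(v * v for v in cb.values()))
    cos = 1.0 - dot / norm if norm else (0.0 if longest == 0 else 1.0)  # one empty trace: maximal
    return (seq, jac, cos)


def _trace(*calls):
    """Build a constructed trace in the simplified line format from call names."""
    return "\n".join(f"{c}(...) => 0" for c in calls)


# Constructed samples (hypothetical names): (trace under tracer 1, trace under tracer 2).
READ = ("NtOpenFile", "NtQueryInformationFile", "NtReadFile", "NtClose")
TRACES = {
    "benign_reader": (_trace(*READ), _trace(*READ)),
    # Benign traces need not be identical; one tracer saw an extra flush.
    "benign_writer": (_trace("NtCreateFile", "NtWriteFile", "NtClose"),
                      _trace("NtCreateFile", "NtWriteFile", "NtFlushBuffersFile", "NtClose")),
    # Split personality: exits right after its environment check under one
    # tracer; drops a file, persists and spawns a process under the other.
    "evasive_env_check": (_trace("NtQueryInformationProcess", "NtTerminateProcess"),
                          _trace("NtQueryInformationProcess", "NtCreateFile", "NtWriteFile",
                                 "NtSetValueKey", "NtCreateUserProcess", "NtClose")),
    "evasive_timing_check": (_trace("NtQueryPerformanceCounter", "NtQueryPerformanceCounter",
                                    "NtTerminateProcess"),
                             _trace("NtQueryPerformanceCounter", "NtQueryPerformanceCounter", "NtOpenKey",
                                    "NtSetValueKey", "NtCreateFile", "NtWriteFile", "NtClose")),
}
LABELS = {"benign_reader": -1, "benign_writer": -1, "evasive_env_check": 1, "evasive_timing_check": 1}


def predict_score(w, x):
    """Linear score with bias as the last weight; positive means environment-aware."""
    return sum(wi * xi for wi, xi in zip(w, list(x) + [1.0]))


def train_perceptron(X, y, epochs=1000):
    """Perceptron stand-in for the paper's SVM (+1 environment-aware, -1 benign).
    Stops at the first mistake-free epoch, so on separable training data the
    returned weights classify every training sample correctly."""
    w = [0.0] * (len(X[0]) + 1)
    for _ in range(epochs):
        mistakes = 0
        for x, label in zip(X, y):
            if label * predict_score(w, x) <= 0:
                w = [wi + label * xi for wi, xi in zip(w, list(x) + [1.0])]
                mistakes += 1
        if mistakes == 0:
            break
    return w


def classify_samples():
    """Extract features for every constructed sample, train, and label them all."""
    names = list(TRACES)
    X = [behavioral_distance(*TRACES[n]) for n in names]
    w = train_perceptron(X, [LABELS[n] for n in names])
    return {n: (1 if predict_score(w, x) > 0 else -1) for n, x in zip(names, X)}


if __name__ == "__main__":
    for name, pair in TRACES.items():
        print(name, ["%.3f" % d for d in behavioral_distance(*pair)])
    print(classify_samples())
```

The feature vectors are classifier-agnostic: with scikit-learn installed they can be fed to a scaled `SVC` exactly as the paper does with its SVM. The caveat a practitioner should keep in mind is that the signal depends on the two tracers being evaded differently. If a sample detects both monitoring techniques with the same check, it shows the same truncated behavior under both tracers, the distance is near zero, and the sample looks benign to this approach.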
 
