Study on Malware Detection Based on API Calls Characteristic

Master's thesis, National Yunlin University of Science and Technology (國立雲林科技大學), Department of Computer Science and Information Engineering (資訊工程系), academic year 103 (ROC calendar).

In recent years, the rapid development, popularization and application of computers and networks have brought ever more convenience to daily life. However, a great deal of information-technology crime has emerged as well, and traditional crime patterns have been evolving into cybercrime patterns. Traditional methods of collecting forensic evidence are not enough to contend with them, so the judiciary has started to use various information-technology methods to obtain the information stored on computers and storage media. At the same time, cybersecurity is threatened by crimes such as creating and spreading computer viruses, stealing information, hacking and sabotage, so law enforcement agencies face new difficulties and challenges. To address the problem that current malware detection methods cannot effectively detect and analyze malware, this thesis proposes a new framework for malware behavior identification and classification that uses a static approach. Our method analyzes the API functions and parameters used by malware to determine the type of malware and to observe its behavior. The detection method consists of two stages. First, we extract the import address table (IAT) from the structure of the PE file and take the combination of API calls it reveals as the analysis target; the sets of API calls that each type of malware must use are treated as feature vectors for analyzing malware. Second, in addition to determining which APIs the malware uses, we also analyze their parameters to achieve better detection accuracy. Experimental results show that our malware detection framework can effectively detect malware and categorize its type, and can help investigators in the forensic analysis of malware.


Bibliographic Details
Main Authors: Jyun-Wei Lin, 林駿威
Other Authors: Wen-Chung Kuo
Format: Others
Language: zh-TW
Published: 2015
Online Access: http://ndltd.ncl.edu.tw/handle/cyv575
Record ID: ndltd-TW-103YUNT0392009
Record format: oai_dc
Record updated: 2019-06-27T05:24:55Z
Chinese title: 基於API呼叫特徵機制於惡意程式偵測之研究
Advisors: Wen-Chung Kuo (郭文中), Lih-Chyau Wuu (伍麗樵)
Type: thesis (學位論文); 49 pages; published 2015; language zh-TW