Logo PTI
Polish Information Processing Society
Logo FedCSIS

Annals of Computer Science and Information Systems, Volume 11

Proceedings of the 2017 Federated Conference on Computer Science and Information Systems

High-Level Malware Behavioural Patterns: Extractability Evaluation


DOI: http://dx.doi.org/10.15439/2017F354

Citation: Proceedings of the 2017 Federated Conference on Computer Science and Information Systems, M. Ganzha, L. Maciaszek, M. Paprzycki (eds). ACSIS, Vol. 11, pages 569572 ()

Full text

Abstract. Many promising malware research projects focus on malware behaviour analysis, however, in the end they tend to build new detection systems and stick to measuring detection ratios. Our approach focuses on malware behavioural analysis for defining (characterising) malicious software on rather high level of abstraction, in order to break the endless cycle of evolving malware and malware analysts trying to catch up on new threats. As our research outlines, even such high-level behavioural information as numbers of occurrences of some behavioural events, can be successfully extracted from program samples and interpreted for extraction of repeating behavioural patterns. While this may seem simple at the first glance, there are plenty variables entering the process of behavioural data acquisition and pattern extraction.


  1. A. Moser, C. Kruegel, and E. Kirda, “Limits of static analysis for malware detection,” in Twenty-Third Annual Computer Security Applications Conference, ACSAC 2007, Dec 2007. http://dx.doi.org/10.1109/ACSAC.2007.21 pp. 421–430.
  2. S. Josse, “Secure and advanced unpacking using computer emulation,” Journal in Computer Virology, vol. 3, no. 3, pp. 221–236, 2007. http://dx.doi.org/10.1007/s11416-007-0046-0
  3. J. Stastna and M. Tomasek, “Exploring malware behaviour for improvement of malware signatures,” in IEEE 13th International Scientific Conference on Informatics, 2015, Nov 2015. http://dx.doi.org/10.1109/Informatics.2015.7377846 pp. 275–280.
  4. J. Št’astná and M. Tomášek, “The problem of malware packing and its occurrence in harmless software,” Acta Electrotechnica et Informatica, vol. 16, no. 3, pp. 41–47, 2016. http://dx.doi.org/0.15546/aeei-2016-0022
  5. J.-M. Borello and L. Mé, “Code obfuscation techniques for metamorphic viruses,” Journal in Computer Virology, vol. 4, no. 3, pp. 211–220, 2008. http://dx.doi.org/10.1007/s11416-008-0084-2
  6. H. R. Borojerdi and M. Abadi, “Malhunter: Automatic generation of multiple behavioral signatures for polymorphic malware detection,” in 3th International eConference on Computer and Knowledge Engineering (ICCKE), 2013, Oct 2013. http://dx.doi.org/10.1109/ICCKE.2013.6682867 pp. 430–436.
  7. J. Št’astná and M. Tomášek, Characterising Malicious Software with High-Level Behavioural Patterns, ser. Lecture Notes in Computer Science. Springer International Publishing, 2017, vol. 10139, pp. 473–484. http://dx.doi.org/10.1007/978-3-319-51963-0_37
  8. P. Hlinka, M. Tomášek, and J. Št’astná, “Collecting significant information from results of malicious software analysis,” Electrical Engineering and Informatics 7, pp. 103–108, 2016.
  9. R. Canzanese, M. Kam, and S. Mancoridis, “Toward an automatic, online behavioral malware classification system,” in 2013 IEEE 7th International Conference on Self-Adaptive and Self-Organizing Systems, Sept 2013. http://dx.doi.org/10.1109/SASO.2013.8 pp. 111–120.
  10. I. K. Cho and E. G. Im, “Extracting representative api patterns of malware families using multiple sequence alignments,” in Proceedings of the 2015 Conference on Research in Adaptive and Convergent Systems, ser. RACS. New York, NY, USA: ACM, 2015. http://dx.doi.org/10.1145/2811411.2811543 pp. 308–313.
  11. A. Hellal and L. B. Romdhane, “Minimal contrast frequent pattern mining for malware detection,” Computers & Security, vol. 62, pp. 19 – 32, 2016. http://dx.doi.org/https://doi.org/10.1016/j.cose.2016.06.004
  12. J. Konorski, P. Pacyna, G. Kolaczek, Z. Kotulski, K. Cabaj, and P. Szalachowski, “Theory and implementation of a virtualisation level future internet defence in depth architecture,” in Int. J. of Trust Management in Computing and Communications, vol. 1, no. 3, 2013. http://dx.doi.org/10.1504/IJTMCC.2013.056431 pp. 274–299.