
Research On The Malware Detection Based On Windows API Call Behavior

Posted on: 2017-05-30
Degree: Master
Type: Thesis
Country: China
Candidate: X Y Duan
Full Text: PDF
GTID: 2308330485478194
Subject: Software engineering
Abstract/Summary:
Information security is a problem that demands attention in today's internet society. The number of malware samples is growing rapidly and poses a serious risk to the security of information on the internet, so detecting malware efficiently is a pressing problem. Signature-based detection cannot keep up with the huge volume of malware, especially new families, which is why behavior-based detection has emerged. Malware detection based on Windows API call behavior is an active research topic, and I studied the Windows API call behavior of malware and benign software in order to improve the malware detection rate.

I combined text analysis and data mining techniques to study Windows API call behavior. In total I generated 5 types of features and ran 6 different experiments. First, a professional hooking tool was used to record the Windows API calls of malware and benign software, producing a dataset of Windows API call log files; this turns the analysis of behavior into the analysis of text. From the logs I generated 3 types of features at increasing levels of detail: the Windows API name alone; the Windows API with its parameter names; and the Windows API with its parameter names and parameter values. The last of these is a new feature. I then selected features by combining term frequency (TF) with information gain. I also studied Windows API call frequency and the relationships between Windows API calls; for call frequency I modified TF-IDF so that the resulting feature vectors suit my dataset better. Finally I ran the experiments with four classical classifiers, Naive Bayes, SMO, J48 and Random Forests, and evaluated the results with the evaluation metrics used in text analysis.

The research shows that Windows API call log files carry rich information, and that detecting malware from Windows API call behavior is a better and useful approach. In follow-up work I will continue to study other aspects of the Windows API call log files.
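The pipeline the abstract describes (API call logs treated as text, three feature granularities, TF plus information-gain feature selection, TF-IDF vectors) can be reproduced end to end in a few dozen lines. The following is an added example, not code from the thesis: the log line format `Api(param=value, ...)`, the four sample traces and their labels are constructed here for illustration, the thesis does not name its hooking tool, and because its modification of TF-IDF is not specified the block uses the standard TF-IDF weighting. The resulting vectors are what one would hand to Weka or scikit-learn for the Naive Bayes, SMO, J48 and Random Forests runs.

```python
"""Windows API call logs -> text features -> TF + information-gain selection -> TF-IDF.
Added example; not the thesis author's code.  Log format and samples are constructed."""
import math
import re
from collections import Counter

# Constructed sample traces (not real malware).  One call per line: Api(p1=v1, p2=v2).
SAMPLES = {
    "mal1": ["CreateFileW(lpFileName=C:\\Windows\\System32\\drivers\\etc\\hosts, dwDesiredAccess=GENERIC_WRITE)",
             "WriteFile(hFile=0x1c4, nNumberOfBytesToWrite=512)",
             "RegSetValueExW(hKey=HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run, lpValueName=svc)",
             "CreateRemoteThread(hProcess=0x2a0, lpStartAddress=0x7ff61000)"],
    "mal2": ["RegSetValueExW(hKey=HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run, lpValueName=svc)",
             "CreateRemoteThread(hProcess=0x1f8, lpStartAddress=0x7ff62000)",
             "WriteFile(hFile=0x1d0, nNumberOfBytesToWrite=1024)"],
    "ben1": ["CreateFileW(lpFileName=C:\\Users\\a\\notes.txt, dwDesiredAccess=GENERIC_READ)",
             "ReadFile(hFile=0x1a0, nNumberOfBytesToRead=4096)",
             "CloseHandle(hObject=0x1a0)"],
    "ben2": ["CreateFileW(lpFileName=C:\\Users\\a\\report.docx, dwDesiredAccess=GENERIC_READ)",
             "ReadFile(hFile=0x1b0, nNumberOfBytesToRead=4096)",
             "WriteFile(hFile=0x1b4, nNumberOfBytesToWrite=64)",
             "CloseHandle(hObject=0x1b0)"],
}
LABELS = {"mal1": 1, "mal2": 1, "ben1": 0, "ben2": 0}  # 1 = malware, 0 = benign

CALL_RE = re.compile(r"^(\w+)\((.*)\)$")

def parse_call(line):
    """Split 'Api(p1=v1, p2=v2)' into ('Api', [('p1', 'v1'), ('p2', 'v2')])."""
    m = CALL_RE.match(line.strip())
    if not m:
        raise ValueError("unparsable log line: %r" % line)
    api, args = m.group(1), m.group(2)
    params = []
    for part in (args.split(", ") if args else []):
        name, _, value = part.partition("=")
        params.append((name, value))
    return api, params

def features(lines, level):
    """Level 1: API name; level 2: API + parameter names; level 3: API + names + values."""
    out = []
    for line in lines:
        api, params = parse_call(line)
        if level == 1:
            out.append(api)
        elif level == 2:
            out.append(api + "(" + ",".join(n for n, _ in params) + ")")
        else:
            out.append(api + "(" + ",".join(n + "=" + v for n, v in params) + ")")
    return out

def entropy(counts):
    total = sum(counts)
    return -sum(c / total * math.log2(c / total) for c in counts if c)

def information_gain(docs, labels):
    """IG of each feature's presence/absence with respect to the malware/benign label."""
    ids = list(docs)
    n = len(ids)
    base = entropy(list(Counter(labels[i] for i in ids).values()))
    ig = {}
    for f in {t for i in ids for t in docs[i]}:
        cond = 0.0
        for group in ([i for i in ids if f in docs[i]], [i for i in ids if f not in docs[i]]):
            if group:
                cond += len(group) / n * entropy(list(Counter(labels[i] for i in group).values()))
        ig[f] = base - cond
    return ig

def select_features(docs, labels, min_tf=2, k=5):
    """TF filter first (drops singleton tokens, which dominate level 3), then top-k by IG."""
    tf = Counter(t for d in docs.values() for t in d)
    ig = information_gain(docs, labels)
    kept = [f for f in ig if tf[f] >= min_tf]
    kept.sort(key=lambda f: (-ig[f], -tf[f], f))
    return kept[:k]

def tfidf_vectors(docs, vocab):
    """Standard TF-IDF over the selected vocabulary; one vector per sample."""
    n = len(docs)
    df = {f: sum(1 for d in docs.values() if f in d) for f in vocab}
    vecs = {}
    for sid, d in docs.items():
        c = Counter(d)
        vecs[sid] = [c[f] / len(d) * math.log(n / df[f]) if df[f] else 0.0 for f in vocab]
    return vecs

if __name__ == "__main__":
    for level in (1, 2, 3):
        docs = {sid: features(lines, level) for sid, lines in SAMPLES.items()}
        vocab = select_features(docs, LABELS)
        print("level", level, "selected features:", vocab)
        for sid, v in tfidf_vectors(docs, vocab).items():
            print("  ", sid, LABELS[sid], [round(x, 4) for x in v])
```

Running it shows the trade-off the three granularities create: at level 1 the persistence and injection APIs (RegSetValueExW, CreateRemoteThread) and the benign-only ReadFile/CloseHandle all reach an information gain of 1.0 on this toy set, while at level 3 almost every token is unique because handles and paths differ per run, so only the repeated Run-key value survives the TF filter. That sparsity is why a frequency cut-off has to precede the information-gain ranking rather than replace it.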
Keywords/Search Tags: Windows API Call, Malware Detection, Feature Selection, Text Classification