The International Arab Journal of Information Technology (IAJIT)



An Improved Process Supervision and Control Method for Malware Detection

Most modern malware detection methods and algorithms depend on prior knowledge of malware specifications. Discovering new malware by relying solely on computer-based automatic solutions with no human intervention currently appears out of reach. Many malware samples never decode the harmful parts of their code until a specific event triggers them. Others detect virtual machine or sandbox environments and hide their true nature. Detecting these kinds of malware, specifically multi-event ones, is nearly impossible for fully automatic detection methods. Previous research found that about 75% of the malware samples studied did not react in a fully automatic environment without user intervention and thus remained undetectable. This paper introduces a near-automated solution that detects malware quickly by relying on a supervision and control method built on user-level capabilities of the operating system. Improving on previous methods, this research can replace the need for debugging new malware in almost all aspects. The solution forces malware in automated environments to activate and become discoverable. Researcher intervention during malware code execution, together with the malware's intent as revealed by its calls to sensitive operating system functions and the parameters it passes, aids this process. Since the operating system functions are virtualized, malware is incapable of physically harming the system during execution. The solution reached 98% overall accuracy while reducing code size by 80% in comparison with similar techniques, improving simplicity and reliability.


Behnam Shamshirsaz received his B.Sc. degree in 2017 (IT engineering) from Azad University and M.Sc. (Computer Architecture) in 2019 from Kharazmi University, Tehran. His research interests include computer architecture and software security system design.

Seyyed Amir Asghari received his B.Sc. degree in 2007 (hardware engineering major), and M.Sc. and Ph.D. in 2009 and 2013 respectively (computer architecture major) from Amirkabir University of Technology. His current research interests include fault-tolerant design and real-time embedded system design. He has served as a faculty member in the Department of Electrical and Computer Engineering at Kharazmi University.

Mohammadreza Binesh Marvasti received the M.Sc. degree from the Department of ECE, University of Tehran, Iran, in 2007 and the Ph.D. degree in ECE from McMaster University, Canada, in 2013. His research interests include computer architecture, low-power digital design, FPGAs, approximate computing, and on-chip interconnection networks. He has served as a faculty member in the Department of Electrical and Computer Engineering at Kharazmi University.