10th EAI International Conference on Communications and Networking in China

Research Article

Mal-EVE Static Detection Model for Evasive Malware

  • @INPROCEEDINGS{10.4108/eai.15-8-2015.2260602,
        author={Charles Lim and Nicsen .},
        title={Mal-EVE Static Detection Model for Evasive Malware},
        proceedings={10th EAI International Conference on Communications and Networking in China},
        keywords={malware evasion techniques packer anti-debugging anti-virtualization},
  • Charles Lim
    Nicsen .
    Year: 2015
    Mal-EVE Static Detection Model for Evasive Malware
    DOI: 10.4108/eai.15-8-2015.2260602
Charles Lim1,*, Nicsen .1
  • 1: Swiss German University
*Contact email: Charles.lims@gmail.com


The rapid growth of malware requires effective, automated, and accurate ways in analyzing and detecting it. Nowadays, malware not only have offensive characteristic, but also defensive ability to obfuscate itself to be analyzed or detected. It is more effective if these techniques can be identified before analyzing them. This research focuses on designing an effective, automated, and accurate model to detect evasive malware. A prototype is made to test the design. This prototype contains the most frequently evasion techniques used by malware: packer, anti debugging, and anti virtualization. In detecting packer, features of malware are extracted and scored based on the predefined risk and weight of each feature. Threshold of the score is set to determine whether the malware is packed or not. For detecting anti debugging and anti virtualization, several heuristic patterns are gathered and utilized. These capabilities are integrated into our static detection model for evasive malware. The model is able to provide an accuracy of 98.16 percent in determining packed malware with a false positive rate of 1.45 percent. The average time for processing a file that has size below 100 kilobyte is 3.2 second.