Research Article
Mal-EVE Static Detection Model for Evasive Malware
@INPROCEEDINGS{10.4108/eai.15-8-2015.2260602,
  author={Charles Lim and Nicsen .},
  title={Mal-EVE Static Detection Model for Evasive Malware},
  proceedings={10th EAI International Conference on Communications and Networking in China},
  publisher={IEEE},
  proceedings_a={CHINACOM},
  year={2015},
  month={9},
  keywords={malware evasion techniques packer anti-debugging anti-virtualization},
  doi={10.4108/eai.15-8-2015.2260602}
}
- Charles Lim
- Nicsen .
Year: 2015
Title: Mal-EVE Static Detection Model for Evasive Malware
Venue: CHINACOM
Publisher: IEEE
DOI: 10.4108/eai.15-8-2015.2260602
Abstract
The rapid growth of malware requires effective, automated, and accurate ways of analyzing and detecting it. Nowadays, malware not only has offensive characteristics but also defensive abilities: it obfuscates itself to avoid being analyzed or detected. Analysis is more effective if these evasion techniques can be identified beforehand. This research focuses on designing an effective, automated, and accurate model to detect evasive malware. A prototype was built to test the design. The prototype covers the evasion techniques most frequently used by malware: packing, anti-debugging, and anti-virtualization. To detect packing, features of the malware are extracted and scored according to a predefined risk and weight for each feature; a threshold on the total score determines whether the sample is packed or not. To detect anti-debugging and anti-virtualization, several heuristic patterns are gathered and applied. These capabilities are integrated into our static detection model for evasive malware. The model achieves an accuracy of 98.16 percent in determining whether malware is packed, with a false positive rate of 1.45 percent. The average time to process a file smaller than 100 kilobytes is 3.2 seconds.