
A survey of malware behavior description and analysis

  • Review
  • Published in Frontiers of Information Technology & Electronic Engineering

Abstract

Behavior-based malware analysis is an important technique for automatically analyzing and detecting malware, and it has received considerable attention from both academic and industrial communities. By considering how malware behaves, we can tackle the malware obfuscation problem, which cannot be processed by traditional static analysis approaches, and we can also derive the as-built behavior specifications and cover the entire behavior space of the malware samples. Although there have been several works focusing on malware behavior analysis, such research is far from mature, and no overviews have been put forward to date to investigate current developments and challenges. In this paper, we conduct a survey on malware behavior description and analysis considering three aspects: malware behavior description, behavior analysis methods, and visualization techniques. First, existing behavior data types and emerging techniques for malware behavior description are explored, especially the goals, principles, characteristics, and classifications of behavior analysis techniques proposed in the existing approaches. Second, the inadequacies and challenges in malware behavior analysis are summarized from different perspectives. Finally, several possible directions are discussed for future research.



Author information

Correspondence to Bo Yu.

Additional information

Project supported by the National Natural Science Foundation of China (No. 61472437)


Cite this article

Yu, B., Fang, Y., Yang, Q. et al. A survey of malware behavior description and analysis. Frontiers Inf Technol Electronic Eng 19, 583–603 (2018). https://doi.org/10.1631/FITEE.1601745
