A comparison between API call sequences and opcode sequences as reflectors of malware behavior
Abstract
The volume of malware detected annually is increasing exponentially, and malware programs are written in such a way that they can often escape detection tools. Some can even modify themselves and alter their appearance for each infection. For malware detection it is therefore important to analyze malware behavior, and application programming interface (API) call sequences and operational code (opcode) sequences usefully reflect the behavior of malware. Moreover, a hidden Markov model (HMM) is a robust learning model for malware detection. In this work, we therefore compared API call sequences and opcode sequences using the HMM learning model. The results showed that learning from API call sequences is more accurate than learning from opcode sequences. We conclude that API call sequences are therefore better for malware detection.
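To make the HMM scoring step concrete, the following added example (not code from the paper) scores a trace of API call names with the forward algorithm and classifies it by a per-call log-likelihood ratio between a malware-trained and a benign-trained model. The vocabulary, both parameter sets and the two-model ratio are assumptions for illustration; the paper does not specify its model parameters.

```python
import math

# Constructed vocabulary of API call names (sample, not from the paper).
API_INDEX = {name: i for i, name in enumerate(
    ["CreateFileW", "WriteFile", "RegSetValueExW",
     "VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread"])}

# Two toy 2-state HMMs as (pi, A, B) with made-up parameters. In practice each
# would be fitted (e.g. Baum-Welch) to traces of its class. Rows of A and B sum to 1.
MALWARE_HMM = (
    [0.5, 0.5],
    [[0.7, 0.3], [0.3, 0.7]],
    [[0.30, 0.25, 0.25, 0.10, 0.05, 0.05],   # state 0: file/registry set-up
     [0.05, 0.05, 0.05, 0.30, 0.30, 0.25]],  # state 1: process-injection-like
)
BENIGN_HMM = (
    [0.5, 0.5],
    [[0.8, 0.2], [0.4, 0.6]],
    [[0.45, 0.40, 0.09, 0.03, 0.02, 0.01],   # state 0: ordinary file I/O
     [0.20, 0.20, 0.50, 0.05, 0.03, 0.02]],  # state 1: configuration writes
)

def _logsumexp(xs):
    m = max(xs)
    return m + math.log(sum(math.exp(x - m) for x in xs))

def log_likelihood(calls, hmm):
    """Forward algorithm in log space: log P(calls | hmm).
    Empty traces and API names outside the vocabulary are rejected, not silently scored."""
    pi, a, b = hmm
    if not calls:
        raise ValueError("empty trace")
    try:
        obs = [API_INDEX[c] for c in calls]
    except KeyError as e:
        raise ValueError(f"unknown API symbol {e.args[0]!r}") from None
    states = range(len(pi))
    alpha = [math.log(pi[s]) + math.log(b[s][obs[0]]) for s in states]
    for o in obs[1:]:  # alpha[s] = log P(o_1..o_t, state_t = s)
        alpha = [math.log(b[s][o]) + _logsumexp([alpha[r] + math.log(a[r][s]) for r in states])
                 for s in states]
    return _logsumexp(alpha)

def score(calls):
    """Per-call log-likelihood ratio: positive means the trace fits the malware model
    better. Dividing by length keeps traces of different lengths comparable."""
    return (log_likelihood(calls, MALWARE_HMM) - log_likelihood(calls, BENIGN_HMM)) / len(calls)

def classify(calls, threshold=0.0):
    return "malware" if score(calls) > threshold else "benign"
```

The same functions score opcode sequences unchanged if the vocabulary is replaced by opcode mnemonics, which is how the two feature types can be compared under one model.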