Malware Analysis by Combining Multiple Detectors and Observation Windows

Bibliographic details

Published in: IEEE Transactions on Computers, vol. 71, no. 6, pp. 1276-1290
Author: Ficco, Massimo
Format: Journal Article
Language: English
Published: New York, IEEE, 01.06.2022
The Institute of Electrical and Electronics Engineers, Inc. (IEEE)
ISSN: 0018-9340, 1557-9956
Online access: Full text
Abstract Malware developers continually attempt to modify the execution pattern of malicious code and to hide it inside apparently normal applications, which makes its detection and classification challenging. This article proposes an ensemble detector that exploits the capabilities of the main analysis algorithms proposed in the literature, each designed to offer greater resilience to specific evasion techniques. In particular, the article presents different methods to optimally combine both generic and specialized detectors during the analysis process. Such combinations can be used to increase the unpredictability of the detection strategy, to improve the detection rate in the presence of unknown malware families, and to provide better detection performance without the constant re-training of the detector that is otherwise needed to cope with the evolution of malware. The paper also presents an alpha-count mechanism and explores how the length of the observation time window affects the detection accuracy and speed of different combinations of detectors during malware analysis. An extensive experimental campaign has been conducted on both an open-source sandbox and an Android smartphone with different malware datasets. A trade-off among performance, training time, and mean-time-to-detect is presented. Finally, a comparison with other ensemble detectors is also presented.
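The alpha-count filtering over observation windows that the abstract refers to, as an added example that is not the paper's own code: it applies the classic alpha-count rule (alpha decays by a factor K on a benign observation, grows by 1 on a suspicious one, and an alarm fires once alpha reaches the threshold alpha_T) to the combined verdict of several detectors per observation window, and measures the mean-time-to-detect on constructed traces. The detector names (api_seq, mem_dump), the traces, the window sizes and the K and threshold values are assumptions chosen for illustration; the paper's actual combination methods and parameters are not reproduced here.

```python
"""
Alpha-count over an ensemble of detectors, with observation windows.

Added example, not code from the paper. It uses the classic alpha-count
rule: on a benign window alpha is multiplied by K (0 < K < 1), on a
suspicious window it is incremented by 1, and an alarm fires once alpha
reaches the threshold. Detector names, the two-detector traces and every
number below are constructed sample data that only illustrate the mechanism.
"""
import random
from dataclasses import dataclass
from statistics import mean
from typing import Callable, Dict, List, Optional, Sequence

Tick = Dict[str, bool]   # detector name -> did it flag this tick?


@dataclass
class AlphaCount:
    k: float            # decay applied on a benign observation (0 < k < 1)
    threshold: float    # alarm when alpha >= threshold
    alpha: float = 0.0

    def update(self, suspicious: bool) -> bool:
        self.alpha = self.alpha + 1.0 if suspicious else self.alpha * self.k
        return self.alpha >= self.threshold


def all_detectors(names: Sequence[str]) -> Sequence[str]:
    """Default chooser: poll every detector in every window."""
    return names


def random_subset(seed: int, size: int) -> Callable[[Sequence[str]], Sequence[str]]:
    """Chooser that polls a random subset of detectors in each window, so an
    adversary cannot predict which detector is active (hypothetical policy)."""
    rng = random.Random(seed)
    return lambda names: rng.sample(list(names), size)


def combine_window(trace: Sequence[Tick], window: int, min_votes: int,
                   choose=all_detectors) -> List[bool]:
    """One combined verdict per window of `window` ticks: suspicious when at
    least `min_votes` of the polled detectors flagged any tick inside it."""
    out = []
    for start in range(0, len(trace), window):
        chunk = trace[start:start + window]
        polled = choose(list(chunk[0].keys()))
        votes = sum(1 for name in polled if any(t[name] for t in chunk))
        out.append(votes >= min_votes)
    return out


def time_to_detect(trace: Sequence[Tick], window: int, min_votes: int,
                   k: float, threshold: float, choose=all_detectors) -> Optional[int]:
    """Tick at which the alarm fires (end of the triggering window), or None."""
    ac = AlphaCount(k, threshold)
    for i, suspicious in enumerate(combine_window(trace, window, min_votes, choose)):
        if ac.update(suspicious):
            return (i + 1) * window
    return None


def mean_time_to_detect(traces: Sequence[Sequence[Tick]], window: int, min_votes: int,
                        k: float, threshold: float, choose=all_detectors) -> Optional[float]:
    """Mean-time-to-detect over malicious traces; None if any trace is missed."""
    times = [time_to_detect(t, window, min_votes, k, threshold, choose) for t in traces]
    if any(t is None for t in times):
        return None
    return mean(times)


def make_trace(length: int, api_from=None, mem_from=None, api_fp=()) -> List[Tick]:
    """Constructed verdicts of two hypothetical detectors: an API-sequence
    detector that reacts first and a memory-dump detector that lags behind."""
    return [{
        "api_seq": (api_from is not None and t >= api_from) or t in api_fp,
        "mem_dump": mem_from is not None and t >= mem_from,
    } for t in range(length)]


# Constructed sample: two malicious traces whose payload activates late, and
# one benign trace on which the API-sequence detector emits two isolated
# false positives (ticks 5 and 17) that the alpha-count should let decay.
MALICIOUS = [make_trace(40, api_from=20, mem_from=24),
             make_trace(40, api_from=10, mem_from=30)]
BENIGN = make_trace(40, api_fp=(5, 17))

if __name__ == "__main__":
    for window in (2, 4, 8):
        for votes in (1, 2):
            mttd = mean_time_to_detect(MALICIOUS, window, votes, k=0.5, threshold=2)
            alarm = time_to_detect(BENIGN, window, votes, k=0.5, threshold=2)
            print(f"window={window} min_votes={votes}: MTTD={mttd} benign alarm at={alarm}")
```

Running it shows the trade-off the abstract refers to: requiring two detectors to agree (min_votes=2) keeps the benign trace silent but lengthens the mean-time-to-detect, widening the window defers the alarm to the next window boundary, and the decay factor K lets isolated false positives fade before alpha reaches the threshold.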
Author: Ficco, Massimo (ORCID 0000-0003-4199-8199), massimo.ficco@unicampania.it, Department of Engineering, University of Campania Luigi Vanvitelli, Aversa, CE, Italy
Copyright The Institute of Electrical and Electronics Engineers, Inc. (IEEE) 2022
DOI 10.1109/TC.2021.3082002
Funding: Università degli Studi della Campania Luigi Vanvitelli (funder ID 10.13039/501100009448)
License https://ieeexplore.ieee.org/Xplorehelp/downloads/license-information/IEEE.html
Keywords: Algorithms; API sequence; correlation; deep learning; detection algorithms; detectors; diversity of detection algorithms; ensemble detector; feature extraction; malware; malware activation; malware detection; malware evasion; mean-time-to-detect; memory dump; observation windows; resilience; sensors; smartphones; switches; training; training time; windows (intervals)
URI https://ieeexplore.ieee.org/document/9435928
https://www.proquest.com/docview/2662099457