MAAR: Robust features to detect malicious activity based on API calls, their arguments and return values

Basically malware detection techniques are either: static analysis or dynamic analysis. Static analysis explores malware code without executing it while dynamic analysis relies on run-time values. Static analysis suffers from obfuscation but dynamic analysis is less sensitive to code obfuscation. In this paper, a new dynamic malware feature selection method is proposed that mainly is based on novel feature generation. Similar to other dynamic methods, each binary is run in a controlled environment. The arguments and return values of each respective API call are recorded. Features are constructed based on the name of API calls and each argument and/or return value recorded during runtime. A selected set of features have such a discriminative capability that can be used to classify with an accuracy of 99.4% and a false positive rate less than one percent on a 1211 malware and benign PEs dataset. Features are so robust that even on much larger datasets containing new families of malware accuracy of 96.3% on a 3175 new samples with the selected features of the first experiment is obtained. This setting proves the features can present malicious activity irrespective of dataset families. List of executables, source code and execution traces can be found at: http://home.shirazu.ac.ir/~sami/malware