Article code: 380336
Journal code: 1437435
Publication year: 2015
English article: 12 pages
Full-text version: PDF, free download
English title of the ISI article
Dynamic VSA: a framework for malware detection based on register contents
Related topics
Engineering and Basic Sciences > Computer Engineering > Artificial Intelligence
English abstract

The number of malware files increases every day because of existing obfuscation techniques. Researchers recently pursued dynamic analysis to extract the runtime behavior of programs to detect new malware variants. A method is proposed to find similarities of run-time behaviors based on the assumption that binary behaviors affect register values differently. The idea has been explored in static settings known as VSA, where run-time values were estimated statically. VSA is extended into a dynamic setting in this research, where actual run-time values are used to approximate all the possible values. Due to the large number of values obtained for each binary in every register at run-time, a small representative set, a.k.a. prototypes, is extracted. Unknown files are classified based on comparison to these prototypes only. Experimental results showed that the proposed method outperformed commercial Anti-Virus applications on the dataset used and reached a classification accuracy of 95.9% with 4.5% false positives. The list of execution traces and the dataset can be found at: http://home.shirazu.ac.ir/~sami/malware.

Publisher
Database: Elsevier - ScienceDirect
Journal: Engineering Applications of Artificial Intelligence - Volume 44, September 2015, Pages 111–122