TY - JOUR
ID - 39137
TI - DyVSoR: dynamic malware detection based on extracting patterns from value sets of registers
JO - The ISC International Journal of Information Security
JA - ISECURE
LA - en
SN - 2008-2045
AU - Ghiasi, M.
AU - Sami, A.
AU - Salehi, Z.
AD - 
Y1 - 2013
PY - 2013
VL - 5
IS - 1
SP - 71
EP - 82
KW - Malware Detection
KW - API Call
KW - Dynamic analysis
KW - CPU Register Values
KW - x86 Registers Values
DO - 10.22042/isecure.2013.5.1.5
N2 - To control the exponential growth of malware files, security analysts pursue dynamic approaches that automatically identify and analyze malicious software samples. The obfuscation and polymorphism employed by malware make it difficult for signature-based systems to detect sophisticated malware files, so analysis of run-time behavior provides a better way to identify the threat. In this paper, a dynamic approach is proposed to extract features from binaries. The run-time behavior of the binary files was captured and recorded using a homemade tool that provides a controlled environment. The DyVSoR approach assumes that the run-time behavior of each binary can be represented by the values of the CPU registers. A method to compute the similarity between two binaries based on the value sets of the registers is presented: the register values are traced before and after each invoked API call in each binary and mapped to vectors. To detect an unknown file, it is enough to compare it with the dataset binaries by computing the distance between its register contents and those of all dataset binaries. This method detected malicious samples with 96.1% accuracy and a 4% false positive rate. The list of execution traces and the dataset are available at: http://home.shirazu.ac.ir/~sami/malware
UR - https://www.isecure-journal.com/article_39137.html
L1 - https://www.isecure-journal.com/article_39137_2ec12eb8dddec2ad8da9da145ee933b7.pdf
ER - 
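The pipeline the abstract describes (register snapshots around API calls, one value set per register, a distance between two binaries' value sets, nearest-neighbour verdict against a labelled dataset) as a small worked example. This is added illustration code, not the authors' tool or the paper's own vectorisation: the per-register Jaccard similarity, the pooling of before/after snapshots, the k-NN majority vote, the three-register subset (eax/ecx/edx) and the traces themselves are all constructed here as assumptions.

```python
"""Toy DyVSoR-style classifier (added example, not the paper's code).

Each sample's run-time behaviour is a trace of API calls with a snapshot of
x86 register values taken before and after each call.  The trace is mapped
to one value set per register, two samples are compared by averaging the
Jaccard similarity of their per-register value sets, and an unknown sample
takes the majority label of its k nearest dataset samples.  The Jaccard
metric, the pooling of before/after snapshots and the k-NN vote are
assumptions made here; the paper's own vectorisation is not reproduced.
"""
from collections import Counter, defaultdict
from typing import Dict, List, Set, Tuple

Regs = Dict[str, int]            # register name -> value
Event = Tuple[str, Regs, Regs]   # (API name, regs before call, regs after call)
Trace = List[Event]


def value_sets(trace: Trace) -> Dict[str, Set[int]]:
    """Collect every value seen in each register, before and after every API call."""
    sets: Dict[str, Set[int]] = defaultdict(set)
    for _api, before, after in trace:
        for snapshot in (before, after):
            for reg, val in snapshot.items():
                sets[reg].add(val)
    return sets


def jaccard(a: Set[int], b: Set[int]) -> float:
    """Jaccard similarity of two value sets; two empty sets count as identical."""
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


def distance(t1: Trace, t2: Trace) -> float:
    """1 - mean per-register Jaccard similarity (0.0 for identical traces)."""
    s1, s2 = value_sets(t1), value_sets(t2)
    regs = set(s1) | set(s2)
    sim = sum(jaccard(s1.get(r, set()), s2.get(r, set())) for r in regs) / len(regs)
    return 1.0 - sim


def nearest(unknown: Trace, dataset: List[Tuple[str, Trace]]) -> List[Tuple[float, str]]:
    """(distance, label) pairs for every dataset sample, closest first."""
    return sorted((distance(unknown, trace), label) for label, trace in dataset)


def classify(unknown: Trace, dataset: List[Tuple[str, Trace]], k: int = 3) -> str:
    """Majority label among the k nearest dataset samples."""
    votes = Counter(label for _d, label in nearest(unknown, dataset)[:k])
    return votes.most_common(1)[0][0]


# Constructed traces (not real captures).  Only eax/ecx/edx are shown to keep
# the example short; a real trace would carry all general-purpose registers.
def _inject(base: int, tid: int) -> Trace:
    """Process-injection-like call sequence; `base` is the remote buffer address."""
    return [
        ("VirtualAlloc", {"eax": 0x0, "ecx": 0x3000, "edx": 0x40}, {"eax": base, "ecx": 0x3000, "edx": 0x40}),
        ("WriteProcessMemory", {"eax": base, "ecx": 0x200, "edx": 0x0}, {"eax": 0x1, "ecx": 0x200, "edx": base}),
        ("CreateRemoteThread", {"eax": base, "ecx": 0x0, "edx": 0x0}, {"eax": tid, "ecx": 0x0, "edx": base}),
    ]


def _file_read(handle: int) -> Trace:
    """Ordinary file-read call sequence; `handle` is the opened file handle."""
    return [
        ("CreateFileW", {"eax": 0x80000000, "ecx": 0x1, "edx": 0x3}, {"eax": handle, "ecx": 0x1, "edx": 0x3}),
        ("ReadFile", {"eax": handle, "ecx": 0x1000, "edx": 0x0}, {"eax": 0x1, "ecx": 0x1000, "edx": 0x400}),
        ("CloseHandle", {"eax": handle, "ecx": 0x0, "edx": 0x0}, {"eax": 0x1, "ecx": 0x0, "edx": 0x0}),
    ]


DATASET: List[Tuple[str, Trace]] = [
    ("malicious", _inject(0x20000, 0x1A4)),
    ("malicious", _inject(0x30000, 0x1B0)),
    ("benign", _file_read(0x9C)),
    ("benign", _file_read(0xA0)),
]
UNKNOWN: Trace = _inject(0x50000, 0x1C8)   # same pattern, fresh addresses


def demo() -> str:
    """Verdict for the constructed unknown sample against the constructed dataset."""
    return classify(UNKNOWN, DATASET, k=3)


if __name__ == "__main__":
    for d, label in nearest(UNKNOWN, DATASET):
        print(f"{d:.3f}  {label}")
    print("verdict:", demo())
```

The unknown sample shares the constant argument values (allocation size, protection flags, zero handles) with the injection samples even though its buffer address and thread id differ, so it lands closer to them than to the file-read samples. That is also the weak point of a raw value-set feature: addresses and handles vary between runs and hosts, which is one reason the paper captures traces in its own controlled environment; a deployment would want to mask or bucket such values before building the sets.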