Abstract— In computer security, protecting systems against malware has become a main concern of individuals and companies. Unfortunately, existing anti-malware systems have so far been unable to provide efficient protection. However, a new generation of powerful malware detection techniques has emerged. One of these techniques is based on the static analysis of the API functions called by a program in order to detect any suspicious behavior. In this paper we provide a method to extract the existing associations between the API functions imported by malware code under the Microsoft Windows environment. The main goal of this work is to be able to determine, with a high degree of confidence, which Windows APIs, and which associations between them, are most likely used by malware. For that purpose we have used a well-known and powerful statistical method, Multiple Correspondence Analysis (MCA). We applied MCA to a set of APIs that were extracted a priori from a large dataset of malware and clean portable executable (PE) files. To our knowledge, this is the first work to have used factorial analysis to determine API associations in malware. We assume that this allows more accurate behavior-based malware detection.
Index Terms— Malware, malware analysis, multiple correspondence analysis (MCA), Windows API.
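As an added illustration (not the paper's own code) of the data MCA operates on: constructed per-file import lists are turned into the complete disjunctive table and the Burt matrix, and API pairs are ranked by the chi-square standardised residual whose decomposition yields the MCA axes. The file names, API sets and the `ranked_api_associations` helper are constructed for this example, not taken from the paper's dataset.

```python
# Added example: indicator table, Burt matrix and standardised residuals
# that Multiple Correspondence Analysis (MCA) decomposes. Not the paper's code.
from itertools import combinations
from math import sqrt

# Constructed sample data (illustrative only): file -> set of imported API names.
SAMPLES = {
    "mal_1": {"CreateRemoteThread", "WriteProcessMemory", "VirtualAllocEx", "OpenProcess"},
    "mal_2": {"WriteProcessMemory", "VirtualAllocEx", "OpenProcess", "GetProcAddress"},
    "mal_3": {"CreateRemoteThread", "OpenProcess", "GetProcAddress"},
    "clean_1": {"CreateFileW", "ReadFile", "CloseHandle", "GetProcAddress"},
    "clean_2": {"CreateFileW", "WriteFile", "CloseHandle"},
}

def api_vocabulary(samples):
    """All API names seen across the dataset, in a fixed column order."""
    return sorted(set().union(*samples.values()))

def disjunctive_table(samples, apis):
    """Complete disjunctive table Z: one row per file and, for every API, two 0/1
    columns (imported, not imported); each API is a two-category variable."""
    table = []
    for imports in samples.values():
        row = []
        for api in apis:
            present = api in imports
            row += [int(present), int(not present)]
        table.append(row)
    return table

def burt_matrix(table):
    """Burt matrix B = Z^T Z: co-occurrence counts for every pair of categories."""
    k = len(table[0])
    return [[sum(r[i] * r[j] for r in table) for j in range(k)] for i in range(k)]

def standardised_residuals(burt, n_files):
    """(observed - expected) / sqrt(expected), expected = n_i * n_j / N under
    independence; large positive cells mark positively associated categories."""
    k = len(burt)
    freq = [burt[i][i] for i in range(k)]  # category frequencies n_i (binary Z)
    res = [[0.0] * k for _ in range(k)]
    for i in range(k):
        for j in range(k):
            exp = freq[i] * freq[j] / n_files
            res[i][j] = (burt[i][j] - exp) / sqrt(exp) if exp else 0.0
    return res

def ranked_api_associations(samples):
    """Rank API pairs by the residual between their 'imported' categories
    (column 2*i of Z); ties are broken by name for a stable ordering."""
    apis = api_vocabulary(samples)
    res = standardised_residuals(burt_matrix(disjunctive_table(samples, apis)), len(samples))
    pairs = [((a, b), round(res[2 * i][2 * j], 3))
             for (i, a), (j, b) in combinations(enumerate(apis), 2)]
    return sorted(pairs, key=lambda p: (-p[1], p[0]))
```

A full MCA would continue by taking the SVD of the residual matrix to obtain factorial axes; the residuals alone already show which imports tend to appear together and which never do.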
The authors are with the Department of Computer Science, University of Skikda, Algeria (e-mail: belaoued.mohamed@gmail.com, mazouzi_smaine@yahoo.fr).
Cite: Mohamed Belaoued and Smaine Mazouzi, "An MCA Based Method for API Association Extraction for PE Malware Categorization," International Journal of Information and Electronics Engineering, vol. 5, no. 3, pp. 225-231, 2015.