Scientific and Technical Journal

ELECTROTECHNIC AND COMPUTER SYSTEMS

ISSN Print 2221-3937
ISSN Online 2221-3805
FORMING OF THE PROGRAM'S BEHAVIOR SIGNATURE BASED ON THE API CALL TRACING
Abstract:

The paper proposes a method of forming a signature of a virus program based on API call tracing. The resulting signature is compact and makes it possible not only to assign the virus program to one of the classes of viruses, but also to determine its modification. An approach is proposed that allows detection of a virus program represented by the developed signature. For experimental research, the developed method is implemented in a distributed multilevel system for detecting malicious software in local area computer networks.

To implement the virus detection process, a system has been developed that consists of three main components: the signature of the virus program, the signature database, and the detection method, which compares the signature of the virus against the database of signatures.

The signature of a program's behavior based on API call tracing can be represented as a set of two components: the call frequency and the nature of the interaction of critical API calls. Analysis of the first component makes it possible to determine the distribution of critical API calls across groups of harmful activity and provides the quantitative component of the signature. The second component maps the nature of the interaction of the critical API functions that characterize a virus program into a vector space and describes the relationships between those functions. Analysis of the second component makes it possible to distinguish virus programs from useful applications not only by the presence of critical API calls, but also by the way those calls interact with each other.
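The following added example (not code from the paper) builds the two-component signature described above from an API call trace and matches it against a small signature database, as the three-component detection system outlined earlier. The grouping of critical API calls into harmful-activity groups, the use of directed call-to-call transitions as the interaction component, cosine similarity as the comparison measure, the family names and the traces themselves are all assumptions constructed for illustration.

```python
import math
from collections import Counter

# Constructed grouping of critical API calls into harmful-activity groups (assumption, not the paper's).
API_GROUPS = {
    "file": {"CreateFileW", "WriteFile", "DeleteFileW"},
    "network": {"socket", "connect", "send"},
    "process": {"CreateProcessW", "WriteProcessMemory", "CreateRemoteThread"},
    "registry": {"RegOpenKeyExW", "RegSetValueExW"},
}
CRITICAL = {api: grp for grp, apis in API_GROUPS.items() for api in apis}
GROUP_ORDER = sorted(API_GROUPS)

def signature(trace):
    """Two-component signature of an API call trace (list of API names in call order)."""
    crit = [api for api in trace if api in CRITICAL]           # keep only critical calls
    freq = Counter(CRITICAL[api] for api in crit)
    total = sum(freq.values()) or 1
    freq_vec = [freq[g] / total for g in GROUP_ORDER]          # quantitative component
    trans = Counter(zip(crit, crit[1:]))                       # directed call-to-call transitions
    inter = {pair: c / (len(crit) - 1) for pair, c in trans.items()}  # interaction component
    return freq_vec, inter

def similarity(sig_a, sig_b):
    """Cosine similarity over the concatenated frequency and interaction vectors."""
    fa, ia = sig_a
    fb, ib = sig_b
    keys = sorted(set(ia) | set(ib))
    va = fa + [ia.get(k, 0.0) for k in keys]
    vb = fb + [ib.get(k, 0.0) for k in keys]
    dot = sum(x * y for x, y in zip(va, vb))
    na, nb = math.sqrt(sum(x * x for x in va)), math.sqrt(sum(x * x for x in vb))
    return dot / (na * nb) if na and nb else 0.0

def classify(trace, database, threshold=0.8):
    """Best-matching (family, score) from the signature database, or None below threshold."""
    sig = signature(trace)
    scored = [(fam, similarity(sig, s)) for fam, s in database.items()]
    best = max(scored, key=lambda t: t[1], default=None)
    return best if best and best[1] >= threshold else None

# Constructed traces standing in for an API monitor log; family names are hypothetical.
DATABASE = {
    "injector_family": signature(["CreateProcessW", "WriteProcessMemory",
                                  "CreateRemoteThread", "CloseHandle"]),
    "dropper_family": signature(["CreateFileW", "WriteFile", "RegOpenKeyExW", "RegSetValueExW"]),
}
SAMPLE = ["LoadLibraryW", "CreateProcessW", "WriteProcessMemory", "CreateRemoteThread"]
BENIGN = ["CreateFileW", "ReadFile", "CloseHandle"]
REVERSED = ["CreateRemoteThread", "WriteProcessMemory", "CreateProcessW"]  # same calls, other order
```

REVERSED has exactly the same frequency component as SAMPLE, so only the interaction component lowers its score against the injector signature; that is the distinction the second component is meant to provide.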

A number of experimental studies were carried out to determine the accuracy of the proposed method for detecting virus programs using the developed signature. Programs from the Delf, Bifrose and MyDoom virus families were used as test data. The best detection rate was obtained for MyDoom virus programs (accuracy of 93%) using the J48 binary classification algorithm.
