Security and Communication Networks

Research Article

Using a Subtractive Center Behavioral Model to Detect Malware

Sample malware execution trace and behaviors (list is abbreviated).


Action call	System path	Extracted behavior

NtCreateFile	“c:\windows\...\sfile₁.exe,” malware.exe ⟶ 1	CreateFile (1)
NtCreateFile	“c:\programfiles\...\,” malware.exe ⟶ 2	none
NtQueryDirectory	2, “c:\programfiles\...\,” malware.exe ⟶ 3	SearchDirectory (2)
NtReadFile	3, “c:\...\tfile₁.txt,” malware.exe ⟶ 4	ReadFile (3)
NtReadFile	3, “c:\...\tfile₂.exe,” malware.exe ⟶ 5	ReadFile (3)
NtCloseFile	4, “tfile₁.txt,” malware.exe ⟶ 6	none
NtWriteFile	1, “sfile₁.exe,” malware.exe ⟶ 7	WriteFile (1)
NtReadFile	7, “sfile₁.exe,” malware.exe ⟶ 8	ReadFile (7)
NtWriteFile	5, “tfile₂.exe,” sfile₁.exe ⟶ 9	WriteFile (5)
NtCreateKey	“hklm\software\...\, key₁,” tfile₂.exe ⟶ 10	none
NtSetValue	10, “key₁,” tfile₂.exe ⟶ 11	SetValue (10)
NtRegCloseKey	11, “key₁,” tfile₂.exe ⟶ 12	none
NtCreateFile	“c:\windows\...\stfile₁.dll,” tfile₂.exe ⟶ 13	none
NtCreateFile	“c:\windows\...\stfile₂.dll,” tfile₂.exe ⟶ 14	none
NtCloseFile	8, “sfile₁.exe,” malware.exe ⟶ 15	none
NtReadFile	13, “stfile₁.dll,” tfile₂.exe ⟶ 16	ReadFile (13)
NtReadFile	13, “stfile₁.dll,” tfile₂.exe ⟶ 17	ReadFile (13)
NtReadFile	14, “stfile₂.dll,” tfile₂.exe ⟶ 18	ReadFile (14)
NtCloseFile	17, “stfile₁.dll,” tfile₂.exe ⟶ 19	none
NtCloseFile	18, “stfile₂.dll,” tfile₂.exe ⟶ 20	none
NtCloseFile	9, “tfile₂.exe,” tfile₂.exe ⟶ 21	none