A Survey on Malware Analysis Techniques: Static, Dynamic, Hybrid and Memory Analysis

Rami Sihwail, Khairuddin Omar, Khairul Akram Zainol Ariffin


Now a day the threat of malware is increasing rapidly. A software that sneaks to your computer system without your knowledge with a harmful intent to disrupt your computer operations. Due to the vast number of malware, it is impossible to handle malware by human engineers. Therefore, security researchers are taking great efforts to develop accurate and effective techniques to detect malware. This paper presents a semantic and detailed survey of methods used for malware detection like signature-based and heuristic-based. The Signature-based technique is largely used today by anti-virus software to detect malware, is fast and capable to detect known malware. However, it is not effective in detecting zero-day malware and it is easily defeated by malware that use obfuscation techniques. Likewise, a considerable false positive rate and high amount of scanning time are the main limitations of heuristic-based techniques. Alternatively, memory analysis is a promising technique that gives a comprehensive view of malware and it is expected to become more popular in malware analysis. The main contributions of this paper are: (1) providing an overview of malware types and malware detection approaches, (2) discussing the current malware analysis techniques, their findings and limitations, (3) studying the malware obfuscation, attacking and anti-analysis techniques, and (4) exploring the structure of memory-based analysis in malware detection. The detection approaches have been compared with each other according to their techniques, selected features, accuracy rates, and their advantages and disadvantages. This paper aims to help the researchers to have a general view of malware detection field and to discuss the importance of memory-based analysis in malware detection.


Malicious, Malware Detection Method, Feature, Behavior Based, Memory Analysis, Security.

Full Text:



AV-TEST, “The AV-TEST Security Report,†2017. [Online]. Available: https://www.av-test.org/fileadmin/pdf/security_report/AV-TEST_Security_Report_2016-2017.pdf.

C. T. Lin, N. J. Wang, H. Xiao, and C. Eckert, “Feature selection and extraction for malware classification,†J. Inf. Sci. Eng., vol. 31, no. 3, pp. 965–992, 2015.

R. Mosli, R. Li, B. Yuan, and Y. Pan, “Automated malware detection using artifacts in forensic memory images,†in 2016 IEEE Symposium on Technologies for Homeland Security, HST 2016, 2016, pp. 1–6.

M. Karresand, “Separating Trojan horses, viruses, and worms - A proposed taxonomy of software weapons,†in IEEE Systems, Man and Cybernetics Society Information Assurance Workshop, 2003, pp. 127–134.

X. Wang, W. Yu, A. Champion, X. Fu, and D. Xuan, “Detecting worms via mining dynamic program execution,†in Proceedings of the 3rd International Conference on Security and Privacy in Communication Networks, SecureComm, 2007, pp. 412–421.

Y. Ye, T. Li, D. Adjeroh, and S. S. Iyengar, “A Survey on Malware Detection Using Data Mining Techniques,†ACM Comput. Surv., vol. 50, no. 3, pp. 1–40, 2017.

A. Zaki and B. Humphrey, “Unveiling the kernel : Rootkit discovery using selective automated kernel memory differencing,†Virus Bull., no. September, pp. 239–256, 2014.

N. Scaife, H. Carter, P. Traynor, and K. R. B. Butler, “CryptoLock (and Drop It): Stopping Ransomware Attacks on User Data,†in Proceedings - International Conference on Distributed Computing Systems, 2016, vol. 2016–Augus, pp. 303–312.

G. A. N. Mohamed and N. B. Ithnin, “Survey on Representation Techniques for Malware Detection System,†Am. J. Appl. Sci., vol. 14, no. 11, pp. 1049–1069, 2017.

M. Chowdhury and A. Rahman, “Malware Analysis and Detection Using Data Mining and Machine Learning Classificatio,†in International Conference on Applications and Techniques in Cyber Security and Intelligence, 2018, vol. 580, pp. 266–274.

A. Damodaran, F. Di Troia, C. A. Visaggio, T. H. Austin, and M. Stamp, “A comparison of static, dynamic, and hybrid analysis for malware detection,†J. Comput. Virol. Hacking Tech., vol. 13, no. 1, pp. 1–12, 2017.

A. Souri and R. Hosseini, “A state-of-the-art survey of malware detection approaches using data mining techniques,†Human-centric Computing and Information Sciences, vol. 8, no. 1. 2018.

M. Alazab, S. Venkataraman, and P. Watters, “Towards understanding malware behaviour by the extraction of API calls,†Proc. - 2nd Cybercrime Trust. Comput. Work. CTC 2010, no. July 2009, pp. 52–59, 2010.

Z. Bazrafshan, H. Hashemi, S. M. H. Fard, and A. Hamzeh, “A survey on heuristic malware detection techniques,†in IKT 2013 - 2013 5th Conference on Information and Knowledge Technology, 2013, pp. 113–120.

I. You and K. Yim, “Malware obfuscation techniques: A brief survey,†in Proceedings - 2010 International Conference on Broadband, Wireless Computing Communication and Applications, BWCCA 2010, 2010, pp. 297–300.

W. Wong and M. Stamp, “Hunting for metamorphic engines,†J. Comput. Virol., vol. 2, no. 3, pp. 211–229, 2006.

M. Hafiz, M. Yusof, and M. R. Mokhtar, “A Review of Predictive Analytic Applications of Bayesian Network,†Int. J. Adv. Sci. Eng. Inf. Technol., vol. 6, no. 6, pp. 857–867, 2016.

S. N. Das, M. Mathew, and P. K. Vijayaraghavan, “An Approach for Optimal Feature Subset Selection using a New Term Weighting Scheme and Mutual Information,†Int. J. Adv. Sci. Eng. Inf. Technol., vol. 1, no. 3, pp. 273–278, 2011.

D. Ucci, L. Aniello, and R. Baldoni, “Survey on the Usage of Machine Learning Techniques for Malware Analysis,†arXiv Prepr. arXiv1710.08189, pp. 1–67, 2018.

E. Gandotra, D. Bansal, and S. Sofat, “Malware Analysis and Classification: A Survey,†J. Inf. Secur., vol. 05, no. 02, pp. 56–64, 2014.

T. Abou-Assaleh, N. Cercone, V. Keselj, and R. Sweidan, “N-gram-based detection of new malicious code,†Proc. 28th Annu. Int. Comput. Softw. Appl. Conf. 2004. COMPSAC 2004., vol. 2, no. 1, pp. 41–42, 2004.

D. Kirat and G. Vigna, “MalGene,†in Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security - CCS ’15, 2015, pp. 769–780.

H. Hashemi and A. Hamzeh, “Visual malware detection using local malicious pattern,†Journal of Computer Virology and Hacking Techniques, pp. 1–14, 2018.

S. Z. M. Shaid and M. A. Maarof, “Malware behaviour visualization,†J. Teknol., vol. 70, no. 5, pp. 25–33, 2014.

Z. Salehi, A. Sami, and M. Ghiasi, “Using feature generation from API calls for malware detection,†Comput. Fraud Secur., vol. 2014, no. 9, pp. 9–18, 2014.

K. S. Han, I. K. Kim, and E. G. Im, “Malware classification methods using API sequence characteristics,†in Lecture Notes in Electrical Engineering, 2012, vol. 120 LNEE, pp. 613–626.

Y. Cheng, W. Fan, W. Huang, and J. An, “A Shellcode Detection Method Based on Full Native API Sequence and Support Vector Machine,†in IOP Conference Series: Materials Science and Engineering, 2017, vol. 242, no. 1, pp. 1–7.

I. Santos, F. Brezo, X. Ugarte-Pedrero, and P. G. Bringas, “Opcode sequences as representation of executables for data-mining-based unknown malware detection,†Inf. Sci. (Ny)., vol. 231, pp. 64–82, 2013.

A. Mohaisen and O. Alrawi, “Unveiling Zeus: automated classification of malware samples,†Proc. 22nd Int. Conf. World Wide Web companion, pp. 829–832, 2013.

A. Mohaisen, O. Alrawi, and M. Mohaisen, “AMAL: High-fidelity, behavior-based automated malware analysis and classification,†Comput. Secur., vol. 52, pp. 251–266, 2015.

Q. Chen and R. A. Bridges, “Automated Behavioral Analysis of Malware A Case Study of WannaCry Ransomware,†arXiv Prepr. arXiv1709.08753, pp. 1–9, 2017.

G. Liang, J. Pang, and C. Dai, “A Behavior-Based Malware Variant Classification Technique,†Int. J. Inf. Educ. Technol., vol. 6, pp. 291–295, 2016.

H. S. Galal, Y. B. Mahdy, and M. A. Atiea, “Behavior-based features model for malware detection,†J. Comput. Virol. Hacking Tech., vol. 12, no. 2, pp. 59–67, 2016.

Y. Ki, E. Kim, and H. K. Kim, “A novel approach to detect malware based on API call sequence analysis,†Int. J. Distrib. Sens. Networks, vol. 2015, no. 6: 659101, pp. 1–9, 2015.

C.-I. Fan, H.-W. Hsiao, C.-H. Chou, and Y.-F. Tseng, “Malware Detection Systems Based on API Log Data Mining,†in 2015 IEEE 39th Annual Computer Software and Applications Conference, 2015, pp. 255–260.

D. Song et al., “BitBlaze: A new approach to computer security via binary analysis,†in Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), 2008, vol. 5352 LNCS, pp. 1–25.

U. Bayer et al., “Dynamic analysis of malicious code,†J Comput Virol, vol. 2, pp. 67–77, 2006.

M. Egele, T. Scholte, E. Kirda, and C. Kruegel, “A survey on automated dynamic malware-analysis techniques and tools,†ACM Comput. Surv., vol. 44, no. 2, pp. 1–42, 2012.

Microsoft Azure, “What is a virtual machine?,†2018. [Online]. Available: https://azure.microsoft.com/en-in/overview/what-is-a-virtual-machine/.

M. Sikorski and A. Honig, Practical malware analysis: the hands-on guide to dissecting malicious software. no starch press. 2012.

X. Chen, J. Andersen, Z. Morley Mao, M. Bailey, and J. Nazario, “Towards an understanding of anti-virtualization and anti-debugging behavior in modern malware,†in Proceedings of the International Conference on Dependable Systems and Networks, 2008, pp. 177–186.

M. Eskandari, Z. Khorshidpour, and S. Hashemi, “HDM-Analyser: a hybrid analysis approach based on data mining techniques for malware detection,†J. Comput. Virol. Hacking Tech., vol. 9, no. 2, pp. 77–93, 2013.

P. V. Shijo and A. Salim, “Integrated static and dynamic analysis for malware detection,†in Procedia Computer Science, 2015, vol. 46, pp. 804–811.

R. Islam, R. Tian, L. M. Batten, and S. Versteeg, “Classification of malware based on integrated static and dynamic features,†Journal of Network and Computer Applications, vol. 36, no. 2. pp. 646–656, 2013.

X. Ma, Q. Biao, W. Yang, and J. Jiang, “Using multi-features to reduce false positive in malware classification,†in Proceedings of 2016 IEEE Information Technology, Networking, Electronic and Automation Control Conference, ITNEC 2016, 2016, vol. 3, pp. 361–365.

I. Santos, J. Devesa, F. Brezo, J. Nieves, and P. G. Bringas, “OPEM: A static-dynamic approach for machine-learning-based malware detection,†in Advances in Intelligent Systems and Computing, 2013, vol. 189 AISC, pp. 271–280.

C. Rathnayaka and A. Jamdagni, “An efficient approach for advanced malware analysis using memory forensic technique,†Proc. - 16th IEEE Int. Conf. Trust. Secur. Priv. Comput. Commun. 11th IEEE Int. Conf. Big Data Sci. Eng. 14th IEEE Int. Conf. Embed. Softw. Syst., pp. 1145–1150, 2017.

J. Stüttgen and M. Cohen, “Anti-forensic resilient memory acquisition,†in Digital Investigation, 2013, vol. 10, no. SUPPL., pp. 105–115.

C. W. Tien, J. W. Liao, S. C. Chang, and S. Y. Kuo, “Memory forensics using virtual machine introspection for Malware analysis,†in 2017 IEEE Conference on Dependable and Secure Computing, 2017, pp. 518–519.

T. Teller and A. Hayon, “Enhancing Automated Malware Analysis Machines with Memory Analysis Report,†Black Hat USA, 2014.

and K.-W. P. Choi, Sang-Hoon, Yu-Seong Kim, “Toward Semantic Gap-less Memory Dump for Malware Analysis,†ICNGC Conf., pp. 1–4, 2016.

R. Mosli, R. Li, B. Yuan, and Y. Pan, “A behavior-based approach for malware detection,†in IFIP Advances in Information and Communication Technology, 2017, vol. 511, pp. 187–201.

G. Willems, T. Holz, and F. Freiling, “Toward automated dynamic malware analysis using CWSandbox,†IEEE Security and Privacy, vol. 5, no. 2. pp. 32–39, 2007.

M. H. Ligh, S. Adair, B. Hartstein, and M. Richard, Malware analyst’s cookbook and DVD: tools and techniques for fighting malicious code. Wiley Publishing, 2011.

Adlice Software, “Rootkits hooks,†2014. [Online]. Available: https://www.adlice.com/.

S. Kim, J. Park, K. Lee, I. You, and K. Yim, “A Brief Survey on Rootkit Techniques in Malicious Codes,†J. Internet Serv. Inf. Secur., vol. 3, no. 4, pp. 134–147, 2012.

A. Hosseini, “Ten Process Injection Techniques: A Technical Survey Of Common And Trending Process Injection Techniques,†2017. [Online]. Available: https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process.

J. Berdajs and Z. Bosni??, “Extending applications using an advanced approach to DLL injection and API hooking,†Softw. - Pract. Exp., vol. 40, no. 7, pp. 567–584, 2010.

J. Butler, J. L. Undercoffer, and J. Pinkston, “Hidden processes: The implication for intrusion detection,†in IEEE Systems, Man and Cybernetics Society Information Assurance Workshop, 2003, pp. 116–121.

S. T. Jones, A. C. Arpaci-Dusseau, and R. H. Arpaci-Dusseau, “VMM-based hidden process detection and identification using Lycosid,†in Proceedings of the fourth ACM SIGPLAN/SIGOPS international conference on Virtual execution environments - VEE ’08, 2008, pp. 91–100.

A. Schuster, “Searching for processes and threads in Microsoft Windows memory dumps,†Digit. Investig., vol. 3, no. SUPPL., pp. 10–16, 2006.

K. Lee, H. Hwang, K. Kim, and B. N. Noh, “Robust bootstrapping memory analysis against anti-forensics,†Digit. Investig., vol. 18, pp. S23–S32, 2016.

A. Moser, C. Kruegel, and E. Kirda, “Limits of static analysis for malware detection,†in Proceedings - Annual Computer Security Applications Conference, ACSAC, 2007, pp. 421–430.

J. Okolica and G. Peterson, “A compiled memory analysis tool,†in IFIP Advances in Information and Communication Technology, 2010, vol. 337 AICT, pp. 195–204.

V. ATLURI, Anoop Chowdary; TRAN, Botnets threat analysis and detection. Cham, 2017.

Endgame, “Ember,†2018. [Online]. Available: https://www.endgame.com/blog/technical-blog/introducing-ember-open-source-classifier-and-dataset.

Microsoft, “Microsoft Malware Classification Challenge (BIG 2015),†2015. [Online]. Available: https://www.kaggle.com/c/malware-classification.

DOI: http://dx.doi.org/10.18517/ijaseit.8.4-2.6827


  • There are currently no refbacks.

Published by INSIGHT - Indonesian Society for Knowledge and Human Development