Authors:
(1) Simon R. Davies, School of Computing, Edinburgh Napier University, Edinburgh, UK (s.davies@napier.ac.uk);
(2) Richard Macfarlane, School of Computing, Edinburgh Napier University, Edinburgh, UK;
(3) William J. Buchanan, School of Computing, Edinburgh Napier University, Edinburgh, UK.
Table of Links
- Abstract and 1 Introduction
- 2. Related Work
- 3. Methodology and 3.1. File Content Analysis
- 3.2. File Name Analysis
- 3.3. Executable Analysis
- 3.4. Behaviour Analysis
- 4. Evaluation and Discussion
- 4.1. Majority Voting
- 5. Conclusion
- 5.1. Limitations
- 5.2. Future Work
- References and Appendix
5.2. Future Work
The results of the Windows API call analysis could likely be improved by further investigating which API calls are present, how frequently they occur, and where they are located within the file or in process memory. One area of further work would therefore be a deeper analysis of this aspect of the binaries and of volatile memory. Another would be to introduce a weighting element to the measurements, allowing some tests to have a greater influence than others on the final classification result.
Other types of test could also be analysed, for example: multiple-file read and write operations; large entropy differences between the data read and the data written; file tree traversal; privilege escalation; use of the cryptographic API; access to unusual domain names; generation of large volumes of network traffic; DGA detection [11, 66]; and the termination of a large number of processes.
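Two of the items above, the weighting of individual tests in the final vote and a read/write entropy-difference test, are concrete enough to sketch. The following is an added illustration written for this page, not code from the paper or its authors: a Shannon-entropy test that flags a process whose written data is markedly higher in entropy than the data it read (the in-place encryption pattern of crypto-ransomware), and a weighted vote that combines such per-test verdicts. The test names, the weights, the entropy threshold of 3 bits per byte, the 0.5 decision threshold and the sample buffers are all constructed assumptions; the paper's own majority-voting rule and weights may differ.

```python
"""Added example (not from the paper): a read/write entropy-delta test and a
weighted vote combining several per-test verdicts.

All test names, weights, thresholds and sample buffers below are constructed
assumptions for illustration; they are not values reported in the paper.
"""
import math
import random
from collections import Counter
from typing import Dict, Tuple


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 .. 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def entropy_delta_test(read_buf: bytes, write_buf: bytes,
                       min_delta: float = 3.0) -> Tuple[float, bool]:
    """Compare the entropy of what a process read with what it wrote back.

    Plaintext documents typically sit around 4-5 bits/byte; ciphertext is close
    to 8. A jump of at least `min_delta` bits/byte (an assumed threshold) is
    treated as a positive result for this test. Returns (delta, flagged).
    """
    delta = shannon_entropy(write_buf) - shannon_entropy(read_buf)
    return delta, delta >= min_delta


def weighted_vote(results: Dict[str, bool], weights: Dict[str, float],
                  decision_threshold: float = 0.5) -> Tuple[float, bool]:
    """Combine per-test booleans into a score in [0, 1] and a verdict.

    score = (sum of weights of tests that fired) / (sum of all weights), so a
    heavier weight lets one strong indicator outvote several weak ones.
    Tests without a weight are ignored rather than silently given weight 0.
    """
    named = [t for t in results if t in weights]
    total = sum(weights[t] for t in named)
    if total <= 0:
        raise ValueError("weights must sum to a positive value")
    score = sum(weights[t] for t in named if results[t]) / total
    return score, score >= decision_threshold


def majority_vote(results: Dict[str, bool],
                  decision_threshold: float = 0.5) -> Tuple[float, bool]:
    """Plain (unweighted) majority: every test carries weight 1.0."""
    return weighted_vote(results, {t: 1.0 for t in results}, decision_threshold)


# Constructed sample I/O: a low-entropy document read in, and a buffer of
# pseudo-random bytes written back, standing in for the ciphertext of that
# document. Seeded so the run is reproducible.
PLAINTEXT_READ = b"Quarterly report: revenue up 4%, costs flat. " * 90
_rng = random.Random(2024)
CIPHERTEXT_WRITE = bytes(_rng.randrange(256) for _ in range(len(PLAINTEXT_READ)))


def demo() -> Dict[str, object]:
    """Run the entropy test, then show how weighting changes the verdict."""
    delta, flagged = entropy_delta_test(PLAINTEXT_READ, CIPHERTEXT_WRITE)
    # Assumed outcomes of two other tests from the paper's suite on this sample.
    results = {"entropy_delta": flagged, "file_name": False, "file_traversal": False}
    # Assumed weights: the entropy signal is considered three times as strong.
    weights = {"entropy_delta": 3.0, "file_name": 1.0, "file_traversal": 1.0}
    return {
        "delta_bits_per_byte": delta,
        "unweighted": majority_vote(results),        # 1 of 3 fired -> benign
        "weighted": weighted_vote(results, weights),  # 3 of 5 weight -> flagged
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

With these assumed weights a single positive entropy test outvotes two negative tests (score 0.6), whereas the unweighted majority over the same three results stays below the threshold (0.33); that is exactly the kind of influence the weighting element would introduce, and choosing those weights from the per-test accuracies reported in the evaluation is where the tuning effort would go.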
This paper is available on arxiv under CC BY 4.0 DEED license.