Virus Detection Method based on Behavior Resource Tree

  • Zou, Mengsong (Department of Computer Science and Technology, Huazhong University of Science & Technology) ;
  • Han, Lansheng (Department of Computer Science and Technology, Huazhong University of Science & Technology) ;
  • Liu, Ming (Department of Computer Science and Technology, Huazhong University of Science & Technology) ;
  • Liu, Qiwen (Department of Computer Science and Technology, Huazhong University of Science & Technology)
  • 투고 : 2010.08.11
  • 심사 : 2010.09.03
  • 발행 : 2011.03.31


Due to the disadvantages of signature-based computer virus detection techniques, behavior-based detection methods have developed rapidly in recent years. However, current popular behavior-based detection methods only take API call sequences as program behavior features and the difference between API calls in the detection is not taken into consideration. This paper divides virus behaviors into separate function modules by introducing DLLs into detection. APIs in different modules have different importance. DLLs and APIs are both considered program calling resources. Based on the calling relationships between DLLs and APIs, program calling resources can be pictured as a tree named program behavior resource tree. Important block structures are selected from the tree as program behavior features. Finally, a virus detection model based on behavior the resource tree is proposed and verified by experiment which provides a helpful reference to virus detection.



  1. Jeffrey O. Kephart and William C. Arnold, “Automatic Extraction of Computer Virus Signatures,” 4th Virus Bulletin International Conference, Jersey, USA, 1994, pp.178-184.
  2. Matthew G. Schultz, Eleazar Eskin, Erez Zadok and Salvatore J. Stolfo, “Data Mining Methods for Detection of New Malicious Executables,” IEEE Symposium on security and privacy, 2001, pp.38-49.
  3. Jeremy Z. Kolter and Marcus A. Maloof, “Learning to Detect Malicious Executables in the Wild,” Proceedings of the tenth ACM SIGKDD international conference, 2004, pp.2721-2744.
  4. David Wagner and Drew Dean, “Intrusion Detection via Static Analysis,” Proceedings of the IEEE Symposium on Security and Privacy, 2001, pp.156-168.
  5. J-Y. Xu, A. H. Sung, P. Chavez and S. Mukkamala, “Polymorphic Malicious Executable Scanner by API Sequence Analysis,” Proceedings of the Fourth International Conference on Hybrid Intelligent Systems, 2004, pp.378-383.
  6. J. Bergeron, M. Debbabi, J. Desharnais, M. M. Erhioui, Y. Lavoie and N. TawbiStatic, “Detection of Malicious Code in Executable Programs,” Int. J. of Req. Eng., 2001, pp.45-48.
  7. XU Ming, CHEN Chun and YING Jing, “Anomaly Detection Based on System Call Classification,” Journal of Software, Vol.15, No.3, 2004, pp.391-403.
  8. Elizabeth Stinson and John C. Mitchell, “Characterizing Bots’ Remote Control Behavior. In Detection of Intrusions & Malware, and Vulnerability Assessment,” 2007, pp.89-108.
  9. Essam Al Daoud, Iqbal H. Jebril and Belal Zaqaibeh, “Computer Virus Strategies and Detection Methods,” Int. J. Open Problems Compt. Math., Vol.1, No.2, 2008, pp.12-20.
  10. F. Cohen, “Computer viruses:: Theory and experiments,” Computers & security, Vol.6, 1987, pp.22-33.

피인용 문헌

  1. Unified threat model for analyzing and evaluating software threats 2012,
  2. Simple and effective method for detecting abnormal internet behaviors of mobile devices vol.321, 2015,
  3. Digital forensics investigation methodology applicable for social network services vol.74, pp.14, 2015,