Date Added: Nov 2009
Run-time monitoring of program execution behavior is widely used to discriminate between benign and malicious processes running on an end-host. Towards this end, most existing run-time intrusion and malware detection techniques use the information available in Windows Application Programming Interface (API) call arguments or call sequences. In comparison, the key novelty of the proposed tool is its use of statistical features extracted from both the spatial (argument) and temporal (sequence) information available in Windows API calls. The paper feeds this composite feature set to standard machine learning algorithms, which raise the final alarm. The experimental results show that the concurrent analysis of spatio-temporal features improves the detection accuracy of all classifiers.
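The following is an added example, not code from the paper or the tool it describes, showing the idea of a composite spatio-temporal feature set on constructed API call traces. The API names, argument layouts, the three trace families (benign file/registry activity, remote-thread injection with benign-looking arguments, and a dropper with a benign call ordering but random-looking file and key names), the particular statistics used as spatial and temporal features, and the nearest-centroid classifier are all assumptions standing in for the paper's own feature definitions and "standard machine learning algorithms". The constructed data is built so that argument statistics alone cannot see the injection and sequence statistics alone cannot see the dropper, while the combined view separates all three families:

```python
"""Spatio-temporal features from Windows API call traces, fed to a simple
classifier.  Added example, not the paper's code: API names, argument
layouts, traces and classifier are all constructed for illustration."""
import math
from collections import Counter

# Constructed vocabulary of monitored APIs (a real monitor hooks far more).
APIS = ["CreateFileW", "ReadFile", "WriteFile", "CloseHandle", "RegOpenKeyExW",
        "VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread"]


def shannon_entropy(s):
    """Bits per character; random-looking names score higher than plain words."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def spatial_features(trace):
    """Argument statistics: mean and max length and mean entropy of string arguments."""
    strings = [v for _, args in trace for v in args.values() if isinstance(v, str)]
    if not strings:
        return [0.0, 0.0, 0.0]
    return [sum(map(len, strings)) / len(strings),
            float(max(map(len, strings))),
            sum(map(shannon_entropy, strings)) / len(strings)]


def bigram_vocab(traces):
    """Sorted set of every adjacent API pair seen in the training traces."""
    vocab = set()
    for trace in traces:
        names = [api for api, _ in trace]
        vocab.update(zip(names, names[1:]))
    return sorted(vocab)


def temporal_features(trace, vocab):
    """Sequence statistics: unigram frequencies over APIS plus bigram frequencies over vocab."""
    names = [api for api, _ in trace]
    uni, bi = Counter(names), Counter(zip(names, names[1:]))
    n, nb = max(len(names), 1), max(len(names) - 1, 1)
    return [uni[a] / n for a in APIS] + [bi[b] / nb for b in vocab]


def features(trace, vocab, mode):
    """mode is 'spatial', 'temporal' or 'combined' (the composite feature set)."""
    s = spatial_features(trace) if mode != "temporal" else []
    t = temporal_features(trace, vocab) if mode != "spatial" else []
    return s + t


class NearestCentroid:
    """z-score every feature on the training set, then pick the nearest class centroid."""
    def fit(self, X, y):
        d = len(X[0])
        self.mean = [sum(x[i] for x in X) / len(X) for i in range(d)]
        self.std = [math.sqrt(sum((x[i] - m) ** 2 for x in X) / len(X)) or 1.0
                    for i, m in enumerate(self.mean)]
        Z = [self._scale(x) for x in X]
        self.centroids = {}
        for label in dict.fromkeys(y):                      # first-seen order
            rows = [z for z, lbl in zip(Z, y) if lbl == label]
            self.centroids[label] = [sum(r[i] for r in rows) / len(rows) for i in range(d)]
        return self

    def _scale(self, x):
        return [(v - m) / s for v, m, s in zip(x, self.mean, self.std)]

    def predict(self, x):
        z = self._scale(x)
        return min(self.centroids, key=lambda label: math.dist(z, self.centroids[label]))


# --- constructed traces: (api, arguments) pairs, one list per process ---------
def file_and_registry_trace(path, key):
    """Benign-looking call ordering: open, read, write, close, touch a key."""
    return [("CreateFileW", {"path": path}), ("ReadFile", {"bytes": 4096}),
            ("WriteFile", {"bytes": 4096}), ("CloseHandle", {}),
            ("RegOpenKeyExW", {"key": key}), ("CloseHandle", {})]


def injection_trace(path, key):
    """Remote-thread injection ordering, but with the same benign-looking string arguments."""
    return [("CreateFileW", {"path": path}), ("ReadFile", {"bytes": 4096}),
            ("VirtualAllocEx", {"size": 4096}), ("WriteProcessMemory", {"bytes": 4096}),
            ("CreateRemoteThread", {}), ("RegOpenKeyExW", {"key": key}), ("CloseHandle", {})]


DOCS, OFFICE = "C:\\Users\\alice\\Documents\\", "Software\\Microsoft\\Office\\16.0\\Word"
ROAMING, CLSID = "C:\\Users\\alice\\AppData\\Roaming\\", "Software\\Classes\\CLSID\\"
TRAIN = (
    [(file_and_registry_trace(DOCS + d, OFFICE), "benign") for d in ("report.docx", "budget.xlsx", "notes.txt")]
    + [(injection_trace(DOCS + d, OFFICE), "injection") for d in ("report.docx", "budget.xlsx", "notes.txt")]
    + [(file_and_registry_trace(ROAMING + n, CLSID + g), "dropper") for n, g in
       (("x9qZ3kL0pW7mVb2t.exe", "{7f3a9c2e-4b1d-4e8a-9c6f-2d5b8a1e7c03}"),
        ("Qm4vT8sN1rY6hJ3k.exe", "{c21e7d90-5a3f-4b6e-8d2a-f4e9b7c1a6d5}"))])
TEST = [  # (trace, is_malicious)
    (file_and_registry_trace(DOCS + "memo.docx", OFFICE), False),
    (injection_trace(DOCS + "memo.docx", OFFICE), True),
    (file_and_registry_trace(ROAMING + "Lp2wK7dR9gX4nB6c.exe",
                             CLSID + "{a8d4f2b6-9e1c-4a7d-b3f5-6c2e8d1a9b40}"), True)]


def evaluate(mode, train=TRAIN, test=TEST):
    """Fit on one feature view; return accuracy against the benign/malicious test labels."""
    vocab = bigram_vocab([trace for trace, _ in train])
    clf = NearestCentroid().fit([features(t, vocab, mode) for t, _ in train],
                                [label for _, label in train])
    hits = sum((clf.predict(features(t, vocab, mode)) != "benign") == is_malicious
               for t, is_malicious in test)
    return hits / len(test)


if __name__ == "__main__":
    for mode in ("spatial", "temporal", "combined"):
        print(f"{mode:>8}: test accuracy {evaluate(mode):.2f}")
```

Running the script trains the classifier three times, once per feature view, and prints the accuracy of each on the three held-out traces. The injection trace reuses the benign arguments, so the spatial view alone cannot tell it from a benign process; the dropper reuses the benign call ordering, so the temporal view alone cannot tell it apart either; only the combined feature set places each test trace with its own family. The classifier is deliberately simple so that the effect is visible without any third-party library; on a real corpus the same feature vectors would be handed to the standard classifiers the abstract mentions.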