
As you know, using machine learning we can detect malware.

We can use dynamic analysis based on WinAPI function calls and their arguments.

But what about static analysis using machine learning? In this case, we can parse the Portable Executable and extract the API functions imported by the program, and use these calls as features for the model. But in this case, we can't get the arguments of the called functions from the Portable Executable. Such a technique, I think, is worse than dynamic analysis.

Does that mean that static analysis results are always worse than dynamic analysis results? Or is there any other good technique for improving model prediction results in the static analysis case?

1 Answer

Is analyzing a switched off car (static analysis) worse than analyzing a car while driving (dynamic analysis)? No, it's just different.

In dynamic analysis one can only observe what a malware is doing in your specific setup for some specific time. But one has no view of what it might be doing in other circumstances (different OS language, different patch level, different cached files in the browser, ...) or at a later time of execution. In static analysis (which is more than just extracting imported API calls) one could check what the malware might be doing, without knowing for sure in all cases if there would be a setup which produces the specific behavior. Doing a more comprehensive dynamic analysis with lots of different setups will take much time. Doing a more comprehensive static analysis will lead to high complexity and also take much time.

So both are useful ways to collect information. It is not that one is better than the other, they simply have different advantages and disadvantages. And they can be used together.

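To make the static-feature extraction the question describes concrete, here is an added example (not code from either post): a small import-table walker written against the PE format with only the standard library, plus a builder that constructs a minimal sample PE32 image so it runs offline. The section name, DLL and function names in the sample are constructed test data; for real work a maintained parser such as pefile is the sensible choice.

```python
import struct

def build_sample_pe(imports):
    # Constructed sample input (not a real binary): minimal PE32 with one section holding the import directory
    sec_rva, sec_off = 0x1000, 0x200
    body, descs = bytearray(20 * (len(imports) + 1)), []   # descriptor array + null terminator
    def add(blob):
        off = len(body); body.extend(blob); return sec_rva + off
    for dll, funcs in imports.items():
        thunks = [add(b"\0\0" + f.encode() + b"\0") for f in funcs]   # IMAGE_IMPORT_BY_NAME: hint + name
        name_rva = add(dll.encode() + b"\0")
        body.extend(b"\0" * (-len(body) % 4))                # align the thunk array
        descs.append((add(struct.pack("<%dI" % (len(thunks) + 1), *thunks, 0)), name_rva))
    for i, (thunk_rva, name_rva) in enumerate(descs):
        struct.pack_into("<5I", body, 20 * i, thunk_rva, 0, 0, name_rva, thunk_rva)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                    # PE32 magic
    struct.pack_into("<II", opt, 104, sec_rva, len(body))    # DataDirectory[1] = import table
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, len(opt), 0x102)
    sect = struct.pack("<8sIIII", b".idata", len(body), sec_rva, len(body), sec_off) + b"\0" * 16
    hdr = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40) + b"PE\0\0" + coff + bytes(opt) + sect
    return hdr + b"\0" * (sec_off - len(hdr)) + bytes(body)

def extract_imports(data):
    """Walk the PE import directory and return {dll: [function names]} (PE32 and PE32+)."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[:2] != b"MZ" or data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, pe + 4)
    opt = pe + 24
    fmt, width, dd = ("<Q", 8, 112) if struct.unpack_from("<H", data, opt)[0] == 0x20B else ("<I", 4, 96)
    imp_rva = struct.unpack_from("<I", data, opt + dd + 8)[0]   # DataDirectory[1].VirtualAddress
    secs, result = [struct.unpack_from("<IIII", data, opt + opt_size + 40 * i + 8) for i in range(nsec)], {}
    def rva2off(rva):                                         # RVA -> file offset via the section table
        for vsize, vaddr, rsize, raw in secs:
            if vaddr <= rva < vaddr + max(vsize, rsize):
                return raw + rva - vaddr
        raise ValueError("RVA %#x outside every section" % rva)
    cstr = lambda rva: data[rva2off(rva):data.index(b"\0", rva2off(rva))].decode("ascii", "replace")
    for i in range(512):                                      # bounded walk: malformed files may lack a terminator
        oft, _, _, name, ft = struct.unpack_from("<5I", data, rva2off(imp_rva + 20 * i))
        if not name: break
        funcs, ptr = [], rva2off(oft or ft)
        while True:
            entry = struct.unpack_from(fmt, data, ptr)[0]
            if not entry: break
            funcs.append("ordinal#%d" % (entry & 0xFFFF) if entry >> (width * 8 - 1) else cstr(entry + 2))
            ptr += width
        result[cstr(name)] = funcs
    return result
```

The returned dictionary is the bag of "dll!function" tokens a classifier would consume; note that it only shows what the file declares, so functions resolved at runtime or hidden by a packer stay invisible here, which is exactly the gap the answer attributes to static analysis.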