Raducu, Razvan; Rodríguez, Ricardo J.; Álvarez, Pedro
A Graph-Based Dynamic Analysis System for Behavior Detection in Windows Applications Journal Article
In: The Computer Journal, 2026, (Accepted for publication. To appear.).
Abstract | Links | BibTeX | Tags: behavior graphs, call graphs, category graphs, Dynamic Analysis, malware, Windows
@article{Raducu2026,
title = {A Graph-Based Dynamic Analysis System for Behavior Detection in Windows Applications},
author = {Razvan Raducu and Ricardo J. Rodríguez and Pedro Álvarez},
url = {https://webdiis.unizar.es/~ricardo/files/papers/RaducuRA-COMPJ-26.pdf},
year = {2026},
date = {2026-01-01},
journal = {The Computer Journal},
publisher = {Oxford University Press},
abstract = {The increasing sophistication of malicious software (em malware) requires advanced tools to effectively analyze and counter threats. In this paper, we present sc MalGraphIQ, a dynamic analysis system designed to understand the behavior of unknown Windows binaries by introducing the em Windows Behavior Catalog (WBC). The WBC is a new repository of behavioral patterns inspired by MITRE's Malware Behavior Catalog (MBC), which systematically catalogs key APIs and system calls used by Windows binaries to exhibit specific behaviors. By leveraging sandbox technologies (specifically, CAPEv2), our dynamic analysis system uses the WBC to detect and quantify behaviors in programs, regardless of whether they are malicious or benign. It also generates graph-based visual representations of these behaviors, simplifying the interpretation of the actions performed by the program. To evaluate its effectiveness, we apply our system to multiple malware families and validate the results using cross-validation, demonstrating its ability to uncover specific actions and behavioral patterns across different malware samples and unknown binaries. The results show the system’s ability to detect behavioral patterns and distinguish between different types of malware, with an accuracy of up to 0.96 and an F1 score of 0.92, underlining the potential of our approach in malware detection and program behavioral analysis.},
note = {Accepted for publication. To appear.},
keywords = {behavior graphs, call graphs, category graphs, Dynamic Analysis, malware, Windows},
pubstate = {published},
tppubtype = {article}
}
The increasing sophistication of malicious software (em malware) requires advanced tools to effectively analyze and counter threats. In this paper, we present sc MalGraphIQ, a dynamic analysis system designed to understand the behavior of unknown Windows binaries by introducing the em Windows Behavior Catalog (WBC). The WBC is a new repository of behavioral patterns inspired by MITRE's Malware Behavior Catalog (MBC), which systematically catalogs key APIs and system calls used by Windows binaries to exhibit specific behaviors. By leveraging sandbox technologies (specifically, CAPEv2), our dynamic analysis system uses the WBC to detect and quantify behaviors in programs, regardless of whether they are malicious or benign. It also generates graph-based visual representations of these behaviors, simplifying the interpretation of the actions performed by the program. To evaluate its effectiveness, we apply our system to multiple malware families and validate the results using cross-validation, demonstrating its ability to uncover specific actions and behavioral patterns across different malware samples and unknown binaries. The results show the system’s ability to detect behavioral patterns and distinguish between different types of malware, with an accuracy of up to 0.96 and an F1 score of 0.92, underlining the potential of our approach in malware detection and program behavioral analysis.