Proposed Model for Detecting Malware on Workstations
Cho Do Xuan1, Tisenko Victor Nikolaevich2, Do Hoang Long3, Nguyen Vuong Tuan Hiep4, Le Quang Sang5

1Cho Do Xuan*, FPT University Hanoi, Vietnam.
2Tisenko Victor Nikolaevich , Peter the Great St. Petersburg Polytechnic University Russia, St. Petersburg, Poly Technicheskaya.
3Do Hoang Long, FPT University Hanoi.
4Nguyen Vuong Tuan Hiep, FPT University Hanoi, Vietnam
5Le Quang Sang, FPT University Hanoi, Vietnam
Manuscript received on March 15, 2020. | Revised Manuscript received on March 31, 2020. | Manuscript published on April 10, 2020. | PP: 1069-1078 | Volume-9 Issue-6, April 2020. | Retrieval Number: F4180049620/2020©BEIESP | DOI: 10.35940/ijitee.F4180.049620
Open Access | Ethics and Policies | Cite | Mendeley
© The Authors. Blue Eyes Intelligence Engineering and Sciences Publication (BEIESP). This is an open access article under the CC BY-NC-ND license (

Abstract: The trend of network attacks through end-users are widely used by attackers today. One of them is the attack by distributing malware into users’ computers to steal data or escalate to higher privileges. The technique of attack by distributing malware is a dangerous attack method that is difficult to detect and prevent. Therefore, the task of detecting the sign of malware and alerting it for the user or the system is very necessary today. Current studies and recommendations for detecting malware are often based on two main methods that are using a set of signs and analyzing abnormal behavior based on machine learning or deep learning. In this paper, we will propose a method to detect malware on users’ computers using an Event ID profile analysis technique. Event IDs are signs and behaviors of malware that are tracked and collected on the operating system kernel of the workstation. The difference between our research and other published methods is the way to collect behaviors of the malware. We don’t collect them through virtualization systems, but through direct processes in the operating system kernel. Therefore, even though malware uses hidden techniques, its actions are recorded by the operating system kernel and based on those processes, we use the Event ID analysis technique to conclude about the existence of malware in the system. 
Keywords: MALWARE Detection, WORKSTATIONS, Event ID
Scope of the Article: Probabilistic Models and Methods