Traditional dynamic analysis methods are mostly based on sequence mining technology and graph matching technology to detect malware. Sequence mining technology is susceptible to system call injection, while graph matching technology is limited by the complexity of subgraph matching. Moreover, these methods don’t consider the anti detection behavior of samples, such as anti virtual machine. Therefore, the accuracy of detection becomes worse and worse. In this paper, we design a physical machine dynamic analysis method based on program semantic API dependency graph. The API call sequences of malware are extracted in the sandbox based on real machine, so as to avoid the influence of anti virtual machine detection. Our feature construction method is based on the asymptotic equipartition property (AEP) concept widely used in information theory. We can extract the semantic information rich API sequences based on AEP, and then the behavior is defined with the typical path of the API dependency graph. We define the relevance of the path by the average logarithmic branch factor of typical paths. The average logarithm branch factor and histogram bin are used to construct the feature space. Finally, this paper adopts the random forest to classify malware. Experimental results show that the proposed method can effectively classify malware with the accuracy of 97.1%.
