Saved in:
Bibliographic Details
Main Authors: Ghodeshwar, Paras, Shukla, Sandeep K, Handa, Anand, Kumar, Nitesh
Format: Preprint
Published: 2026
Subjects:
Online Access:https://arxiv.org/abs/2604.23812
Tags: Add Tag
No Tags, Be the first to tag this record!
_version_ 1866915959564926976
author Ghodeshwar, Paras
Shukla, Sandeep K
Handa, Anand
Kumar, Nitesh
author_facet Ghodeshwar, Paras
Shukla, Sandeep K
Handa, Anand
Kumar, Nitesh
contents Rootkits are among the most elusive types of malware, capable of bypassing traditional static analysis methods due to their metamorphic behavior. Signature-based detection techniques struggle against these threats, necessitating a shift toward dynamic analysis approaches. We propose SeqShield, a behavior-based rootkit detection approach designed specifically for the Windows OS, leveraging API call sequences for dynamic behavior analysis. Instead of relying on static signatures, SeqShield examines the execution patterns of API calls, which inherently reflect malicious intent. Analyzing API sequences, we can effectively identify rootkit-like behavior. We also employed a metamorphic code engine to generate 10X mutated variants of rootkits, demonstrating their obfuscation strategies. SeqShield applies n-gram analysis to extract bigram and trigram features from these API call sequences, enabling effective detection of rootkit-like activity. Among the models tested, Random Forest achieves the highest accuracy of 97.27% (bigram) and 96.17% (trigram). To optimize performance and decrease the dimension, we apply feature importance ranking using the Gini Impurity Index, iteratively selecting the most significant features. The optimized lower-dimensional feature matrix significantly enhances detection efficiency without sacrificing accuracy. Using the optimized feature set, our approach achieves 96.72% accuracy for bigrams and 97.81% accuracy for trigrams.
format Preprint
id arxiv_https___arxiv_org_abs_2604_23812
institution arXiv
publishDate 2026
record_format arxiv
spellingShingle SeqShield: A Behavioral Analysis Approach to Uncover Rootkits
Ghodeshwar, Paras
Shukla, Sandeep K
Handa, Anand
Kumar, Nitesh
Cryptography and Security
Machine Learning
Rootkits are among the most elusive types of malware, capable of bypassing traditional static analysis methods due to their metamorphic behavior. Signature-based detection techniques struggle against these threats, necessitating a shift toward dynamic analysis approaches. We propose SeqShield, a behavior-based rootkit detection approach designed specifically for the Windows OS, leveraging API call sequences for dynamic behavior analysis. Instead of relying on static signatures, SeqShield examines the execution patterns of API calls, which inherently reflect malicious intent. Analyzing API sequences, we can effectively identify rootkit-like behavior. We also employed a metamorphic code engine to generate 10X mutated variants of rootkits, demonstrating their obfuscation strategies. SeqShield applies n-gram analysis to extract bigram and trigram features from these API call sequences, enabling effective detection of rootkit-like activity. Among the models tested, Random Forest achieves the highest accuracy of 97.27% (bigram) and 96.17% (trigram). To optimize performance and decrease the dimension, we apply feature importance ranking using the Gini Impurity Index, iteratively selecting the most significant features. The optimized lower-dimensional feature matrix significantly enhances detection efficiency without sacrificing accuracy. Using the optimized feature set, our approach achieves 96.72% accuracy for bigrams and 97.81% accuracy for trigrams.
title SeqShield: A Behavioral Analysis Approach to Uncover Rootkits
topic Cryptography and Security
Machine Learning
url https://arxiv.org/abs/2604.23812