Malicious programs pose a major threat to Internet-connected systems, increasing the importance of studying their behavior in order to fight against them. In this paper, we propose definitions to the different types of behavior that a program can present during its execution. Based on those definitions, we define suspicious behavior as the group of actions that change the state of a target system. We also propose a set of network and system-level dangerous activities that can be used to denote the malignity in suspicious behaviors, which were extracted from a large set of malware samples. In addition, we evaluate the malware samples according to their suspicious behavior. Moreover, we developed filters to translate from lower-level execution traces to the observed dangerous activities and evaluated them in the context of actual malware. © 2012 Springer-Verlag.7336 LNCSPART 4274285Universidade Federal da Bahia (UFBA),Universidade Federal do Reconcavo da Bahia (UFRB),Universidade Estadual de Feira de Santana (UEFS),University of Perugia,University of Basilicata (UB)Norman Sandbox, , http://www.norman.com/security_center/security_tools/http://www.threatexpert.com/Afonso, V.M., Filho, D.S.F., Grégio, A.R.A., De Geus, P.L., Jino, M., A hybrid framework to analyze web and os malware Proceedings of the 2012 IEEE International Conference on Communications (ICC) (June 2012)Balzarotti, D., Cova, M., Karlberger, C., Kruegel, C., Kirda, E., Vigna, G., Efficient detection of split personalities in malware 17th Annual Network and Distributed System Security Symposium, NDSS 2010 (February 2010)Bellard, F., Qemu, a fast and portable dynamic translator (2005) USENIX Annual Technical Conference, FREENIX Track, pp. 41-46Calais, P.H., Pires, D.E.V., Guedes, D.O., Meira, W., Hoepers, C., Steding-jessen, K., A campaign-based characterization of spamming strategies Proceedings of the Fifth Conference on Email and Anti-Spam (CEAS) (2008)Egele, M., Kruegel, C., Kirda, E., Yin, H., Song, D., Dynamic Spyware Analysis (2007) Proceedings of the USENIX Annual Technical Conference, , USENIX Association, BerkeleyFiliol, E., Malware pattern scanning schemes secure against black-box analysis (2006) Journal in Computer Virology, 2 (1), pp. 35-50Filiol, E., Jacob, G., Le Liard, M., Evaluation methodology and theoretical model for antiviral behavioural detection strategies (2007) Journal in Computer Virology, 3 (1), pp. 23-37Hoglund, G., Butler, J., (2006) Rootkits - Subverting the Windows Kernel, , Addison- WesleyJacob, G., Debar, H., Filiol, E., Malware Behavioral Detection by Attribute- Automata Using Abstraction from Platform and Language (2009) LNCS, 5758, pp. 81-100. , Kirda, E., Jha, S., Balzarotti, D. (eds.) RAID 2009. Springer, HeidelbergKruegel, C., Kirda, E., Bayer, U., TTAnalyze: A tool for analyzing malware Proceedings of the 15th European Institute for Computer Antivirus Research (EICAR 2006) Annual Conference (April 2006)Kruegel, C., Kirda, E., Bayer, U., Balzarotti, D., Habibi, I., Insights into current malware behavior 2nd USENIX Workshop on Large-Scale Exploits and Emergent Threats (LEET), Boston (April 2009)Martignoni, L., Stinson, E., Fredrikson, M., Jha, S., Mitchell, J.C., A Layered Architecture for Detecting Malicious Behaviors (2008) LNCS, 5230, pp. 78-97. , Lippmann, R., Kirda, E., Trachtenberg, A. (eds.) RAID 2008. Springer, HeidelbergProvos, N., Holz, T., (2007) Virtual Honeypots: From Botnet Tracking to Intrusion Detection, , 1st edn. Addison-Wesley ProfessionalRules for Naming Detected Objects, , http://www.securelist.com/en/%20threats/detect?chapter=136Willems, C., Holz, T., Freiling, F., Toward Automated Dynamic Malware Analysis Using CWSandbox (2007) IEEE Security and Privacy, 5, pp. 32-39