4.1 Emulator-Based Dynamic Analysis4.2 Dynamic Malware Detection Mechanisms4.2.1 System metric and traffic analysis (Category 1)4.2.2 Network packet analysis (Category 2)4.2.3 Sensitive API call analysis (Category 3)4.2.4 System call analysis (Category 4)4.2.4.1 System call frequency or TF-IDF-based methods4.2.4.2 System call dependency graph or markov chain-based methods4.2.4.3 System call phylogeny-based methods4.2.4.4 System call behavior or sequence analysis-based methods4.3 Hybrid Analysis4.3.1 Hybrid detection based on a single classifier (Category 1)4.3.2 Hybrid detection based on ensemble classifiers (Category 2)4.4 Correlation Among Static and Dynamic Features4.4.1 Tree augmented Naive Bayes (TAN) model4.5 Hybrid Analysis with TAN Classifier4.5.1 Dependencies among API calls, permission and system calls4.5.2 Ridge regularized logistic regression (RRLR)4.5.3 Probability estimation4.5.4 Anomaly detection4.5.4.1 App permission analysis4.5.4.2 Static API function call analysis4.5.4.3 System call analysis4.5.5 Malware detection using TAN-based model4.6 Experiments and Analysis4.6.1 Training phase4.6.1.1 Estimation of threshold for L1,L2,L34.6.1.2 Conditional probability estimation4.6.2 Evaluation phase4.7 Conclusion