All the static analysis mechanisms can be evaded by dynamic code loading attacks [171]. A dynamic code loading attack consists of three steps. In the first step, a malware developer creates an application with two byte codes: a malicious code and a legitimate code. In the next step, he encrypts the malicious byte code. In the final step, he writes a decryption program in the main byte code (legitimate byte code) to decrypt the malicious byte code and compile the application. Hence, the malicious byte code is not available in plain text for analysis. During the runtime, the malicious code gets decrypted and executed in the system. Hence, it is required to consider runtime information ...